A company like Meta needs to stay on top of their security. And they've done so by evolving their detection engineering program in their very code-forward environment. In our new podcast episode, Justin Anderson, Security Engineering Manager, Detection & Response at Meta, explains how they protect the biggest social media platform in the world.
Here are the top takeaways:
Measuring risk through TTPs: What if there's an attack? What would I worry about? That's how Meta assesses risk: by pragmatically thinking through which TTPs apply to that environment and what its detection coverage is across those TTPs. "It's very granular and specific to us being able to measure coverage, but we actually do use that to inform how we talk about risk to VPs."
Taking a page from vulnerability management: When it comes to tuning, Justin looks to vulnerability management practices, specifically when it comes to volume. Not wanting to drown investigators in investigations like you might drown engineers in tickets, "You need a systematic model for not only pulling down very high signal detections ... you also need a way to be able to continuously measure that coverage."
Leveraging detection-as-code: In an environment that is all built on code, Meta builds detections for attacks that are usually executed via code or scripting. As such, they lean into the idea of treating detection-as-code like they would treat any other software problem. "That means you need to actually have CI/CD, you need to have control validation, you need to have good design practices, you need to have really well thought through system design for some of the more complex detections we write."
No place yet for AI?: When it comes to using AI in security, Justin says it's great for writing SQL or Python, but when it comes to helping with detection, AI hasn't quite moved the needle yet. However, it has been helping to identify and understand strange processes that may appear, and its answers can help with investigations.
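To make the two ideas above concrete (detections validated like any other software in CI, and coverage measured against the set of applicable TTPs), here is a small added example in Python. It is not Meta's code and is not from the podcast; the rules, the sample events and the list of applicable techniques are constructed for illustration, and the technique identifiers are MITRE ATT&CK IDs chosen as an assumption about how a team might label TTPs.

```python
"""Detection-as-code sketch: rules as code, a CI validation gate, and TTP coverage.

Added example, not Meta's code. TTP labels are MITRE ATT&CK technique IDs
(an assumption about how a team labels TTPs); all events are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Event = Dict[str, str]


@dataclass
class Rule:
    name: str
    techniques: Set[str]                 # TTPs this detection claims to cover
    match: Callable[[Event], bool]       # the detection logic itself
    true_positives: List[Event] = field(default_factory=list)  # must fire
    true_negatives: List[Event] = field(default_factory=list)  # must stay silent


def _web_server_spawns_shell(e: Event) -> bool:
    # A scripting interpreter spawned by a web server process (T1059).
    return e.get("parent") in {"httpd", "nginx"} and e.get("proc") in {"sh", "bash", "python3"}


def _login_failure_burst(e: Event) -> bool:
    # A summarized burst of failed logins from one source (T1110).
    return e.get("type") == "auth_fail_summary" and int(e.get("failures", "0")) >= 20


# Each rule ships with the events it must and must not fire on, so the
# validation step below can run in CI on every change (constructed samples).
RULES: List[Rule] = [
    Rule("web-server-spawns-shell", {"T1059"}, _web_server_spawns_shell,
         true_positives=[{"parent": "nginx", "proc": "bash"}],
         true_negatives=[{"parent": "sshd", "proc": "bash"},
                         {"parent": "nginx", "proc": "nginx"}]),
    Rule("login-failure-burst", {"T1110"}, _login_failure_burst,
         true_positives=[{"type": "auth_fail_summary", "failures": "25"}],
         true_negatives=[{"type": "auth_fail_summary", "failures": "3"}]),
]

# The TTPs judged applicable to this (hypothetical) environment.
APPLICABLE_TTPS: Set[str] = {"T1059", "T1078", "T1110", "T1003"}


def validate(rules: List[Rule]) -> Dict[str, List[str]]:
    """CI gate: returns a problem list per rule; an empty dict means the build passes."""
    failures: Dict[str, List[str]] = {}
    for r in rules:
        problems = []
        for ev in r.true_positives:
            if not r.match(ev):
                problems.append(f"missed positive {ev}")
        for ev in r.true_negatives:
            if r.match(ev):
                problems.append(f"false positive {ev}")
        if problems:
            failures[r.name] = problems
    return failures


def coverage(rules: List[Rule], applicable: Set[str]) -> Dict[str, object]:
    """Which applicable TTPs at least one validated rule covers, and which are gaps."""
    claimed = set().union(*(r.techniques for r in rules))
    covered = claimed & applicable
    return {
        "covered": sorted(covered),
        "gaps": sorted(applicable - covered),
        "ratio": len(covered) / len(applicable) if applicable else 0.0,
    }


if __name__ == "__main__":
    problems = validate(RULES)
    if problems:
        raise SystemExit(f"detection validation failed: {problems}")
    print(coverage(RULES, APPLICABLE_TTPS))
```

The coverage report is what feeds the risk conversation the episode describes: the "gaps" list is the set of applicable TTPs with no validated detection, and the ratio is only meaningful because the validation gate refuses rules that do not fire on their own positive samples.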