EP149 Canned Detections: From Educational Samples to Production-Ready Code

Cloud Security Podcast by Google

English - November 20, 2023 15:11 - 28 minutes - 39.4 MB - ★★★★★ - 33 ratings
Technology cloudsecurity cloud cybersecurity security Homepage Download Apple Podcasts Google Podcasts Overcast Castro Pocket Casts RSS feed

Previous Episode: EP148 Decoding SaaS Security: Demystifying Breaches, Vulnerabilities, and Vendor Responsibilities

Next Episode: EP150 Taming the AI Beast: Threat Modeling for Modern AI Systems with Gary McGraw

Guests:

John Stoner, Principal Security Strategist, Google Cloud Security

Dave Herrald, Head of Adopt Engineering, Google Cloud Security

Topics:

In your experience, past and present, what would make clients trust vendor detection content?

Regarding “canned”, default or “out-of-the-box” detections, how to make them more production quality and not merely educational samples to learn from?

What is more important, seeing the detection or being able to change it, or both?

If this is about seeing the detection code/content, what about ML and algorithms?

What about the SOC analysts who don't read the code?

What about “tuning” - is tuning detections a bad word now in 2023?

Everybody is obsessed about “false positives,” what about the false negatives? How are we supposed to eliminate them if we don’t see detection logic?

Resources:

Video (Linkedin, YouTube)

Github rules for Chronicle

DetectionEngineering.net by Zack Allen

“On Trust and Transparency in Detection” blog

“Detection as Code? No, Detection as COOKING!” blog

EP64 Security Operations Center: The People Side and How to Do it Right

EP108 How to Hunt the Cloud: Lessons and Experiences from Years of Threat Hunting

EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil

Why is Threat Detection Hard?

Detection Engineering is Painful — and It Shouldn’t Be (Part 1, 2, 3, 4, 5)