Elevating Cybersecurity: The Sekoia.io Methodology for Advanced Detection Engineering
2024-5-15 15:46:58 Author: blog.sekoia.io

In the constantly evolving cybersecurity landscape, Sekoia.io is at the forefront of crafting sophisticated detection engineering strategies. This blog post dives into our approach to security and more specifically in the creation of detection rules. Aimed at both our existing and future users, this article unveils the complexities of detection engineering.

We will showcase how Sekoia.io not only meets current security demands but also anticipates future threats.

The Art and Expertise Behind Our Detection Rules

Central to Sekoia.io’s strategy is a robust process for crafting detection rules that stand the test of time and threat evolution. Our approach is deeply rooted in the examination of emerging threats and cybersecurity trends by our Threat Detection & Research team (TDR). These seasoned cyber experts leverage cutting-edge tools and methodologies to foresee potential threats, ensuring that our rules are not merely reactive to incidents but also detect known attacks in real time.

This extensive research translates into the development of actionable detection rules within the Sekoia SOC Platform, each subjected to strict testing for efficiency and relevance. Our methodology is iterative, meaning that our detection engineers refine new and existing rules based on feedback from end-users, but also based on the ever-changing threat landscape that the TDR team follows day after day. The outcome is a curated catalog of more than 860 rules at the time of writing, each designed for maximum impact and adaptability (each rule can be fine-tuned based on different criteria).

Prioritizing Depth Over Breadth

To prioritize its detection rule engineering workload, Sekoia.io focuses on the depth and specificity of each rule rather than sheer volume. Our catalog emphasizes the relevance of each rule, ensuring that each addresses specific security concerns identified through our Cyber Threat Intelligence. This is why Sekoia.io firmly believes quantitative metrics – such as the raw number of rules – should not be the sole basis for evaluating a vendor’s expertise. Customers should seek a balanced assessment, considering both standardized metrics and the unique value a vendor offers beyond these criteria. We will now explore the metrics our customers most frequently ask about, discussing their advantages and drawbacks.

Metric #1 – MITRE ATT&CK Coverage

Sekoia.io meticulously evaluates the MITRE ATT&CK framework, understanding that while comprehensive coverage is advantageous for mapping out defensive strategies against known attack vectors, it does not equate to a bulletproof security solution. Our selective application of the framework emphasizes protections that are most relevant to our clients, based on our intelligence and expertise. This nuanced approach brings substantial benefits, such as providing a broad perspective on potential threats (comprehensive insight) while aligning with an industry-standard framework (industry benchmark). However, it also comes with its challenges. A sole focus on the MITRE framework coverage might lead to a false sense of security, as it doesn’t account for new, emerging threats not yet included in the framework. Additionally, striving for complete coverage can demand significant resources (resource intensiveness), potentially detracting from addressing other crucial security needs.

Metric #2 – False Positive Rate

At Sekoia.io, we monitor false positive rates in order to fine-tune our rules. High precision in our detection rules means reducing the noise of unnecessary alerts, allowing security teams to focus on genuine threats. This commitment to accuracy enhances operational efficiency and mitigates alert fatigue, ensuring that real threats are promptly and effectively addressed. However, the journey to minimize false positives involves complex calibration, requiring continuous refinement to strike the right balance between sensitivity and specificity. Moreover, there is a risk of over-tuning the detection rules, which might lead to missing broader or evolving attack techniques.

Metric #3 – Client-Specific Coverage

Understanding that each client’s security landscape is unique, Sekoia.io places a premium on allowing customized protection. By refining our rules or by creating new ones, our partners and end-users can ensure their defenses are not just robust but also precisely tailored to their situation. This approach allows for targeted defense, making efficient use of resources by focusing efforts where they are most needed. However, customizing detection to fit each client’s specific context is resource-intensive, requiring a significant investment in time and expertise. In this sense, the “one-to-many” model, in which Sekoia.io pushes rules to its end-users while offering the possibility to fine-tune these very rules, has proven to be the best win-win scenario for all.

To conclude, we can say that because the threats out there are constantly evolving, we are always learning, always adapting. And so is our Detection Rules catalog and our Cyber Threat Intelligence. Our mission? To make sure the good guys (aka, YOU) are always one step ahead, with the sharpest, most reliable cyber defenses in town.

Using our deep knowledge, a dash of creativity, and a whole lot of dedication, we’re not just fighting off the bad guys together – we’re building a safer future for everyone in the digital world. And as this world keeps spinning and changing, so will Sekoia.io, always here to protect and ready for whatever comes next.

So, let’s keep the adventure going together, making cyberspace a safer place!

Feel free to read other Sekoia.io TDR (Threat Detection & Research) analysis here:



Source: https://blog.sekoia.io/elevating-cybersecurity-the-sekoia-io-methodology-for-advanced-detection-engineering/