It takes skilled people, and effective, efficient tools to make sure you can create, validate, and maintain detection signatures that will provide full coverage of real-world attacks while minimizing false positives and false negatives.
In this paper, SANS Director of Emerging Security Trends, John Pescatore, compiles data from the recent SANS survey of 267 cybersecurity professionals to determine the state of practice in detection engineering. Key findings include:
- 86% of survey respondents use MITRE ATT&CK
- 78% of survey respondents manually map detections
- The complexity and time-consuming nature of developing new detections for new vulnerabilities/attacks is the most common cause of detection gaps