Rethinking How You Work With Detection and Response Metrics

April 19, 2024 at 01:40PM

A session at the Black Hat Asia conference in Singapore discussed the challenge of distinguishing true security threats from false alarms. Allyn Stott emphasized the importance of metrics in assessing detection and response programs, driving improvements, and demonstrating risk reduction to the business. He advised using frameworks like MITRE ATT&CK, SANS Institute’s HMM, and Security Institute’s SABRE for effective metric implementation and accurate threat assessment.

Based on the meeting notes, the key takeaways are:

1. Effectively measuring and analyzing performance data is essential in a detection and response program, as emphasized by Allyn Stott, senior staff engineer with Airbnb.

2. Metrics are crucial for assessing the effectiveness of a detection and response program, driving improvement, and demonstrating the impact of threats and investments in detection and response programs.

3. Alert volume is a critical metric, but measuring it alone is not enough to gauge the effectiveness of a detection and response program. It is essential to assess whether the program is catching more threats.

4. Implementing frameworks like MITRE ATT&CK, SANS Institute’s Hunting Maturity Model (HMM), and the Security Institute’s SABRE framework is recommended, but it is cautioned that focusing too much on any one framework, such as MITRE ATT&CK, may not provide comprehensive coverage.

5. Buy-in from CISOs and organizational adherence to the different maturity models are needed to make effective use of the suggested frameworks and to produce useful metrics.
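As an added illustration of takeaways 3 and 4 (this is example code, not from the talk or the article), the script below computes alert volume, confirmed true positives, precision, and the number of ATT&CK techniques with at least one confirmed detection across two reporting periods of constructed alert data. The rule names, technique IDs and counts are all assumed for the example; the point is that volume can double while the number of real threats caught stays flat.

```python
from dataclasses import dataclass


@dataclass
class Alert:
    period: str        # reporting period, e.g. "Q1" or "Q2"
    rule: str          # detection rule that fired (constructed name)
    technique: str     # MITRE ATT&CK technique id (assumed mapping)
    true_positive: bool  # analyst verdict after triage


def _make(period, rule, technique, tp, fp):
    """Build tp true-positive and fp false-positive alerts for one rule."""
    return ([Alert(period, rule, technique, True)] * tp
            + [Alert(period, rule, technique, False)] * fp)


# Constructed sample: Q2 fires twice as many alerts as Q1, but the number
# of confirmed threats does not change.
SAMPLE_ALERTS = (
    _make("Q1", "suspicious_powershell", "T1059.001", tp=3, fp=2)
    + _make("Q1", "new_admin_user", "T1136", tp=1, fp=4)
    + _make("Q2", "suspicious_powershell", "T1059.001", tp=3, fp=9)
    + _make("Q2", "new_admin_user", "T1136", tp=1, fp=7)
)


def summarize(alerts, period):
    """Return the metrics a program should report beyond raw alert volume."""
    subset = [a for a in alerts if a.period == period]
    volume = len(subset)
    tps = sum(1 for a in subset if a.true_positive)
    techniques = {a.technique for a in subset if a.true_positive}
    return {
        "alert_volume": volume,
        "true_positives": tps,
        "precision": round(tps / volume, 3) if volume else 0.0,
        "techniques_with_confirmed_detections": len(techniques),
    }


def compare(alerts, earlier, later):
    """Judge a period against the previous one by threats caught, not volume."""
    before, after = summarize(alerts, earlier), summarize(alerts, later)
    return {
        "volume_change": after["alert_volume"] - before["alert_volume"],
        "catching_more_threats": after["true_positives"] > before["true_positives"],
        "precision_change": round(after["precision"] - before["precision"], 3),
    }
```

Running `compare(SAMPLE_ALERTS, "Q1", "Q2")` on the constructed data reports a volume increase of 10 with no additional threats caught and a drop in precision, which is exactly the situation a volume-only metric would hide.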

These takeaways highlight the significance of using metrics effectively to assess a detection and response program, and the recommendations made by Allyn Stott to achieve this.