
    Lessons Learned in Detection Engineering

    Ryan McGeehan shares his experience in a post called Lessons Learned in Detection Engineering. In it he walks through a detection infrastructure built on logs and rules: each rule either triggers automation, produces a lead for a hunt, or raises an alert. Ryan argues that a “law of leverage” applies. He calls “lever work” the work of one person that multiplies the output of many others. Security, at the same time, can be viewed in terms of individual work, which divides into detecting risk and mitigating it.



    In addition to the “law of the lever,” Ryan highlights rules that trigger automation before alerting, and the practice of recording information on closed alerts and on frequently used tools. As a result, each security program gets the ability to “detect” bad things happening in its systems, which creates certain difficulties for manual analysis. In conclusion, Ryan McGeehan calls for investing in incident response.
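    To make the three rule outcomes and the closed-alert record concrete, here is an added Python example; it is not code from Ryan's post or from this site. Rules tagged as automation, hunt lead or alert run over constructed log lines, and analyst dispositions on closed alerts are aggregated per rule so that noisy alert rules can be found and demoted. The log format, rule names and dispositions are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (key=value events; not from the original post).
LOGS = [
    "2024-05-01T10:00:01 host=web1 user=svc_backup action=login src=10.0.0.5 ok=true",
    "2024-05-01T10:00:07 host=web1 user=alice action=login src=203.0.113.9 ok=false",
    "2024-05-01T10:00:08 host=web1 user=alice action=login src=203.0.113.9 ok=false",
    "2024-05-01T10:00:09 host=web1 user=alice action=login src=203.0.113.9 ok=false",
    "2024-05-01T10:01:00 host=db1 user=root action=sudo cmd=/bin/bash ok=true",
    "2024-05-01T10:02:00 host=db1 user=bob action=ssh src=10.0.0.7 ok=true",
]

def parse(line):
    """Turn one 'ts k=v k=v ...' line into a dict (assumed log format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields

# Each rule is tagged with what a match triggers: automation, a hunt lead, or an alert.
RULES = {
    "service_account_login": ("automation", lambda e: e.get("user", "").startswith("svc_")),
    "failed_login_burst": ("hunt", lambda e: e.get("action") == "login" and e.get("ok") == "false"),
    "root_shell_via_sudo": ("alert", lambda e: e.get("action") == "sudo" and e.get("cmd") == "/bin/bash"),
}

def evaluate(lines, rules=RULES):
    """Route every matching event to its rule's outcome bucket."""
    routed = defaultdict(list)
    for event in map(parse, lines):
        for name, (outcome, predicate) in rules.items():
            if predicate(event):
                routed[outcome].append((name, event["ts"], event.get("user")))
    return routed

# Constructed closed-alert record: (rule, disposition) as an analyst notes it when closing.
CLOSED = [("root_shell_via_sudo", "true_positive"), ("root_shell_via_sudo", "false_positive"),
          ("root_shell_via_sudo", "false_positive"), ("root_shell_via_sudo", "false_positive")]

def closure_stats(closed):
    """Per-rule false-positive ratio computed from closed alerts."""
    counts = defaultdict(lambda: [0, 0])          # [true positives, false positives]
    for rule, disposition in closed:
        counts[rule][disposition == "false_positive"] += 1
    return {rule: fp / (tp + fp) for rule, (tp, fp) in counts.items()}

def rules_to_revisit(closed, threshold=0.5):
    """Alert rules whose false-positive ratio suggests demoting them to hunt leads or automating them."""
    return sorted(r for r, ratio in closure_stats(closed).items() if ratio >= threshold)
```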





    DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.