Detection engineering is burdened by the need to continuously hunt for aggressive, damaging, current and long-lasting cyber threats. The need for automated, systematic, repeatable, predictable and shareable approaches is glaring, especially for the many detection engineers who must function as threat hunter, SOC analyst, detection content creator, administrator and mitigator, while also operating as part conductor, artist, strategist and tactician.
Furthermore, detecting threats requires not only capability, but also tools and content. Organizations can build, buy, outsource or suffer the consequences, as ignorance or avoidance generally results in fines, lost revenue, lost customers and brand damage. Many organizations do not survive these impacts. SOC Prime offers viable and cost-effective solutions that enable organizations to strengthen their threat detection capabilities with an innovative cybersecurity approach.
Anton Chuvakin pioneered the premise of “Detection as Code” in an attempt to align security operations with other DevOps disciplines that were enhanced by software development’s success with similar capabilities (hence the “as code” tag). The premise is to nudge detection engineering towards a set of practices and systems that are better equipped to deliver modern and effective threat detection, and to grow detection engineering into a “real” practice built on modern principles used successfully elsewhere in IT (e.g. Agile or DevOps). Ultimately, “Detection as Code” is intended as a systematic, flexible and comprehensive approach to evolving threat detection operations by enabling better collaboration, testing, deployment and threat detection lifecycle management.
SOC Prime is the original innovator embracing the concept of Detection as Code. Today, the SOC Prime platform provides 180K+ Sigma-based rules, queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models and Incident Response Playbooks mapped to CVE and MITRE ATT&CK® frameworks.
The returns from leveraging SOC Prime’s Detection-as-Code platform are impressive. Over $3M in costs can be eliminated by removing the need to allocate one man-day to develop a single detection rule at an approximate cost of $800. Enterprise organizations save up to 5,000 hours per year in detection content creation.
SOC Prime has also embraced Sigma to ensure detection content is open source, standards-based and vendor-agnostic. Rules are written in structured YAML format, making it easy for both human and system consumption and to ensure:
In an effort to further simplify access to, and application of, the Detection as Code premise, SOC Prime has made Detection as Code available on-demand. On-demand subscriptions offer cost-effective, instant access to detection-as-code content based on customized search criteria tailored to the attack vectors most important for an individual organization’s investigation. A Sigma translation engine ensures flexibility and that content is available for any SIEM, EDR or XDR environment.
This ensures that threat hunters can search for any detection code phrase to discover available detection content and quickly deploy the relevant detection code in their security infrastructure. The intent is to grow organizational threat engineering capability quickly and cost-effectively, and to allow threat hunters to focus immediately on the vulnerabilities identified as problematic or prioritized in their own environments.
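The Sigma rules described above are vendor-agnostic YAML, and a translation engine renders them into each backend's query language. As an added example that is not part of the original article and not SOC Prime's or the Sigma project's code, the block below holds a constructed rule (in the same layout as a Sigma YAML file, kept as a dict so it needs only the standard library), evaluates its `detection` section against a constructed process-creation event, and renders it in a constructed generic query syntax to show what a backend translation does; the condition parser handles only the `a and not b` subset, and the rule, event and field names are all assumptions.

```python
RULE = {  # constructed rule mirroring Sigma's YAML layout; not a SOC Prime rule
    "title": "PowerShell encoded command (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc ", "-EncodedCommand "]},
        "filter": {"ParentImage|endswith": "\\approved_updater.exe"},
        "condition": "selection and not filter"}}

EVENT = {  # constructed process-creation event that the rule should flag
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "powershell.exe -nop -w hidden -enc AAAA",
    "ParentImage": "C:\\Windows\\explorer.exe"}

# Sigma string modifiers; Sigma matching is case-insensitive, so callers lower both sides.
MODIFIERS = {"contains": lambda a, e: e in a, "startswith": str.startswith,
             "endswith": str.endswith, "": str.__eq__}

def match_selection(selection, event):
    """Fields inside one selection are ANDed; a list of values for a field is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        actual = event.get(field)
        if actual is None or not any(
                MODIFIERS[modifier](str(actual).lower(), str(v).lower()) for v in values):
            return False
    return True

def _terms(condition):
    """(negated, name) pairs for the 'a and not b and c' subset of Sigma conditions."""
    return [(t.startswith("not "), t.replace("not ", "")) for t in condition.split(" and ")]

def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    return all(match_selection(det[n], event) != neg for neg, n in _terms(det["condition"]))

def to_query(rule):
    """Render the rule in a constructed generic query syntax, as a SIEM backend would."""
    det = rule["detection"]
    def clause(key, expected):
        field, _, mod = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        return "(" + " or ".join(f'{field} {mod or "equals"} "{v}"' for v in values) + ")"
    return " and ".join(("not " if neg else "") + "(" + " and ".join(
        clause(k, v) for k, v in det[n].items()) + ")" for neg, n in _terms(det["condition"]))
```

The same `RULE` rendered by `to_query` is what a real translation engine would emit in Splunk, KQL or Elastic syntax; the constructed syntax here only shows the structure (selection ANDed, list values ORed, filter negated).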
“In the wake of a constantly changing threat landscape, keeping an organization’s detection content current, effective and relevant is a daunting task for security professionals,” said Andrii Bezverkhyi, founder and CEO at SOC Prime. “With SOC Prime’s Detection as Code On-Demand, security professionals can receive relevant content at the exact time required and continuously ensure that critical threat detection content will never be missed.”