Tips for Breaking Through

In my last blog post, I looked at how challenges relating to SIEMs, default configurations, device-led strategies, and competing priorities can impede efficient threat detection and response. In this post, I’ll look at three things you can do to address them and how Kudelski Security MSS can help. 

 1. Develop your use cases (aka your common “lens”).

I mentioned use cases before, in the context of alert fatigue that arises when we let devices dictate our detection strategy and evaluate alerts across devices through a common lens. A use case is a high-level threat detection priority, not to be confused with detection rules.

For example, phishing might be a threat detection use case for your organization.

While it seems simple, to fully understand each use case, we have to understand your adversary, their motivations and the techniques they use to move through the kill chain.

We also have to understand how that attack will play out within the environment (scenarios) and the data sources required to detect the attack.

Finally, we have to know how each of the parties involved in containment and remediation should respond.

Kudelski Security has developed its own use case framework based on our years of threat detection and monitoring experience. This framework includes 16 common attack vectors with scenarios mapped to the enterprise MITRE ATT&CK matrix. One use case could have upwards of a hundred scenarios, and these scenarios are what you’ll tie your detection rules to. Even if you’re not a client of ours, it’s helpful to think of your threat detection strategy in this top-down way.

2. Prioritize detection based on your threat model.

Use cases provide the foundation for your threat detection strategy, but given the hundreds of potential scenarios and thousands of potential alerts, it’s still a lot to wade through. Threat modeling will help narrow this down to help you prioritize your detection strategy.

At Kudelski Security, when we onboard clients, we take them through a threat modeling exercise to identify the attacker groups targeting their geographic region and industry and the objectives of that group—e.g. ransomware, disruption of critical processes, political motivations, etc.

We also work to understand what we’re defending (from a technical and business perspective).

With their threat model defined, we can identify the Tactics, Techniques, and Procedures (TTPs) those threat groups use and map them to MITRE techniques. We may find that there are overlapping techniques between the groups.

Where we have the most overlap is where we’ll start with our detection strategy, then the second most, the third, and so on.

3. Collect the right data.

It’s only after completing the two steps above that you’re ready to actually start collecting data. You know the types of threats you’re most vulnerable to and the TTPs associated with those threats. Better yet, you know which tactics are shared across threats, helping you focus detection efforts where they’ll have the most immediate impact. This should give you a clearer picture of the sources and types of data you should be pulling into your SIEM.

As a rule of thumb, we always recommend collecting the following types of data. Nearly all the IR projects our team is brought into could have been detected with properly configured alerts from these sources.

Microsoft Windows Logs (not just defaults) Intrusion Detection Systems Netflow AntiVirus Logs IaaS Cloud Logs
Mail Server / Gateways Web Application Firewalls Firewall Logs (accept & deny) Authentication Data Web Proxies


I started this series out with some grim facts about our ability to successfully detect threats, so it’s only fair that I end with some good news.

You likely already have everything you need to improve threat detection and response. What matters is collecting the right data from the right sources to detect the right threats for your environment.

It’s something my team and I are happy to help you out with. Just drop us a line.

This post summarizes content presented during a session at the 2021 European Cyber Summit session “Threat Monitoring and Detections as Code.”

For more information about Kudelski Security’s Managed Detection & Response capabilities, click here.

Francisco Donoso