DE

Detect

Find and analyze possible cybersecurity attacks and compromises. How quickly that happens largely determines whether a breach ends as a contained incident or a catastrophe.

See It Coming

No defense is perfect. Protect reduces the attack surface; Detect finds what gets through. The value of a detection falls sharply with the time it takes to arrive: a breach detected in minutes is an incident, a breach detected in months is a disaster.

Categories

  • DE.CM — Continuous Monitoring — Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
  • DE.AE — Adverse Event Analysis — Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

Key Concepts

Continuous monitoring, not periodic scanning. DE.CM means real-time or near-real-time awareness. SIEM, EDR, network monitoring, log aggregation, DMARC reporting (a lagging feed, since aggregate reports typically arrive daily) all feed a continuous picture of what is happening in your environment.

Analysis separates signal from noise. DE.AE is what turns an alert into an incident. Automated correlation, anomaly detection, threat intelligence enrichment — the analytical layer that determines whether a log entry is routine or hostile.

Mean time to detect (MTTD) is the headline metric: the time from the first adverse event to the alert that surfaces it, which is what dwell-time figures in breach reports measure. Industry averages for breach detection are still measured in weeks to months. Every day an attacker has undetected access is a day they are moving laterally, exfiltrating data, and establishing persistence.

Detection-to-response latency matters more than detection accuracy. A perfect detection that takes an hour to act on is worth less than a good-enough detection that triggers automated containment in seconds. The caveat is precision: automated containment should only fire on high-confidence alerts (corroborated by correlation or threat intelligence, not a single noisy signal), or false positives turn the response pipeline into a self-inflicted denial of service. Lower-confidence alerts still get raised, but go to an analyst rather than to an automated block.
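The following is an added example, not code from the original page or from NIST, that puts the DE.AE analysis layer and the two latency points above into working form: it replays constructed SSH authentication log lines, correlates repeated failures followed by a success from one source address, enriches each alert with a constructed threat-intel list, gates automated containment on confidence, and computes MTTD from the first contributing event to the alert. The log format, addresses, rule names, thresholds and intel entries are all assumptions chosen for illustration.

```python
"""Toy SIEM-style analysis layer (DE.AE) over constructed auth log lines.

Added example: correlation (N failures then a success from one source),
threat-intel enrichment, a confidence-gated containment decision, and MTTD
measured from the first adverse event to the alert. All data is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an OpenSSH/syslog-like format (not real data).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T09:00:03Z sshd[1202]: Failed password for admin from 203.0.113.7 port 51001 ssh2
2024-03-01T09:00:06Z sshd[1203]: Failed password for deploy from 203.0.113.7 port 51002 ssh2
2024-03-01T09:01:30Z sshd[1204]: Accepted password for deploy from 203.0.113.7 port 51003 ssh2
2024-03-01T09:02:10Z sshd[1205]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2024-03-01T09:02:15Z sshd[1206]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
2024-03-01T09:05:00Z sshd[1207]: Accepted publickey for bob from 198.51.100.9 port 40200 ssh2
"""

# Constructed threat-intel feed: source addresses reported as hostile (hypothetical).
THREAT_INTEL = {"203.0.113.7", "198.51.100.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAILURE_THRESHOLD = 3            # failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)   # correlation window per source address


@dataclass(frozen=True)
class Event:
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass
class Alert:
    rule: str
    ip: str
    user: str
    first_event: datetime   # earliest event that contributed to the alert
    detected_at: datetime   # time the rule fired (event time in this replay)
    severity: str
    intel_hit: bool

    @property
    def time_to_detect(self) -> timedelta:
        return self.detected_at - self.first_event


def parse(line: str) -> Event | None:
    """Parse one log line; unrelated lines return None and are ignored."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["outcome"], m["user"], m["ip"])


def analyze(lines) -> list[Alert]:
    """Replay lines in order and emit alerts. Correlation state is kept per source IP."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    alerts: list[Alert] = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        # Drop failures that have aged out of the correlation window.
        recent = [t for t in failures[ev.ip] if ev.ts - t <= WINDOW]
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            failures[ev.ip] = recent
            continue
        failures[ev.ip] = recent
        intel_hit = ev.ip in THREAT_INTEL   # enrichment step
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(Alert("brute-force-then-success", ev.ip, ev.user,
                                first_event=recent[0], detected_at=ev.ts,
                                severity="critical" if intel_hit else "high",
                                intel_hit=intel_hit))
            failures[ev.ip] = []   # reset so one campaign yields one alert
        elif intel_hit:
            alerts.append(Alert("login-from-known-bad-ip", ev.ip, ev.user,
                                first_event=ev.ts, detected_at=ev.ts,
                                severity="medium", intel_hit=True))
        # A single failure followed by a success from a clean address is noise: no alert.
    return alerts


def containment_action(alert: Alert) -> str:
    """Automate containment only where a false positive could not cause an outage."""
    if alert.rule == "brute-force-then-success" and alert.intel_hit:
        return f"block {alert.ip} at the edge; revoke sessions for {alert.user}"
    if alert.severity in ("critical", "high"):
        return "page on-call"
    return "queue for analyst review"


def mean_time_to_detect(alerts) -> float:
    """MTTD in seconds: mean gap between the first adverse event and its alert."""
    if not alerts:
        return 0.0
    return sum(a.time_to_detect.total_seconds() for a in alerts) / len(alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS.splitlines())
    for a in found:
        print(f"{a.detected_at:%H:%M:%S} {a.severity:8} {a.rule:26} {a.ip:13} "
              f"user={a.user} ttd={a.time_to_detect.total_seconds():.0f}s -> {containment_action(a)}")
    print(f"MTTD: {mean_time_to_detect(found):.1f}s over {len(found)} alert(s)")
```

Run as a script and the replay yields two alerts: the credential-stuffing run from 203.0.113.7 (detected 89 seconds after its first failure, auto-contained because correlation and intel agree) and the key-based login from 198.51.100.9 (intel only, so it is queued rather than blocked); alice's single mistyped password produces nothing. The MTTD here reflects when the rule could fire given the data, which is the floor a real pipeline adds its ingestion and queueing delays on top of.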