Introducing Detection Surface, The Cybersecurity Defense That Parallels Attack Surface

On traditional infrastructure (laptops, servers, workstations, on-premises network infrastructure), the attack surface was the closest match to true perimeter-based security we could get. The network infrastructure gave access to the systems inside (crunchy exterior; gooey, cubicle, khakis, and blue button-downs inside). As such, detection of attacker activity was relegated to network-based activity, endpoint-based activity, and perhaps Active Directory. Simple, right? (It wasn’t, but that’s a different blog.)

All of that changed with significant advancements in various technologies, which, for the purposes of this blog, we will oversimplify to “the transition to the Cloud Era.” The Cloud Era is the time when we broke away from the traditional perimeter with IaaS, PaaS, SaaS, cloud workloads, identity, serverless, IoT, and anywhere work.

Long story short, the transition changed one thing in a major way: We now have far more variety and diversity of attack surfaces to defend than we did before. The term “attack surface” rose in popularity over the past few years to describe the growing IT asset estate.

Monolithic Security Terms Aren’t Descriptive Enough

However, we have no parallel to attack surface to describe where we can detect and, optionally, immediately and automatically respond to attacker activity. This is a problem, one exemplified by terms like “cloud detection.”

If you talk to our colleague Andras Cser, he’ll describe the current and emerging complexity of cloud security, which encompasses far more than a monolithic, singular tool to defend all clouds.

Terms like “cloud detection” can include anything from CSG, CASB, CWS, SSPM, SaaS detection … and the list goes on. There are too many technologies to fit into this broad term. This can have a substantial impact on how detection occurs and why.

Overly Granular Detection Categories Aren’t Necessary (Or Wanted)

And no matter how much security vendors might want us to, we can’t keep adding “term + detection” forever.

Detection Surface Describes Where Detection Of Attacker Activity Takes Place

All of these reasons are why we’re introducing the term “detection surface” today. Forrester defines detection surface as:

The IT asset type upon which detection of attacker activity occurs.

Detection surface directly parallels attack surface. It describes the IT assets upon which we can detect attacker activity, much like attack surface describes the IT assets within an estate.

Take endpoint detection and response (EDR) for example. Detection on Windows, Mac, Linux, iOS, Android, and IoT devices is not the same, yet they are all endpoints. You can detect attacks on all of them, and some vendors call detection on all of them EDR. They each represent different detection surfaces that a particular EDR may or may not detect on.

To put this into practical terms, consider the following:

  • A question you likely often ask vendors in contention for EDR adoption: “What detection surfaces do you have coverage for?” They may answer: Windows, Mac, Linux, iOS, Android. Or they may get more specific: Windows 11 21H2, 10 21H2, 10 Redstone 5, 8.1, 8, 7, Server 2022, Server 2019, etc.
  • A question you likely often ask vendors when discussing cloud detection: “What detection surfaces do you have coverage for?” They may answer: containers, an AWS instance, an identity, a SaaS application, etc.
  • A question you may ask vendors when discussing security analytics or UBA: “What detection surfaces do you have coverage for?” They may answer: The detection surface can be a combination of components based on what logs you bring into the SIEM: AD, Azure AD, Windows 11, and an Azure instance, for example.

Use Detection Surface To Better Understand Where Detection Takes Place

This term has come up organically in conversation with practitioners, vendors, and others, especially as we explore detection on new and emerging technologies.

The cloud is the most potent example of this: many vendors say they do “cloud detection,” when in reality there are a LOT of things that can be detected on to protect the cloud, from containers to IaaS to SaaS to identity.

Logging Is Not Detection

Detection surface bridges visibility and detection. It breaks the myth that logging is the same as detection; it isn’t. Logging (when it’s actually in place) is visibility. Detection surface goes beyond logging and visibility. It’s about the application of detection, not the presence of visibility.

Forrester clients who have questions about detection surface or building a detection engineering function can reach out to me or Jeff via inquiry or guidance session. Also, check out this new report on building a detection engineering function!
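As an added illustration, not part of the original post, the following Python coverage check makes the visibility-versus-detection distinction concrete. Each constructed sample event is tagged with the detection surface (IT asset type) it was collected from, the way a SIEM tags its log sources, and each detection rule declares which surfaces it is written for. A surface that sends logs but has no applicable rule is visibility only; a surface with a rule but no logs is detection logic without coverage; only the intersection is a detection surface in the sense defined above. All surface names, event fields, rules and log events here are constructed for the example.

```python
"""Detection-surface coverage check (illustrative, constructed data).

Answers: on which asset types do we merely log, and on which do we actually
apply detection logic?
"""

from dataclasses import dataclass
from typing import Callable

Event = dict[str, str]


@dataclass(frozen=True)
class DetectionRule:
    name: str
    surfaces: frozenset[str]            # detection surfaces the rule is written for
    match: Callable[[Event], bool]      # the detection logic itself


# Constructed sample events (not real logs). "surface" is the asset type the
# event was collected from; the remaining fields mimic what a SIEM would hold.
SAMPLE_EVENTS: list[Event] = [
    {"surface": "windows_11", "event": "process_create",
     "image": "powershell.exe", "cmdline": "powershell.exe -enc BASE64PLACEHOLDER"},
    {"surface": "windows_11", "event": "process_create",
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"surface": "azure_ad", "event": "signin", "result": "failure", "user": "alice"},
    {"surface": "azure_ad", "event": "signin", "result": "failure", "user": "alice"},
    {"surface": "aws_ec2", "event": "api_call", "api": "ModifyInstanceAttribute"},
    {"surface": "linux", "event": "process_create",
     "image": "/usr/bin/curl", "cmdline": "curl http://example.invalid/x.sh"},
]


def encoded_powershell(e: Event) -> bool:
    """Constructed rule: PowerShell launched with an encoded command."""
    return e.get("image") == "powershell.exe" and "-enc" in e.get("cmdline", "")


def failed_signin(e: Event) -> bool:
    """Constructed rule: any failed interactive sign-in."""
    return e.get("event") == "signin" and e.get("result") == "failure"


# Constructed rule set. Note the surfaces each rule claims: a rule for
# Windows Server 2019 exists, but no Server 2019 host sends logs below.
DETECTION_RULES: list[DetectionRule] = [
    DetectionRule("encoded_powershell",
                  frozenset({"windows_11", "windows_server_2019"}), encoded_powershell),
    DetectionRule("failed_signin",
                  frozenset({"azure_ad", "active_directory"}), failed_signin),
]


def surfaces_with_visibility(events: list[Event]) -> set[str]:
    """Asset types we receive logs from (visibility, not yet detection)."""
    return {e["surface"] for e in events}


def surfaces_with_detection(rules: list[DetectionRule]) -> set[str]:
    """Asset types some rule is written for (detection logic exists)."""
    return set().union(*(r.surfaces for r in rules))


def coverage_report(events: list[Event], rules: list[DetectionRule]) -> dict[str, set[str]]:
    """Split asset types into true detection surfaces and the two kinds of gap."""
    visible = surfaces_with_visibility(events)
    detected = surfaces_with_detection(rules)
    return {
        "detected": visible & detected,            # logs arrive AND a rule applies
        "visibility_only": visible - detected,     # logs arrive, nothing looks at them
        "rules_without_logs": detected - visible,  # rule exists, surface never sends logs
    }


def run_detections(events: list[Event], rules: list[DetectionRule]) -> list[tuple[str, Event]]:
    """Apply each rule only to events from the surfaces it is written for."""
    hits = []
    for e in events:
        for r in rules:
            if e["surface"] in r.surfaces and r.match(e):
                hits.append((r.name, e))
    return hits


if __name__ == "__main__":
    for bucket, surfaces in coverage_report(SAMPLE_EVENTS, DETECTION_RULES).items():
        print(f"{bucket:>20}: {sorted(surfaces)}")
    for name, event in run_detections(SAMPLE_EVENTS, DETECTION_RULES):
        print(f"HIT {name} on {event['surface']}")
```

Running it shows `aws_ec2` and `linux` under `visibility_only`: logs are flowing in, but no detection logic is applied to them, so they are not yet detection surfaces. The `rules_without_logs` bucket is the opposite gap, where a vendor or a rule author claims a surface that the estate never actually reports from. Either list is the kind of answer to ask for when a vendor says they "cover" a platform.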

Creator: Allie Mellen
Date: 2023-06-26 10:32:00
