RSA detection engineering

This presentation introduces detection engineering, the discipline that shifts security from relying solely on preventive controls to detecting adverse events and responding to them. A core principle is treating detections as code: using software development tools and processes such as version control, approval flows, and automation to manage the detection life cycle.

Sumo Logic applies this internally to manage over 1,000 Cloud SIEM rules, updating them frequently using a content repository (like GitHub), automated testing, and a two-engineer approval process. Treating detections as code also enables automation, such as automatically generating a content catalog (documentation).
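The automated-testing and catalog-generation steps described above can be illustrated with a small CI gate. The following is an added example, not Sumo Logic's pipeline and not the Cloud SIEM rule format: the rule schema, the tiny `key=value AND key~regex` predicate language, and the sample rules are all constructed for illustration. In a real repository the rules would be read from files and the gate would run on every pull request before the two-engineer approval.

```python
"""Detections-as-code CI gate (added example, not Sumo Logic's own code).

Each rule carries its own test cases; the gate validates the schema, runs
the cases, and emits a Markdown content catalog.  The rule schema and the
predicate language are constructed assumptions for this illustration.
"""
import re
import sys

REQUIRED_FIELDS = {"id", "name", "severity", "expression", "tests"}
SEVERITIES = ("low", "medium", "high", "critical")
# One term of the constructed predicate language: key=value, key!=value, key~regex
TERM = re.compile(r"^(\w+)(!=|=|~)(.+)$")

# Constructed sample content, standing in for rule files in a content repo.
RULES = [
    {
        "id": "EX-001",
        "name": "Privileged login from outside the corporate network",
        "severity": "high",
        "expression": "event=login AND user_role=admin AND src_zone!=corp",
        "tests": [
            {"event": {"event": "login", "user_role": "admin", "src_zone": "internet"}, "match": True},
            {"event": {"event": "login", "user_role": "admin", "src_zone": "corp"}, "match": False},
        ],
    },
    {
        "id": "EX-002",
        "name": "Account added to local Administrators group",
        "severity": "medium",
        "expression": "event=group_change AND group=Administrators AND action=add",
        "tests": [
            {"event": {"event": "group_change", "group": "Administrators", "action": "add"}, "match": True},
            # Deliberately wrong expectation: a removal must not match, so this case fails the gate.
            {"event": {"event": "group_change", "group": "Administrators", "action": "remove"}, "match": True},
        ],
    },
    {
        # Deliberately incomplete: no severity and no tests, so validation rejects it.
        "id": "EX-003",
        "name": "DNS query for a reserved test domain",
        "expression": "event=dns AND qname~\\.invalid$",
        "tests": [],
    },
]


def parse(expression):
    """Split 'a=b AND c~d' into (key, op, value) terms; raise ValueError on bad syntax."""
    terms = []
    for raw in expression.split(" AND "):
        m = TERM.match(raw.strip())
        if not m:
            raise ValueError(f"bad term: {raw.strip()!r}")
        key, op, value = m.groups()
        if op == "~":
            try:
                re.compile(value)
            except re.error as exc:
                raise ValueError(f"bad regex in {raw.strip()!r}: {exc}") from exc
        terms.append((key, op, value))
    return terms


def evaluate(expression, event):
    """Return True when every term of the conjunction holds for the event dict."""
    for key, op, value in parse(expression):
        actual = str(event.get(key, ""))
        if op == "=" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
        if op == "~" and not re.search(value, actual):
            return False
    return True


def validate_rule(rule):
    """Schema checks; returns a list of human-readable errors (empty when valid)."""
    errors = [f"missing field: {f}" for f in sorted(REQUIRED_FIELDS - rule.keys())]
    if "severity" in rule and rule["severity"] not in SEVERITIES:
        errors.append(f"unknown severity: {rule['severity']}")
    if "expression" in rule:
        try:
            parse(rule["expression"])
        except ValueError as exc:
            errors.append(str(exc))
    if not rule.get("tests"):
        errors.append("no test cases")
    return errors


def run_tests(rule):
    """Run the rule's embedded cases; returns a list of failure descriptions."""
    failures = []
    for i, case in enumerate(rule["tests"]):
        got = evaluate(rule["expression"], case["event"])
        if got != case["match"]:
            failures.append(f"{rule['id']} test {i}: expected {case['match']}, got {got}")
    return failures


def gate(rules):
    """CI gate: map rule id -> problems. An empty dict means the branch may merge."""
    problems = {}
    for rule in rules:
        issues = validate_rule(rule) or run_tests(rule)
        if issues:
            problems[rule.get("id", "<no id>")] = issues
    return problems


def build_catalog(rules):
    """Generate the content catalog (Markdown table) from the rule definitions."""
    lines = ["| ID | Name | Severity | Expression |", "|---|---|---|---|"]
    for rule in sorted(rules, key=lambda r: r.get("id", "")):
        lines.append(f"| {rule.get('id', '')} | {rule.get('name', '')} | "
                     f"{rule.get('severity', 'unset')} | `{rule.get('expression', '')}` |")
    return "\n".join(lines)


if __name__ == "__main__":
    found = gate(RULES)
    for rule_id, issues in found.items():
        print(f"{rule_id}: " + "; ".join(issues))
    print(build_catalog(RULES))
    sys.exit(1 if found else 0)
```

Run as a script, the gate reports EX-002 (failing test case) and EX-003 (missing severity, no tests), prints the catalog, and exits non-zero so the pull request cannot merge until the content is fixed; the catalog generation is the documentation step that falls out of keeping rules in a repository.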

For customers, Sumo Logic provides Cloud SIEM rules as Terraform resources. Customers can keep rules in their own content repository and synchronize it with their Cloud SIEM instance using Terraform and automation such as GitHub Actions. This setup gives them version control, collaborative development, test branches, and continuous synchronization that typically completes in seconds and works in both directions. Further reading on detection engineering is available in external resources such as Brendan Chamberlain's reference guide.