Using MSV for Detection Engineering Quality Assurance

Just wanted to introduce myself and see if anyone else was using MSV as part of their detection engineering practice.

We've been using a test-driven detection process for about a year now. Getting intel tasks, building MSV tests, then creating detection against the SIEM events. We're working on scheduling for ongoing automated validation.


Great to meet you! Your approach of integrating MSV (Metric System Validation) into your detection engineering practice is commendable. Utilizing a test-driven detection process for a year reflects a proactive stance towards enhancing your security posture. The systematic flow from intel tasks to MSV tests and then to SIEM event detection aligns well with a robust and structured detection strategy. The ongoing focus on automated validation scheduling demonstrates a commitment to efficiency and continuous improvement in your security operations.

Hello, msvwrangler,

I do, also. Where do your intel tasks come from? TAAM? How do you decide which tests to run? Are you leveraging Monitors for the ongoing automated validation?

Thanks

Intel tasks come from our CTI team primarily. Our detection engineering pipeline is full as-is without significantly curating content from Mandiant, though we will find existing Mandiant Actions that fit our CTI tasks.

I'm not using the built-in Monitoring function for ongoing validation, I've built a piece of software to interface with MSV and our SIEM to track relationships between custom rule content, and MSV Actions. It detects when rules change, or tests are not run within a specified timeframe to automatically schedule re-testing and then notify me when unexpected results (missing alerts) occur.

The MSV API is robust and flexible enough to enable some interesting enhancements to the product, and work around some of the limitations of the platform that come from a focus on identifying prevention behavior, rather than detection behavior.
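The bookkeeping described above (rule-to-action links, re-test triggers on rule change or staleness, and a missing-alert check after the re-run) can be sketched in a few dozen lines. The following is an added example written for this thread; it is not msvwrangler's software and does not call the real MSV or any SIEM API. The action identifiers, rule texts, timestamps and observed alerts are all constructed, and the functions that would fetch live data are simply replaced by the in-memory dictionaries below.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RuleLink:
    """One custom SIEM rule paired with the validation action that exercises it.
    action_id is a hypothetical identifier, not a real MSV action."""
    rule_id: str
    action_id: str
    tested_hash: str                  # fingerprint of the rule content at the last passing test
    last_tested: Optional[datetime]   # None means the pair has never been validated
    expected_alert: str               # alert the SIEM must raise when the action runs


def rule_hash(rule_text: str) -> str:
    """Whitespace-normalised SHA-256 so a reformat alone does not count as a rule change."""
    normalised = " ".join(rule_text.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def retest_reason(link: RuleLink, current_text: str,
                  now: datetime, max_age: timedelta) -> Optional[str]:
    """Return why this link must be re-run, or None if it is current and fresh."""
    if link.last_tested is None:
        return "never tested"
    if rule_hash(current_text) != link.tested_hash:
        return "rule content changed"
    if now - link.last_tested > max_age:
        return f"last test older than {max_age.days} days"
    return None


def plan_retests(links: List[RuleLink], current_rules: Dict[str, str],
                 now: datetime, max_age: timedelta) -> List[Tuple[str, str, str]]:
    """(rule_id, action_id, reason) for every pair that needs scheduling."""
    plan = []
    for link in links:
        text = current_rules.get(link.rule_id)
        if text is None:
            plan.append((link.rule_id, link.action_id, "rule missing from SIEM"))
            continue
        reason = retest_reason(link, text, now, max_age)
        if reason:
            plan.append((link.rule_id, link.action_id, reason))
    return plan


def missing_alerts(links: List[RuleLink],
                   observed: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """After the re-run, list links whose expected alert did not appear in the SIEM.
    observed maps action_id -> set of alert names seen for that action's run."""
    return [(l.rule_id, l.action_id, l.expected_alert)
            for l in links
            if l.expected_alert not in observed.get(l.action_id, set())]


# --- constructed sample data standing in for the MSV and SIEM queries -------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=30)

# Current rule content as it would be pulled from the SIEM (constructed).
CURRENT_RULES = {
    "rule-001": "event_type = process_start AND cmdline CONTAINS '-enc'",
    "rule-002": "event_type = process_start AND parent = 'winword.exe' AND child = 'cmd.exe'",
    "rule-003": "event_type = logon AND logon_type = 10 AND src_ip NOT IN trusted_ranges",
    "rule-004": "event_type = scheduled_task_created AND author NOT IN admins",
}

LINKS = [
    # fresh and unchanged: no re-test needed
    RuleLink("rule-001", "act-001", rule_hash(CURRENT_RULES["rule-001"]),
             NOW - timedelta(days=5), "Encoded PowerShell"),
    # content was edited since the last test (old text hashed here)
    RuleLink("rule-002", "act-002", rule_hash("event_type = process_start AND parent = 'winword.exe'"),
             NOW - timedelta(days=5), "Office spawning shell"),
    # unchanged but stale
    RuleLink("rule-003", "act-003", rule_hash(CURRENT_RULES["rule-003"]),
             NOW - timedelta(days=45), "External RDP logon"),
    # never validated
    RuleLink("rule-004", "act-004", rule_hash(CURRENT_RULES["rule-004"]),
             None, "Unexpected scheduled task"),
]

# Alerts the SIEM reported after the re-run (constructed): act-003 produced nothing.
OBSERVED = {
    "act-002": {"Office spawning shell"},
    "act-003": set(),
    "act-004": {"Unexpected scheduled task"},
}


def demo():
    plan = plan_retests(LINKS, CURRENT_RULES, NOW, MAX_AGE)
    retested = [l for l in LINKS if l.rule_id in {p[0] for p in plan}]
    return plan, missing_alerts(retested, OBSERVED)


if __name__ == "__main__":
    plan, missing = demo()
    for item in plan:
        print("schedule:", item)
    for item in missing:
        print("MISSING ALERT:", item)
```

The two decisions worth keeping separate are the scheduling decision (plan_retests, driven purely by rule fingerprint and age) and the result check (missing_alerts, driven by what the SIEM actually raised); wiring each to the respective product API is the only part that changes per environment.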

MSV = Metric System Validation? Or Mandiant Security Validation? 

Mandiant Security Validation. I'm not sure the post that uses the other definition is authentic.

I've worked with several customers to successfully integrate MSV into their detection engineering workflows – and always welcome the opportunity for more! In one case, I systematically reviewed a client's existing detection rules, aligning them with detection sets and using either out-of-the-box or custom content for validation. While effective, some rules couldn't be tested safely due to potential risks.

Based on this, I recommend building validation directly into the development sprint process for new detections. This proactive approach appears successful. Naturally, a well-defined process is crucial for the long-term success of any MSV implementation. I'm happy to delve deeper into specific strategies and experiences.