Blog post

The Best Starting Technology for Detection?

By Anton Chuvakin | March 06, 2018 | 2 Comments

security monitoring, incident response

We talked about starter detection and response processes; now what about the tools? Namely, tools that help you start your detection and response capability. Here, some “experts” will shout “screw the tools! Security is a process, not a product!”

Sadly, among the least mature organizations [at which this research is aimed!], the opposite perception is firmly in place: “security is a box, what do you mean by ‘process’… huh?” [BTW, I am not joking here – some of you reacted to my utterly depressing post with “WTF, the reality is much worse and Anton is an optimist” :-)]

In fact, I learned a fascinating concept last week: that of a “natural process.” In plain English, it is the shit you do when you have no set and/or documented process for accomplishing your goal. Example: a “natural process” for DFIR is panic, scream, turn off computers, polish your resume, then go on eBay to buy new mice because the old ones are “hacked”…

Now, a warning: before you read the below, think “STARTING”, “BEGINNER”, “LOW MATURITY” and often also “SEVERELY BUDGET CONSTRAINED.” Note this does not necessarily mean SMB, but it often does.

OK, so what are the choices?

  • LOGS: A SIEM of some sort, perhaps a log management tool with decent alerting (as Gartner says here). Notably, SIEM is ***NOT*** at all an obvious choice here, but log analysis of some sort probably is (also see debate below that post), due to its breadth and flexibility of covered use cases.
  • TRAFFIC: A network detection tool of some sort (we can debate NIDS vs NTA later); it may be something that is a module in your UTM or a firewall, or a good old IDS. Note that perhaps it is useful to differentiate between detection on the perimeter vs inside the perimeter.
  • ENDPOINT: not a common starter tech choice for detection (but very much so for incident response). Still, we expect that as EPP and EDR merge together, it will be more popular. Or, perhaps, OSSEC HIDS suffices for some? [here is a fun debate on this topic, but admittedly NOT between or for the beginners, because APT :-)]
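
To make the LOGS option concrete, here is an added example (my own illustration, not code from the post or from any product it mentions) of the kind of “log management with decent alerting” a starter program actually runs: a handful of constructed sshd auth-log lines, parsed and fed through one stateful rule that flags a burst of failed logins from a single source and escalates if that same source then logs in successfully. The log lines, the threshold (5 failures in 60 seconds) and the rule names are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sshd lines for the example; not real data.
SAMPLE_LOG = """\
Mar  6 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  6 10:00:03 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  6 10:00:05 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  6 10:00:07 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  6 10:00:09 web1 sshd[2005]: Failed password for bob from 203.0.113.5 port 40005 ssh2
Mar  6 10:00:12 web1 sshd[2006]: Accepted password for bob from 203.0.113.5 port 40006 ssh2
Mar  6 10:05:00 web1 sshd[2007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  6 10:30:00 web1 sshd[2008]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2018):
    """Return a dict for an sshd auth event, or None for lines the rule ignores.
    Syslog lines carry no year, so the caller supplies one (assumption: 2018)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect(lines, threshold=5, window_seconds=60):
    """Sliding-window rule keyed on source IP.

    medium: >= threshold failed logins from one source inside window_seconds
    high:   a successful login from that source while its burst is still recent
    Each source trips the medium alert once per burst, not once per extra failure.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    bursting = set()               # sources whose failure count crossed the threshold

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line (or unparseable); a starter rule just skips it
        src, q = ev["src"], failures[ev["src"]]

        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that aged out of the window
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "src": src, "count": len(q), "ts": ev["ts"]})
        else:  # Accepted
            recent = bool(q) and (ev["ts"] - q[-1]).total_seconds() <= window_seconds
            if src in bursting and recent:
                alerts.append({"severity": "high", "rule": "ssh_bruteforce_success",
                               "src": src, "user": ev["user"], "ts": ev["ts"]})
            # success from a source that was not bursting is normal traffic; reset its state
            q.clear()
            bursting.discard(src)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

The point for a beginner program is in the second alert: a burst of failures alone is noise on any internet-facing host, while “burst, then success from the same source” is the thing you actually want a human to look at. The same shape (parse, key on an entity, keep a little state, escalate on a sequence) is what a SIEM correlation rule does, and it is also what you lose if you outsource to an MSSP without keeping your own copy of the logs for IR and troubleshooting.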

What is obviously missing? Ah, glad you asked!

  • MSSP / MDR with whatever technology they bring (typically, logs, but nowadays often a combination of logs + traffic, and occasionally logs + endpoint via EDR) [note that it is often advisable to combine an MSSP with your own log management, such as for IR and troubleshooting]. Note that our existing guidance favors this approach quite a bit.

Anything else? Some “spork-style” tool that combines several/all of the above? Or, perhaps, our thinking is too constrained by the above categories?

Blog posts related to this project:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Richard Rushing says:

    Awesome post, and I agree. Doing something is better than nothing. I think there are 2 overlays that go along with this, if you're not doing an MSSP:

    internal staff knowledge

    Some things like window event logs, domain reputation, OSINT, etc..

    if you have a small security-savvy staff you can handle a SIEM if not focus somewhere else.

    FTE for upkeep is another
    Do you have enough sysadmins to support the tools for upgrades and management and storage upkeep as well?

    My vote is endpoint. Historically it's harder having to touch so many devices versus touching a few network points. But many of the new solutions support cloud, client management, multiple OSes, and nice dashboards and workflow, which makes these the easiest today.

    • Richard, thanks a lot for this comment. Indeed, we of course plan to cover the 3rd (rather, the 1st) leg of the stool re: personnel to start off the effort. For sure, internal staff knowledge would matter for the program initiation, and I’ve been saving it for last since it is the trickiest. Re: OSINT – not sure, while I love it, it feels a poor fit for a true STARTER program…

      Re: endpoint vs network – thanks for the vote, but I don’t think we have a chance of determining the truth here, agent hatred is strong BUT also so many devices aren’t really on the monitored networks, so it feels at times a LOSE/LOSE story 🙁