How I Learned to Stop Worrying and Build a Modern Detection & Response Program

Allyn Stott

You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection & response program (and finally get some sleep). Gone are the days of buying the ol’ EDR/IDS/NGAV combo, throwing some engineers on an on-call rotation, and calling it your incident response team. You need a robust and comprehensive detection and response program to fight the modern-day attackers that threaten to disable, disrupt, degrade, destroy, and steal from the enterprise you protect. But there are many challenges in the way: alert fatigue, expensive tools, hiring talent that is impossibly difficult, and a current team that is overworked from running firefights every day. How do you successfully build a modern detection and response program, all while riding the rocket of never-ending incidents and unforgiving on-call schedules? This talk addresses the lack of a framework, which has led to ineffective, outdated, and afterthought detection and response programs. At the end of this talk, you will walk away with a better understanding of all the capabilities a modern program should have and a framework to build or improve your own.

Key takeaways:

  • A framework to guide leadership and engineers in building or improving a modern detection and response program, along with a better understanding of what processes, capabilities, and skill sets are needed to detect and respond to modern threats.
  • Methods to measure and report on the effectiveness, efficiency, and threat coverage of a detection and response program (and how to identify failures or inefficiencies early and course correct).
  • Lessons learned on how to empower your teams to succeed and overcome operational time-sinks.

Speaker's Bio

Allyn Stott is a senior staff engineer at Airbnb. He currently works on the information security technology leadership team, where he spends most of his time working on threat detection and incident response. He especially enjoys building strategies for hunting down and finding advanced threat actors. Over the past decade, he has built and run detection and response programs at companies including Delta Dental of California, MZ, and Palantir. Red team tears are his testimonials. In the late evenings, after his toddler ceases all antics for the day, Allyn writes a semi-regular, exclusive security newsletter. This morning espresso shot can be served directly to your inbox by subscribing here: Allyn has previously presented at Kernelcon, BSides Seattle, BSides SATX, and The Diana Initiative. He received his Master's in High Tech Crime Investigation from The George Washington University as part of the Department of Defense Information Assurance Scholarship Program.