CatsCrdl

CatsCrdl

Daniel's thoughts on infosec

There are Only Two Rules

One mental model I've maintained for a long time is that there are only two types of detection rules. We'll cover what those rules are and why this distinction matters.

Daniel Wyleczuk-Stern

12-Minute Read

A cyber security professional offering a choice between a red pill and a blue pill in a style reminiscent of the Matrix. The scene captures a futuristic and mysterious atmosphere.

In the field of detection engineering, understanding and applying the right frameworks is crucial for effectively identifying and responding to threats. Mental models provide a structured way of categorizing and approaching the myriad of security alerts and anomalies we face daily. These models help us dissect and understand the behavior of potential threats, allowing for a more targeted and effective defense strategy. In this blog post, I’ll explain how I use one mental model to clearly…

Building Resilient Detection Suppressions

When a false positive occurs, how do you approach tuning your detector? Do you allowlist that one event? That can lead to another false positive tomorrow. This article will provide an example of how we build resilient suppressions.

Daniel Wyleczuk-Stern

4-Minute Read

A Cybersecurity Engineering Playing Whack-a-Mole

Raise your hand if you’ve worked on suppressing a false positive for a detector and then the very next day, it’s back in your “fix” queue with another false positive. I’d expect almost everyone who’s worked in detection engineering for any period of time has their hand raised or is nodding along. Why does this happen? Well, sometimes the detector itself isn’t very good and it’s alerting on a lot of benign behavior. But sometimes, the answer is that…

Recent Posts

Categories

About

A random collection of thoughts on cybersecurity.