How to Become a Detection Engineer?

Muhammet Donmez
Posted:
September 16, 2024

Detection Engineers are cybersecurity experts who design systems and processes to detect malicious activities and behaviors, in other words, cyber attacks. As part of the cyber security operations team, Detection Engineers are responsible for writing detection rules in various security products to detect cyber threats in systems. They set up and maintain the structures that generate security alarms. They also track the threat intelligence needed to detect cyber attacks and use this information to strengthen cyber defense mechanisms.

TL;DR

This article aims to provide a comprehensive guide for those who want to become a Detection Engineer. The Detection Engineering role is an essential part of cybersecurity operations and plays an important part in detecting malicious activity. Detection Engineers create and maintain detection rules by tracking current threats. They also analyze false positive and true positive alerts to continuously adjust rules and strengthen security defenses. For this role, it is important to have a degree in computer science or information security, 3-5 years of experience in cybersecurity, and a variety of technical skills. These include skills such as network security, security analysis, incident response, endpoint security, and threat intelligence. In addition, knowledge of programming and scripting and the ability to continuously learn are also critical. This article aims to guide those who want to pursue a career in this field by providing the necessary information and resources for those who want to become a Detection Engineer.

Job Requirements

There are some requirements for someone who wants to become a Detection Engineer. These requirements are shared below.

  • It is generally expected to have a bachelor's or master's degree in computer science, information security, or a similar field. 

  • Detection Engineers are generally expected to have 3-5 years of experience in cyber security. The purpose of this criterion is to ensure that they have enough experience to analyze alerts, to distinguish false positive from true positive alerts, and to tune the rules that generate them. In addition, detection engineers should know which security device a given log comes from, should not write rules for unnecessary logs, and, if only a raw log is available, should have the ability and experience to parse it into a form suitable for rule writing. It is not correct to assume that more rules are better: unnecessary rules put load on the platform and can degrade its functionality.

  • It is important to have technical knowledge of security devices (AV, EDR, FW, Proxy, IPS/IDS, etc.) and experience in network security, attack detection and response, and security information and event management (SIEM). Detection engineers should be able to recognize which type of attack will appear in the logs of which security device.

  • It is important to have good analytical skills to understand security threats, analyze attacks, and respond effectively. In other words, they should have worked as a SOC analyst before becoming a Detection Engineer, or have the equivalent skills.

  • They are expected to have advanced knowledge of Linux, Windows, and cloud platforms. The content of the rules to be written varies between platforms, and so do the locations of the logs. For example, on Windows rules are written for critical event IDs in the Windows Event Log (viewed with Event Viewer), while on Linux the equivalent logs are located in various files under /var/log. The Detection Engineer is expected to know which events in the environment may belong to an attacker and write rules for them.

  • Detection engineers should have knowledge of Malware Analysis, Reverse Engineering, and Forensics, because they need strong analysis skills to identify IOCs belonging to the malware or attacker and to investigate whether those IOCs are present on other machines. They also need to write rules from the IOCs obtained to detect repeated attacks that may occur in the environment.

  • They should have knowledge of programming or scripting, even at a basic level. Knowing regex well is an advantage because it helps avoid writing expensive rules. An expensive rule places a heavy load on the platform while it runs; if several such rules are written, the platform may run slowly or even stop its services from time to time. Therefore, Detection Engineers have to pay attention to this when writing rules.

  • Finally, they are expected to be open to continuous learning and development because new vulnerabilities are constantly emerging. These vulnerabilities should be analyzed quickly and rules written that fit the environment.
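The parsing, regex-cost and Linux-log points above in working form, as an added example that is not code from the original article: a Python script that takes constructed lines in the style of /var/log/auth.log (sshd messages via syslog), parses them with one anchored regex placed behind a cheap substring pre-filter, and applies a sliding-window brute-force rule. The sample lines, the threshold of 5 failures and the 60-second window are assumptions chosen for illustration, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of /var/log/auth.log (sshd via syslog); not real data.
SAMPLE_AUTH_LOG = """\
Sep 16 10:00:01 srv01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 16 10:00:05 srv01 sshd[2313]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 16 10:00:09 srv01 sshd[2315]: Failed password for root from 203.0.113.7 port 51244 ssh2
Sep 16 10:00:12 srv01 sshd[2317]: Failed password for root from 203.0.113.7 port 51250 ssh2
Sep 16 10:00:20 srv01 sshd[2319]: Failed password for root from 203.0.113.7 port 51255 ssh2
Sep 16 10:00:25 srv01 sshd[2321]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Sep 16 10:03:00 srv01 sshd[2340]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Sep 16 10:10:00 srv01 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One anchored regex with specific character classes. Anchoring with ^ and avoiding
# nested quantifiers such as (.*)+ keeps the rule cheap: the engine fails fast on
# lines that do not match instead of backtracking through them.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_sshd_line(line):
    """Turn one raw syslog line into a dict of fields, or None if it is not an sshd auth event."""
    # Cheap substring pre-filter: most lines never reach the regex at all.
    if "sshd[" not in line:
        return None
    m = SSHD_AUTH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    event["ts"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
    return event


def detect_ssh_bruteforce(raw_lines, threshold=5, window_seconds=60):
    """Sliding-window rule: >= threshold failed passwords from one source IP within the window.

    A later successful logon from a source that has reached the threshold is escalated,
    because that is the pattern a responder most needs to see first.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    already_alerted = set()         # alert once per source, not once per extra failure
    alerts = []
    for line in raw_lines:
        event = parse_sshd_line(line)
        if event is None:
            continue
        ip, ts = event["src_ip"], event["ts"]
        window = failures[ip]
        # Drop failures that fell out of the time window.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if event["result"] == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src_ip": ip, "count": len(window)})
        elif len(window) >= threshold:   # "Accepted" after a burst of failures
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src_ip": ip, "user": event["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

On the sample input this raises one medium alert when the fifth failure from 203.0.113.7 arrives and one high alert for the successful logon that follows; the single failure from 198.51.100.4 and the CRON line produce nothing. The same structure (parse once into fields, then count per key inside a time window) is what a SIEM correlation rule does internally, so tuning here means adjusting the threshold and window rather than the regex.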

Required Skills

Employers expect a Detection Engineer to have the following technical skills. The level of knowledge expected for these skills is usually advanced because Detection Engineers are among the technical personnel in the SOC (Security Operations Center) teams with the highest technical capacity and experience. Therefore, their technical skills are also expected to be at a high level.

  • Rule Tuning and Correlation: They should have the ability to write and tune detection rules so that the SIEM (Security Information and Event Management) in the environment operates in a healthy way.

  • Network Security Knowledge: It is important for the detection engineer to have in-depth knowledge of network protocols, routing, VLANs, VPNs, and traffic analysis to be able to write rules properly.

  • Security Analysis and Incident Response: They should be able to examine whether the alerts generated by the written detection rules are false positives or true positives, and tune the rules based on the alerts generated.

  • Endpoint Security: One of the most critical sources of alerts on systems is endpoints. It is critical that the attacker's activities are found in the logs on the endpoint. This is proof that the attacker has bypassed the security products and reached the end user. Therefore, detection rules to be written for the endpoint are very important. Detection rules should be written with as few false positive alerts as possible or, if possible, with no false positive alerts at all. For this, it is necessary to have an advanced level of knowledge in Endpoint Security.

  • Threat Intelligence and Analysis: Platforms such as a SIEM are fed with data from different sources through integrations. This incoming data sometimes includes various intelligence reports, and rules can also be written in line with these reports. For example, if an alert involves critical user accounts (Admin, CEO, CFO, etc.), actions such as raising a high-severity alert or automatically sending an e-mail can be taken quickly.

  • Scripting and Programming Skills (Python, PowerShell, etc.): Detection Engineers usually write rules proactively. However, sometimes they also support incident responders or forensic personnel at the time of an incident, writing rules for the attacker's IOCs to determine how far the attacker has spread in the network. They may also need to write small scripts to detect malicious activity on a system when its logs are not reaching the SIEM or the attacker has stopped log forwarding. Therefore, they are expected to know a certain level of Python and PowerShell. In addition, the platforms where you will write detection rules have their own query languages; it will be to your advantage to know popular ones such as Ariel Query Language (AQL), Kusto Query Language (KQL), and Splunk Search Processing Language (SPL).

  • Vulnerability Management: Detection Engineers are also involved in the vulnerability management process. They need to write rules to detect popular attacks on systems and attacks attempted by taking advantage of current vulnerabilities. They have to follow the current vulnerabilities. They are in contact with the relevant teams until the vulnerabilities are patched. Sometimes there are no direct patches for vulnerabilities. It is vitally important to follow the products affected by the vulnerability.
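The threat-intelligence and scripting points in the list above, as an added example that is not code from the original article: a Python script that takes a constructed IOC feed (an address range, a domain and a placeholder hash, none of them real indicators) and constructed, already-parsed events from several hosts, and reports which hosts each indicator was seen on. That per-host view is the "how far has the attacker spread" question the scripting bullet raises. The field names (`host`, `dst_ip`, `dst_domain`, `file_sha256`) and the feed format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder hash (64 hex chars) standing in for a real sample hash; not a real indicator.
PLACEHOLDER_SHA256 = "0123456789abcdef" * 4

# Constructed threat-intel feed, as a SIEM integration might deliver it. Addresses are
# documentation ranges and the domain is made up; none of these are real IOCs.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.0/24", "tag": "scanner-c2"},
    {"type": "domain", "value": "update-check.example", "tag": "phishing"},
    {"type": "sha256", "value": PLACEHOLDER_SHA256, "tag": "dropper"},
]

# Constructed, already-parsed events from several hosts (field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "ws-01", "dst_ip": "203.0.113.7"},
    {"host": "ws-02", "dst_ip": "198.51.100.9", "dst_domain": "cdn.update-check.example"},
    {"host": "ws-02", "dst_ip": "203.0.113.44"},
    {"host": "srv-db", "file_sha256": PLACEHOLDER_SHA256.upper()},
    {"host": "ws-03", "dst_domain": "update-check.example.org"},   # different registrable domain: no hit
    {"host": "ws-01", "dst_ip": "198.51.100.9"},
]


def compile_iocs(feed):
    """Index the feed once so matching is a dict lookup or a network-membership test."""
    networks, domains, hashes = [], {}, {}
    for ioc in feed:
        if ioc["type"] == "ipv4":
            # A single address such as 203.0.113.7 becomes a /32 network, so one code path serves both.
            networks.append((ipaddress.ip_network(ioc["value"], strict=False), ioc))
        elif ioc["type"] == "domain":
            domains[ioc["value"].lower().rstrip(".")] = ioc
        elif ioc["type"] == "sha256":
            hashes[ioc["value"].lower()] = ioc
    return networks, domains, hashes


def match_event(event, compiled):
    """Return the IOC entries that this one event hits (possibly several)."""
    networks, domains, hashes = compiled
    hits = []
    if event.get("dst_ip"):
        addr = ipaddress.ip_address(event["dst_ip"])
        hits.extend(ioc for net, ioc in networks if addr in net)
    if event.get("dst_domain"):
        labels = event["dst_domain"].lower().rstrip(".").split(".")
        # Exact match or any parent domain (cdn.update-check.example hits update-check.example),
        # but never the bare TLD.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                hits.append(domains[candidate])
                break
    if event.get("file_sha256"):
        ioc = hashes.get(event["file_sha256"].lower())   # hashes compare case-insensitively
        if ioc:
            hits.append(ioc)
    return hits


def scope_iocs(events, feed):
    """Map each IOC value to the sorted list of hosts it was observed on."""
    compiled = compile_iocs(feed)
    affected = defaultdict(set)
    for event in events:
        for ioc in match_event(event, compiled):
            affected[ioc["value"]].add(event["host"])
    return {value: sorted(hosts) for value, hosts in affected.items()}


if __name__ == "__main__":
    for value, hosts in scope_iocs(SAMPLE_EVENTS, IOC_FEED).items():
        print(f"{value}: seen on {', '.join(hosts)}")
```

Normalising both sides before comparison (lower-casing hashes and domains, turning single addresses into /32 networks) is what keeps a feed-driven rule from silently missing hits when the feed and the logs use different casing or notation; the subdomain walk is the usual reason a domain IOC should not be matched with plain equality.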

Job Opportunities

There are some important issues you should pay attention to in the process of finding a job. First of all, your CV should be up-to-date, and it should include the certificates and training you have received. Another important issue is the interview or technical exam phase. Some companies may conduct an exam to measure your technical competence, even at a basic level. If you do not have prior experience in the Detection Engineer role, it will be beneficial to study beforehand to avoid problems in this phase. If you have experience writing rules in different SIEMs, this will not be a big problem for you: even though each has a query language of its own, they are very similar. You will also not have a big problem if you master the Sigma rule format, which is vendor-neutral and can be converted to all of them. You can apply for jobs and internships, especially in Europe and the USA, through the following platforms.
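To show what "Sigma covers all of them" means in practice, here is an added example that is not code from the original article: a constructed rule written in Sigma's detection layout (named selections plus a condition), a minimal evaluator that runs it over constructed Windows Security events, and a simplified translation of the same rule into a KQL `where` clause. The rule reuses the critical-user idea from the skills list above. The evaluator handles only conditions of the form `a and b and not c` and the `contains`/`startswith`/`endswith` modifiers, and the KQL translation is an illustration of the idea, not the output of the real Sigma tooling (sigma-cli/pySigma); the rule, events and table name `SecurityEvent` are assumptions.

```python
# Constructed rule following Sigma's detection layout (named selections plus a condition),
# written as a Python dict so this runs stand-alone without a YAML parser.
# In a real Sigma file the same keys live under `detection:` in YAML.
CRITICAL_ACCOUNT_LOGON_FAILURE = {
    "title": "Failed logon for critical account",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {"EventID": 4625, "LogonType": [3, 10]},
        "critical_user": {"TargetUserName|contains": ["admin", "ceo", "cfo"]},
        "filter_machine_accounts": {"TargetUserName|endswith": "$"},
        "condition": "selection and critical_user and not filter_machine_accounts",
    },
    "level": "high",
}

# Constructed Windows Security events (assumed already parsed into fields by the SIEM).
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 3, "TargetUserName": "CEO.Office", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "LogonType": 2, "TargetUserName": "admin", "IpAddress": "10.0.0.6"},      # logon type not in list
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "ADMINSVC$", "IpAddress": "10.0.0.7"}, # machine account, filtered
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "cfo", "IpAddress": "10.0.0.8"},        # successful logon, wrong ID
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.0.9"},     # not a critical account
]


def _match_value(actual, expected, modifier):
    """Sigma string matching is case-insensitive by default; ints compare by value."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if not modifier:
        return a == e
    return {"contains": e in a, "startswith": a.startswith(e), "endswith": a.endswith(e)}[modifier]


def _match_selection(event, selection):
    """All fields in a selection must match (AND); a list of values for one field is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifier) for v in values):
            return False
    return True


def _clauses(condition):
    """Split a condition of the form 'a and b and not c' (the only form handled here)."""
    for clause in condition.split(" and "):
        negate = clause.startswith("not ")
        yield (clause[4:] if negate else clause), negate


def evaluate_rule(rule, event):
    det = rule["detection"]
    for name, negate in _clauses(det["condition"]):
        if _match_selection(event, det[name]) == negate:
            return False
    return True


def run_rule(rule, events):
    """Return (level, event) for every event the rule fires on."""
    return [(rule["level"], e) for e in events if evaluate_rule(rule, e)]


def _kql_term(key, expected):
    """One selection field as a KQL expression. Simplified translation, not pySigma's backend."""
    field, _, modifier = key.partition("|")
    values = expected if isinstance(expected, list) else [expected]
    if not modifier and all(isinstance(v, int) for v in values):
        return f"{field} == {values[0]}" if len(values) == 1 else f"{field} in ({', '.join(map(str, values))})"
    # =~ is KQL's case-insensitive equality, matching Sigma's default; KQL's contains,
    # startswith and endswith are already case-insensitive.
    op = {"": "=~", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}[modifier]
    terms = [f'{field} {op} "{v}"' for v in values]
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def to_kql(rule, table="SecurityEvent"):
    det = rule["detection"]
    parts = []
    for name, negate in _clauses(det["condition"]):
        expr = " and ".join(_kql_term(k, v) for k, v in det[name].items())
        parts.append(f"not ({expr})" if negate else expr)
    return f"{table} | where " + " and ".join(parts)


if __name__ == "__main__":
    for level, event in run_rule(CRITICAL_ACCOUNT_LOGON_FAILURE, SAMPLE_EVENTS):
        print(level, event)
    print(to_kql(CRITICAL_ACCOUNT_LOGON_FAILURE))
```

Only the first sample event fires: the others fail on logon type, are excluded by the machine-account filter, have the wrong event ID, or do not involve a critical account. The point of the translation step is that the detection logic (which fields, which values, which exclusions) is written once; the SIEM-specific syntax and the case-sensitivity rules of each query language are a separate concern, which is why the post says knowing one platform's language transfers to the others.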

- Linkedin

- Indeed

- Glassdoor

The average salaries for a Detection Engineering role vary depending on geographical location and experience. For example, the average annual salary for a Detection Engineer in the United States is $111,805. These figures can be used as a general reference. However, it should be noted that salaries can vary depending on the industry, company, level of experience, and other factors. For detailed information, it is useful to check job postings and career pages of companies.

Courses and Certificates

Some companies or organizations also consider your past experience, certificates, and training before hiring you as a Detection Engineer. Having Certified Ethical Hacker (CEH), GIAC Certified Incident Handler (GCIH), Certified Information Systems Security Professional (CISSP), or GIAC Certified Detection Analyst (GCDA) certificates proves that you have a certain level of knowledge in cyber security. However, since the detection engineering position is a more specific role, training you receive directly for that role will put you one step ahead. The following is a link for training that may be useful if you want to become a Detection Engineer.

Conclusion

In conclusion, this article provides key steps and information as a guide to becoming a Detection Engineer. First, we explained the duties and responsibilities of a Detection Engineer, including their role and importance within companies. Furthermore, detailed information about the skills and abilities required for this role is shared. We discussed work experience and practical tips to help you start your career. We examined the training and certification processes to advance your career and offered suggestions on useful courses or certifications. Finally, we shared important information about the job application and interview process. This article aims to provide resources to help you succeed in becoming a Detection Engineer. We hope it will be useful to everyone who aspires to this career!

