How to Start a Career in Cyber Detection Engineering

Confused about how to actually *do* cybersecurity, not just get a cert? Learn about detection engineering, a high-impact and creative technical path.

Celery
April 20th, 2025
8 min read

Getting into cybersecurity isn't an obvious path, and there are dozens of ways to navigate it. Everyone offers advice and directions, but very little of it gets granular about the actual work you would be doing. Let's step back from everyone telling you to get into ethical hacking and look at a path that pays well, where skilled people are in short supply, and which is genuinely fun.

What Is Detection Engineering?

As we have mentioned in our other blog (see our "Blog & News" page), detection engineering is the practice of building the detections (searches, rules, and correlation logic) that raise alerts when malicious or suspicious activity is happening in your environment. Think of it as building the core that the rest of the security analysts work from. You might create an alert titled "MEDIUM: Password Spray Activity Detected Against Login Portal X", backed by a search that looks for one source failing logins against many distinct accounts in a short window, which is what a password spray looks like in the logs. An analyst receives the alert in their queue, records their triage findings, and acts on them.
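To make the alert above concrete, here is the detection logic behind it as an added example. This is not EpicDetect's code or any vendor's rule: the log format, the field names (portal, result, user, src), the thresholds, and the sample events are all constructed for illustration. It finds a source that fails logins for many distinct accounts inside a time window without hammering any single account, and raises the severity when the same source also gets a successful login in or shortly after that window.

```python
"""Password-spray detection over constructed authentication logs.

Added example for this article; not EpicDetect's code or any product's
detection content. Log format, field names, thresholds and sample events
are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 203.0.113.7 tries one password against many
# accounts (a spray) and then gets into frank's account. 198.51.100.23 is a
# single user mistyping their own password. 192.0.2.10 fails for two
# accounts, which is below the distinct-user threshold.
SAMPLE_LOGS = """\
2025-04-20T10:00:01Z portal=X result=failure user=alice src=203.0.113.7
2025-04-20T10:00:31Z portal=X result=failure user=bob src=203.0.113.7
2025-04-20T10:01:02Z portal=X result=failure user=carol src=203.0.113.7
2025-04-20T10:01:33Z portal=X result=failure user=dave src=203.0.113.7
2025-04-20T10:02:04Z portal=X result=failure user=erin src=203.0.113.7
2025-04-20T10:02:35Z portal=X result=success user=frank src=203.0.113.7
2025-04-20T10:00:10Z portal=X result=failure user=grace src=198.51.100.23
2025-04-20T10:00:40Z portal=X result=failure user=grace src=198.51.100.23
2025-04-20T10:01:10Z portal=X result=failure user=grace src=198.51.100.23
2025-04-20T10:01:40Z portal=X result=success user=grace src=198.51.100.23
2025-04-20T10:05:00Z portal=X result=failure user=heidi src=192.0.2.10
2025-04-20T10:05:30Z portal=X result=failure user=ivan src=192.0.2.10
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5,
                          max_per_user=2):
    """Return one alert per source that fails logins for at least `min_users`
    distinct accounts inside any `window`, while hitting no single account
    more than `max_per_user` times. Many accounts with few attempts each is
    what separates a spray from a brute force against one account (which
    deserves its own detection). A success from the same source during or
    shortly after the window raises the severity."""
    events = sorted((parse_line(l) for l in lines.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failure"]
        successes = [e for e in evs if e["result"] == "success"]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            in_window = failures[start:end + 1]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            w_start, w_end = in_window[0]["ts"], in_window[-1]["ts"]
            hits = sorted({e["user"] for e in successes
                           if w_start <= e["ts"] <= w_end + window})
            alerts.append({
                "severity": "HIGH" if hits else "MEDIUM",
                "title": "Password Spray Activity Detected Against Login Portal "
                         + in_window[0]["portal"],
                "src": src,
                "distinct_users": len(per_user),
                "window_start": w_start.isoformat(),
                "successful_users": hits,
            })
            break  # one alert per source; the analyst gets the context once
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOGS):
        print(f"{alert['severity']}: {alert['title']} "
              f"(src={alert['src']}, users={alert['distinct_users']}, "
              f"successes={alert['successful_users']})")
```

Two things worth noticing as you tune this. The distinct-user threshold and the per-user cap are what keep a forgetful user out of the alert; lowering min_users to 1 on the sample data produces three alerts, two of them noise. Real sprays are also often slow, with one attempt per account every few minutes or more to stay under lockout thresholds, so a production window is usually hours rather than ten minutes. In a SIEM the core of this is a distinct count of users per source over a time bucket, for example `stats dc(user) AS users BY src` after `bin _time span=1h` in SPL, with the success correlation layered on top.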

How Do You Get Into Detection Engineering?

Although it is a niche corner of cybersecurity, it is still one you can reach relatively early. It may not be your first job out of the gate, but it can absolutely be a role you land within your first couple of years in the field.

As with most paths, it typically starts with some formal or practical learning to land a specific entry-level role. Whether that's a certification like the CompTIA Security+ or an entire Bachelor's degree, these steps are usually needed. We have written on our blog before about having personal projects to land your first entry-level job; they matter even more later, when you pivot. Your first role should be something like an analyst position at a Managed Security Services Provider (MSSP), where you triage alerts from an Endpoint Detection and Response (EDR) product such as SentinelOne, CrowdStrike, or Microsoft Defender for Endpoint. Some of your work will be in a SIEM like Splunk, ELK, or QRadar, which is where you take your first steps digging through logs.

Working with log sources and running searches every day builds your knowledge base, even if you are just following a written playbook. Most mature organizations won't require a level 1 analyst to understand how a query works, only what a hit indicates, so that you can act on it for cases such as malware infections, phishing attempts, and more.

Getting Good and Creative At SPL

Once you have been in a SIEM for a while, you will have seen parts of some searches that could be improved. You can tinker, but you likely won't be allowed to push anything to production. Instead of standing up a homelab, you can use our platform EpicDetect to practice on more problems and build real searches in SPL (Splunk's Search Processing Language) that detect malicious and anomalous activity within an environment.

Getting these creative repetitions in will give you ideas you can showcase on your own blog or in a GitHub repository, and from there you can start pivoting and applying to detection engineering jobs. After working through some problems and pathways on EpicDetect, you will be able to discuss nuances with an interviewer that you simply wouldn't have picked up otherwise.

Next Steps

If you're still figuring out your path, keep reading. If you're determined, go ahead and sign up. We're completely free and we provide real training that will help you get started. You can start before you have your first certification; the earlier you begin, the more you'll impress your first manager. Once you're signed up, head over to the "Introduction to SPL" pathway, where you can get your hands dirty and see how the whole thing fits together without setting up a homelab.

Wrapping Up With A Few Statements

To sum it all up, there are a few things to take away from this, and none of them are complex. First, you usually need SOME sort of experience to become a detection engineer, typically as a level 1 cybersecurity analyst. Second, you don't need a specific certification to become a detection engineer, just proof that you can do the work, such as a portfolio or examples. Third, we at EpicDetect will help you start this journey!

Tags:

Detection Engineering, Cybersecurity Careers, Blue Team, SIEM, SPL

Celery

Founder

Celery is a Red Teamer, Detection Engineer, and Cybersecurity Researcher. He is one of the founders of EpicDetect.