Bruno Blumenthal

Most Security Operation Center work with use-cases to manage their detection and response capabilities. When it comes to the use-case development many organizations turn to the MITRE ATT&CK Framework as a starting point. Even though ATT&CK is not a use-case framework, as it was originally developed as a taxonomy tool for threat intelligence. But it has a valuable information we can use to identify and prioritize potential detection use-cases. Identifying the use-cases is an important first step. But how are we ensure the use-cases are implemented in a timely fashion. We then need to prioritize and ensure that we adapt our prioritization to changes in the threat landscape and the business environment. This is where methods and principles of the agile software development can help us. In this talk I will show you how to combine a data-based method to prioritize ATT&CK techniques with ideas from the agile software development for their implementation. With this approach you can ensure an efficient use of your resources and focus on the right use-cases at the right time. The agile methods will allow you to constantly grow and evolve your detection capabilities.