Threat Detection Best Practices
Master detection engineering principles, model lifecycle management, performance metrics, and detection-as-code methodologies for scalable AI-powered security.
Detection Engineering Principles
Detection-as-Code
Version control detection logic (rules and ML models) alongside application code. Use CI/CD pipelines for testing and deployment.
Test-Driven Detection
Write unit tests for detections using attack simulation tools like Atomic Red Team. Every detection should have a corresponding test.
Coverage-Driven Development
Prioritize new detections based on ATT&CK coverage gaps and threat intelligence about relevant adversary groups.
Continuous Validation
Regularly test detections against simulated attacks to ensure they still fire. Alert on detection degradation.
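The four principles above fit together as one workflow: a detection is code, it ships with its own positive and negative test cases, and a CI gate refuses to deploy any rule that lacks a test or fails one. The following added example (not code from the original page) shows a minimal version of that harness in Python. The event schema, the rule `encoded_powershell`, the detection IDs and the sample events are all constructed for illustration; they are not Atomic Red Team output or any vendor's rule format.

```python
"""Detection-as-code: rules, their unit tests, a CI gate and a degradation check.

Added example; not from the original page. Event schema, rule logic, IDs and
sample events are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

Event = dict  # constructed schema: {"process": str, "cmdline": str}


@dataclass
class Detection:
    id: str
    attack_technique: str                 # ATT&CK technique the rule covers
    logic: Callable[[Event], bool]        # the detection itself, versioned with the app
    positives: list = field(default_factory=list)  # events that MUST fire
    negatives: list = field(default_factory=list)  # benign events that must NOT fire


def encoded_powershell(ev: Event) -> bool:
    """Constructed rule: PowerShell started with an encoded command (T1059.001)."""
    cmd = f" {ev.get('cmdline', '').lower()} "
    return ev.get("process", "").lower() == "powershell.exe" and (
        " -enc " in cmd or " -encodedcommand " in cmd
    )


def scheduled_task(ev: Event) -> bool:
    """Constructed rule with no positive test yet; the harness must flag it."""
    return "schtasks" in ev.get("cmdline", "").lower()


# Constructed test corpus. In a real pipeline the positives would be telemetry
# recorded from an attack-simulation run and the negatives from known-good baselines.
DETECTIONS = [
    Detection(
        id="DET-0001", attack_technique="T1059.001", logic=encoded_powershell,
        positives=[
            {"process": "powershell.exe", "cmdline": "powershell.exe -NoP -enc QQBCAEMA"},
            {"process": "PowerShell.exe", "cmdline": "powershell.exe -EncodedCommand QQ=="},
        ],
        negatives=[
            {"process": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
            {"process": "cmd.exe", "cmdline": "cmd.exe /c dir"},
        ],
    ),
    Detection(
        id="DET-0002", attack_technique="T1053.005", logic=scheduled_task,
        positives=[],                      # missing test: CI should refuse to deploy this
        negatives=[{"process": "cmd.exe", "cmdline": "cmd.exe /c whoami"}],
    ),
]


def run_detection_tests(detections) -> dict:
    """Return {detection_id: [failure messages]}; an empty list means the rule passed."""
    results = {}
    for d in detections:
        failures = []
        if not d.positives:
            failures.append("no positive test case")
        for ev in d.positives:
            if not d.logic(ev):
                failures.append(f"missed positive: {ev['cmdline']}")
        for ev in d.negatives:
            if d.logic(ev):
                failures.append(f"false positive: {ev['cmdline']}")
        results[d.id] = failures
    return results


def ci_gate(results: dict) -> bool:
    """Deployment is allowed only when every detection passed every test."""
    return all(not failures for failures in results.values())


def degraded(baseline: dict, current: dict) -> list:
    """Continuous validation: detections that passed in the baseline run but fail now."""
    return sorted(d for d, ok in baseline.items() if ok and not current.get(d, False))


def status(results: dict) -> dict:
    """Collapse test results to {detection_id: passed} for the degradation check."""
    return {d: not failures for d, failures in results.items()}


if __name__ == "__main__":
    res = run_detection_tests(DETECTIONS)
    for det, failures in res.items():
        print(det, "PASS" if not failures else failures)
    print("deploy allowed:", ci_gate(res))
```

Run the module in CI on every change to a rule; store `status(results)` from the last green run and compare it with the scheduled re-run's status via `degraded`, so a rule that silently stops firing after a log-format or model change raises an alert instead of going unnoticed.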
Key Metrics
| Metric | Target | Why It Matters |
|---|---|---|
| True Positive Rate | > 90% for known TTPs | Measures detection effectiveness |
| False Positive Rate | < 5% | Determines analyst workload burden |
| Detection Latency | < 5 minutes | Time from event to alert generation |
| ATT&CK Coverage | > 80% of priority techniques | Breadth of detection capability |
| Model Freshness | Retrained within 30 days | Ensures models reflect current environment |
Scaling Detection Programs
Model Registry
Maintain a central registry of all detection models with metadata, performance history, data dependencies, and ownership information.
Feature Store
Build a shared feature store for security features so detection models can reuse common enrichments and behavioral signals.
A/B Testing
Run new detection models in parallel with existing ones to compare performance before promoting to production.
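The Key Metrics table above and the A/B Testing point here are two halves of the same procedure: measure both models on the same labelled events, check each against the targets, and promote the challenger only when it meets the targets and is no worse than the current production model. The following added example (not code from the page) computes true positive rate, false positive rate, p95 detection latency and model age for a champion and a challenger and applies that promotion gate. The event records, alert times, model names, training dates and the nearest-rank percentile choice are all constructed assumptions; the ATT&CK coverage metric is omitted because it needs a technique inventory the page does not provide.

```python
"""Detection metrics and champion/challenger (A/B) evaluation on one labelled set.

Added example; not from the original page. Event records, alert times,
model names and training dates are constructed for illustration.
"""
import math
from datetime import datetime, timedelta

# Targets taken from the Key Metrics table above.
TARGETS = {"tpr_min": 0.90, "fpr_max": 0.05, "latency_max_s": 300, "freshness_max_days": 30}

T0 = datetime(2024, 1, 15, 9, 0, 0)   # evaluation time (constructed)


def rec(label, champ_s, chal_s, i):
    """Constructed labelled record: label 1 = malicious (from a simulation run),
    0 = benign; per-model alert timestamp or None when the model stayed silent."""
    et = T0 + timedelta(minutes=i)
    return {"label": label, "event_time": et,
            "champion": None if champ_s is None else et + timedelta(seconds=champ_s),
            "challenger": None if chal_s is None else et + timedelta(seconds=chal_s)}


# 10 malicious events (champion misses two) and 20 benign events (champion
# raises one false positive). Both models see exactly the same traffic.
EVENTS = ([rec(1, 60, 90, i) for i in range(8)]
          + [rec(1, None, 150, 8), rec(1, None, 150, 9)]
          + [rec(0, None, None, i) for i in range(10, 29)]
          + [rec(0, 30, None, 29)])

# Last training date per model (constructed); feeds the freshness metric.
MODELS = {"champion": datetime(2023, 12, 1), "challenger": datetime(2024, 1, 10)}


def confusion(events, model):
    tp = sum(1 for e in events if e["label"] == 1 and e[model] is not None)
    fn = sum(1 for e in events if e["label"] == 1 and e[model] is None)
    fp = sum(1 for e in events if e["label"] == 0 and e[model] is not None)
    tn = sum(1 for e in events if e["label"] == 0 and e[model] is None)
    return tp, fn, fp, tn


def percentile(values, pct):
    """Nearest-rank percentile; None when the model produced no alerts at all."""
    if not values:
        return None
    s = sorted(values)
    return s[max(math.ceil(pct / 100 * len(s)) - 1, 0)]


def evaluate(events, model, trained_at, now):
    """Score one model against the table's targets; 'failed' lists the misses."""
    tp, fn, fp, tn = confusion(events, model)
    latencies = [(e[model] - e["event_time"]).total_seconds()
                 for e in events if e[model] is not None]
    m = {
        "tpr": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "latency_p95_s": percentile(latencies, 95),
        "age_days": (now - trained_at).days,
    }
    checks = {
        "tpr": m["tpr"] > TARGETS["tpr_min"],
        "fpr": m["fpr"] < TARGETS["fpr_max"],
        "latency": m["latency_p95_s"] is not None
                   and m["latency_p95_s"] < TARGETS["latency_max_s"],
        "freshness": m["age_days"] <= TARGETS["freshness_max_days"],
    }
    m["failed"] = [name for name, ok in checks.items() if not ok]
    return m


def should_promote(champion, challenger):
    """Promote only if the challenger meets every target and is no worse on TPR/FPR."""
    return (not challenger["failed"]
            and challenger["tpr"] >= champion["tpr"]
            and challenger["fpr"] <= champion["fpr"])


def run_ab(now=T0):
    return {name: evaluate(EVENTS, name, trained, now) for name, trained in MODELS.items()}


if __name__ == "__main__":
    r = run_ab()
    for name, m in r.items():
        print(name, m)
    print("promote challenger:", should_promote(r["champion"], r["challenger"]))
```

Two details matter in practice: the comparison is only fair when both models score the identical event stream (hence one `EVENTS` list with a column per model), and latency is measured from event time to alert time rather than from ingestion, so pipeline delay counts against the detection just as the table defines it.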
Knowledge Sharing
Document detection logic, false positive patterns, and tuning decisions so the team can learn from each other's work.
Lilly Tech Systems