Sherlock in the SOC—SecurityWeek

A new article by Stan Engelbrecht, Director of D3’s Cyber Security Practice, is currently featured on SecurityWeek. The character Sherlock Holmes once said, “There is a strong family resemblance about misdeeds, and if you have all the details of a thousand at your finger ends, it is odd if you can’t unravel the thousand and first.” Holmes wasn’t talking about cyberattacks of course, but this quote actually makes a great case for the behavior-based model of cybersecurity. In his new article, Stan describes why behavior-based security is an important complement to the conventional signature-based model, how security teams can implement it, and what Sherlock Holmes can teach us about security operations.


In this excerpt, Stan compares cyber crimes to crimes in the physical world to illustrate how security teams limit themselves by not incorporating behavioral data into their analysis.

Imagine that a detective comes across a broken window, sees someone running in the opposite direction, and upon looking in the window, hears a person inside shout that their phone and wallet are missing. It should be obvious to the detective that a robbery has taken place.

While this is a very simplistic example, it’s only obvious that a crime has occurred because of the detective’s knowledge of the steps that a robbery is likely to follow (a real-world kill chain). If the detective saw each piece of the crime separately, and was unable to make correlations, there would be many plausible explanations for the scene that wouldn’t suggest a robbery. The window could have been broken accidentally by kids kicking a soccer ball; the person running might just be out for a jog; and people misplace their phones and wallets all the time. Nothing suspicious going on here!

As absurd as it may sound, this is where many security teams are stuck: treating every security event separately, with minimal ability to view the context of the attack or the connections between related events. To paraphrase Holmes himself, they see, but they do not observe.


This article can be found in its entirety on SecurityWeek.

To learn more about how D3 has enabled the behavior-based model in its SOAR platform by embedding the entire MITRE ATT&CK matrix, read our whitepaper.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.