Your Intrusion Detection Still Sucks (And What to Do About It)
Jason Craig
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Detection and response teams are drowning in low-fidelity alerts, letting attackers dwell for ten to fifteen days on average before detection. Jason Craig, Director of Detection and Response at Remitly, argues that the fix is not more alerts — it is context, decoration, cross-correlation, and enrichment applied to raw events before anything reaches an on-call engineer. The result: fewer meaningless pages, faster triage, and detections that hold up even when adversaries try to hide.
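Added example, not material from the talk: a small Python pass in the spirit of the abstract, which decorates raw VPN-login and admin-elevation events with identity context, cross-correlates them per user, and pages only on the high-fidelity combination. The directory entries, event shapes, 30-minute window and severity grades are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity context; a real pipeline would pull this from the IdP/HR system.
DIRECTORY = {
    "alice": {"home_country": "US", "admin_expected": False},
    "bob": {"home_country": "DE", "admin_expected": True},
}

# Constructed raw events in the shape a SIEM might hand over, deliberately out of order.
RAW_EVENTS = [
    {"ts": "2025-04-01T22:14:00", "type": "admin_elevation", "user": "alice"},
    {"ts": "2025-04-01T09:00:00", "type": "vpn_login", "user": "bob", "country": "DE"},
    {"ts": "2025-04-01T09:05:00", "type": "admin_elevation", "user": "bob"},
    {"ts": "2025-04-01T22:10:00", "type": "vpn_login", "user": "alice", "country": "RO"},
]


def enrich(event, directory):
    """Decorate one raw event with identity context so triage needs no manual lookups."""
    who = directory.get(event["user"], {})
    out = {**event, **who, "ts": datetime.fromisoformat(event["ts"])}
    if event["type"] == "vpn_login":
        out["geo_anomaly"] = event["country"] != who.get("home_country")
    return out


def correlate(events, directory, window=timedelta(minutes=30)):
    """Join each admin elevation to the user's preceding VPN login and grade the pair.

    Returns findings in time order; only those with page=True reach the on-call engineer.
    """
    enriched = sorted((enrich(e, directory) for e in events), key=lambda e: e["ts"])
    last_vpn, findings = {}, []
    for e in enriched:
        if e["type"] == "vpn_login":
            last_vpn[e["user"]] = e
            if e["geo_anomaly"]:  # odd geography alone earns a ticket, not a page
                findings.append({"user": e["user"], "severity": "low", "page": False,
                                 "why": f"VPN login from {e['country']}, home {e.get('home_country', 'unknown')}"})
        elif e["type"] == "admin_elevation":
            vpn = last_vpn.get(e["user"])
            fresh_anomaly = vpn is not None and vpn["geo_anomaly"] and e["ts"] - vpn["ts"] <= window
            if fresh_anomaly and not e.get("admin_expected", False):
                minutes = int((e["ts"] - vpn["ts"]).total_seconds() // 60)
                findings.append({"user": e["user"], "severity": "high", "page": True,
                                 "why": f"unexpected admin elevation {minutes} min after VPN login from {vpn['country']}"})
            elif not e.get("admin_expected", False):  # unexpected admin, but nothing else odd
                findings.append({"user": e["user"], "severity": "medium", "page": False,
                                 "why": "admin elevation by a user not expected to hold admin"})
    return findings


def pages(findings):
    """The subset of findings that actually wakes someone up."""
    return [f for f in findings if f["page"]]
```

Bob's expected elevation after a home-country login produces nothing at all; Alice's anomalous login alone is a low-severity ticket, and it becomes the single page only once the unexpected elevation follows within the window.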
AI review
Craig's enrichment-first detection framework is the right medicine for an industry drowning in low-fidelity alerts. The three worked examples — VPN login, admin elevation, GuardDuty ARN pivoting — are concrete enough to steal immediately. The prerequisites section alone is worth the runtime.