Signals Engineering Team (SET)
Engaging Signals Engineering
Teams can engage Signals Engineering by heading over to the #signals-engineering Slack channel. SIRT can also engage Signals Engineering for detection and alert tuning needs by selecting the “report a bug” feature in GUARD.
Our Vision
Improve the effectiveness and overall coverage of GitLab’s detection engineering program internally and for customers, identifying opportunities to reduce the mean time to detection creation for incidents, and partnering with the product team to drive security observability improvements in the GitLab product, corporate, cloud and identity infrastructure.
Our Mission Statement
Improve Detection Engineering
- Improving coverage & effectiveness of detections
Reducing Time to Detection Creation
- Improving depth and quality of incident detections
- Reducing how long it takes to create quality detections
Improving Security Observability
- Partnering with product to improve GitLab security signals
- Improving security signals in corporate, cloud, identity infrastructure
Providing Customer Value
- Improving customer facing detection capabilities and offerings
- Identifying and partnering with stakeholders to implement customer observability needs
The Team & Priorities
Team Members
Team Member | Role |
---|---|
Matt Coons | Security Manager |
Harjeet Sharma | Staff Security Engineer, Signals Engineering |
Evan Baltman | Security Engineer, Signals Engineering |
Our Stakeholders
While Signals Engineering has dedicated engineers focused on advancing projects and handling operational duties, there are a number of stakeholders, both within the Security Division and beyond, that Signals Engineering collaborates with to drive results.
Stakeholder | Shared Responsibilities/Dependencies |
---|---|
SIRT | Detection tuning, new detections, GUARD DaC framework |
T&S | Omamori integration |
Security Logging | Security logging capabilities & collaboration |
Threat Intel | Threat driven detections, Top threat actor detections |
GitLab Customers | Consumer of customer facing detections |
Product team | Collaboration to improve security signal capabilities |
CorpSec | Collaboration to collect signals from purchased tooling |
Security Identity Team | Collaboration to collect signals from purchased tooling |
Red Team | Collaboration to collect signals from purchased tooling |
Product Security | Collaboration to collect signals from purchased tooling |
Current Priorities
In the first 6 months (FY25Q4 - FY26Q1), we are focusing on low-hanging fruit and establishing the Signals Engineering program.
Some highlights include:
- Reducing alert false positives & improving FP alerting/handling workflow
- Initial metrics creation & label standardization
- Improving customer facing detection creation & sharing process
- Writing new detections to close identified detection gaps
As the program matures, we will expand our focus to improve our automation and maturity, as well as to bolster our customer detection capabilities.
What we’ve Built & Services we Offer
GUARD
GUARD (GitLab Universal Automated Response and Detection) is the Security Team’s Detections as Code (DaC) pipeline and alerting automation framework. GUARD hands an alert off to the SIRT incident handling process; its involvement stops when the alert is converted into a SIRT incident.
GUARD operates under a shared responsibility model between Signals Engineering and SIRT: both teams build threat detections, and both can commit new detections and maintain existing ones in GUARD.
Threat Detection Tuning
When SIRT identifies a threat detection that needs to be tuned, tuning requests are submitted to the Signals Engineering team for improvements.
Threat Detection Creation
The Signals Engineering team tracks detection coverage and builds new threat detections based on several needs:
- Gaps in detection capabilities as identified by SIRT or Signals Engineering
- Collaboration with T&S to improve the ability to identify potential abuse on the GitLab platform
- New detections for new log sources that can be queried in GitLab’s SIEM
- New attacker TTPs
- Collaboration with the Red Team as part of purple team or stealth engagements
Signals & Detection Research
Signals engineers conduct deep-dive research into potential observability gaps and signals enhancement opportunities identified in the GitLab product and in the third-party tools GitLab uses. Such research assignments have a target deliverable of new detections as well as improved observability capabilities.
How We Measure Success
We measure the success of Signals Engineering by collecting and reporting on key performance indicators derived from merge requests (MRs), issues, and alerting data.
Initial metrics we report on are listed below:
Alerting & Tuning
- True positive / false positive (TP/FP) ratio and its trend
- Alert bug report volume
Incidents
- Number of S1 incidents with signal gaps
Value for Customers
- Number of public detections
Detection coverage
- MITRE coverage
- Coverage by log sources
- Mean time to detection creation (MTTDC)
- Coverage by threat actor
Metric Labels
SET::Detection-New
SET::Detection-Maintenance
SET::Research
SET::Signals-Improvement
SET::Cross-Functional
SET::Signal-Gap