Security Boulevard (Original)

How to Make Your Threat-Hunting Program More Effective

What is the state of threat hunting today? Security teams know the benefits it brings to keeping their organization protected, especially when threats are increasing and the actors behind those attacks are changing their tactics by the minute. Ransomware attacks increased 13% over the past year. Password attacks increased 74%. And the global average cost of a cyberattack is $4.35 million.

However, in a recent “Voice of a Threat Hunter” report from Team Cymru, only 41% of security practitioners considered their threat-hunting program very effective. This leaves the majority of security teams running a threat-hunting program they deem either somewhat effective or not effective at all. What’s causing them to not be able to effectively protect their organization?

We know that security teams are passionate about what they do and put in an enormous effort to protect their organization against attacks. However, without the necessary resources — tools and technology, training, the right data, standardized processes and more — their efforts won’t be as impactful as they could be, leaving lurking threats undetected. Here are three ways that you can improve your threat-hunting program.

How to Make Your Threat-Hunting Program More Effective

Security teams want to do all they can to protect their organization, and one of the most proactive ways to do so is by having a robust threat-hunting program that can help you find and fix vulnerabilities, detect malicious activity and have a proactive security posture. However, implementing an effective threat-hunting program takes a few key components. The three approaches below are what respondents in our report said make their threat-hunting program most effective.

1. Using Trained and Experienced People

The number-one thing that makes a threat-hunting program most effective is having trained and experienced people leading the way. They know what to look for, what data and intelligence they need and how to anticipate attack behaviors.

However, not every security team has the advantage of every member being an experienced threat hunter, which is why it’s key for security teams who want to keep up with quickly changing threats and trends to prioritize skills development. This can include regular training and workshops, attending industry conferences and participating in research initiatives.

This is especially crucial given today's shortage of security professionals to fill necessary roles: there are only 68 cybersecurity professionals per 100 job openings. Upskilling the team members you have means increasing their value while gaining the skills necessary to improve your cybersecurity initiatives. And offering continuous learning development is a great draw to the talent in the pipeline.

Today, more security teams who realize that they don’t have the skills necessary to run an effective threat-hunting program are outsourcing to third-party providers who do. This can help organizations access the required expertise, data, knowledge and support to identify, analyze and mitigate cyberthreats more effectively.

2. Having the Right Tools

Another key element of an effective threat-hunting program is having the right tools and technology in place. This includes tools for endpoint detection and response, and tools that help track security events and initiatives, like SIEMs and SOARs.

As you evaluate which tools can help strengthen your threat-hunting program, look at what types of data you need to capture that you’re not capturing now, or even the volume of data required for your program. Next, look at the sources from which this data needs to be collected. Are there any gaps in the sources? Do you need new sources?

Next, consider what tools you want to invest in to make your threat-hunting program more effective. Choose a tool with the functionality that meets your needs and requirements; the ability to scale with the volume of data and number of users; and speed, accuracy and ease of use. As you evaluate vendors, be sure to test new tools against use cases relevant to your organization and confirm that each integrates seamlessly into your current systems. Finally, as with any new tool or initiative, evaluate its efficacy on an ongoing basis, and update as needed.

3. Established Formalized Processes and Procedures

Finally, having an effective threat-hunting program means having formalized processes and procedures for guiding how to conduct threat hunts — from how and what data is collected, to how to carry out counter-response. Without a formalized approach to threat hunting, you may have different analysts looking for different things, not have a baseline of activity, or lack standards for data collection, leaving your approach scatter-shot at best.

Formalizing your processes and procedures starts by defining the objectives and goals of your threat-hunting program, including what types of attacks your organization is likely to experience. Determine the data you’ll collect, where it’s coming from, and what to look for. If a threat is identified, create a standardized response or playbook for the triggers that you see so that each analyst is responding in a similar way.

Part of your policies and procedures should define what success looks like, along with metrics that you can track to benchmark and improve your efforts. This can include tracking the number of threats detected, time to detection, time to response, and the impact of threat-hunting activities on the overall security posture of the organization.

As you create your policies and procedures, establish the roles and responsibilities for those in your SOC. Identify any skill gaps so that your team members can get the training they need to keep up with evolving trends and tactics.

Optimizing Your Threat Hunting in 2023

What is the state of threat hunting in your organization? Even if you think you have a very effective program, security teams can always benefit from doing more to shore up their process, procedures, training and more. Build on these elements to create a foundation for threat hunting that will protect you today and into the future.

David Monnier

With over 20 years of experience in a wide range of technologies, David brings a wealth of knowledge and understanding to threat analysis, system hardening, network defense, incident response, and policy. He is widely recognized among veteran industry practitioners as a thought leader and resource. As such, David has presented around the globe to trust groups and at events for network operators and security analysts.
