All too often the security industry gets caught up in marketing buzzwords, causing a lopsided focus on one part of a much larger conversation.
One example of this has been the emphasis on threat hunting, the proactive searching of threat indicators within an environment. Security analysts acquire the latest indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) and search for them within their environment. If found, odds are high that an attack either is underway – or has already occurred - and so more investigation would be needed for context and to gain a better understanding of the full scope and scale of the infiltration.
I agree that even though threat hunting seems like an overused marketing phrase, it is a critical part of a threat detection strategy. Yet, it just can’t be the only one. Many organizations rely too heavily on threat hunting as they don’t want to or can’t invest in the required infrastructure, resources, and expertise to continually analyze all activity for possible threats.
This leads to an incomplete and irregular picture of the risks they face. In fact, that singular reliance on threat hunting alone means that many types of attacks will get missed if you’re not specifically looking for them. The upshot: old attacks and new ones slip through.
You need to make sure that threat hunting is one piece of the protection profile. The old concept of depth in defense still applies, threat hunting is only one layer, you need other layers to ensure you are finding the needle in the needlestack.
I explained in an earlier blog that the larger the delta between the time an incident gets detected and the time to call for assistance, the greater your lost opportunity. According to Ponemon’s 2018 “Cost of a Data Breach” report, the average time to identify and contain a threat was 197 days and 69 days, respectively. Tellingly, it also found that companies which contained breaches in less than 30 days saved over $1 million versus those that took longer to resolve the attack. Time really is of the essence and before you can respond to a threat you must first detect it.
Even though threat hunting seems like an overused marketing phrase, it is a critical part of a threat detection strategy. Yet, it just can’t be the only one.
Threat hunting focuses on the specific Indicators of Compromise (IoCs) and tools techniques procedures (TTPs) that the analyst is searching for at a specific point in time. But what about all the other indicators that are being missed or ignored?
The analyst wouldn’t find them if they aren’t specifically searching for them, however continuous advanced threat monitoring using big data analytics to correlate all security logs and alerts with global threat intelligence and large security data lakes will greatly improve the ability to detect advanced and stealth attacks. These are missed as a result of not knowing what to search for and not having the intelligence or the training to find them. It’s like saying, let’s find a criminal but we have no idea what crime they are committing or how they are trying to commit it. You need that information to start hunting for them, and even then, you need the experience on how to conduct a search given the information and intelligence you now possess.
To be clear, the human side of the investigation is critical. There is no better computer for detecting, recognizing and responding to threats than the human mind. Giving that human the advantage of having a correlated set of events presented for them to apply their knowledge is a truly powerful combination.
There is only one company today that has the ability to integrate its own products and services into a cohesive solution that makes good on the concepts above, Symantec.
Symantec Managed Endpoint Detection and Response (MEDR) provides the managed threat hunting and continuous monitoring that incorporates the IoCs and TTPs into our SOC Technology Platform where they are correlated with our Global Intelligence Network and Security Intelligence Data Lake using our big data analytics to find the sharpest needle in the needle stack (enough buzzwords in that sentence for ya?)
Combined with our ability to ingest all your network traffic from Security Devices, AD, Cloud, Network, IoT and other devices, we have the most comprehensive view into your environment in the industry. We find what others can’t and then perform a triage investigation by remotely connecting to your environment to pull forensic information from endpoints. In that way, we will be able to confirm the findings and take remediation actions on your behalf to limit or prevent impact from the attack.