Recently we announced our 2018 State of Threat Detection survey results and we picked up on some interesting trends around the subject of threat hunting. But what exactly is threat hunting? Who’s doing it? And how can you do it too? Find out the answers below:
Threat hunting is a buzzword du jour, but it’s often misused and misunderstood. While organizations vary in their definitions of threat hunting, ultimately it is a proactive way to find advanced threats that have been designed to evade traditional preventive defenses as well as automated detection capabilities. Consider it the last line of defense before data exfiltration occurs. From PII to intellectual property, cyber criminals want what you have and, be assured, are looking for a way to get it. Threat hunting is different from monitoring in that it is driven by a human analyst, even though it relies heavily on automation and machine assistance. The analyst’s true goal is to decide on an initial threat or indicator to hunt for and to work out how that type of malicious activity would show up within the environment.
For our recent State of Threat Detection report we interviewed over 580 security professionals from around the globe and found that 63% of all respondents said they do not threat hunt or do not know if they do. We know the adoption rate of threat hunting has been increasing in the last few years – but it’s still nowhere near where it should be. It’s also surprising that the adoption rate among very large organizations is not higher as just over half (51%) of organizations with 5000+ employees state that they threat hunt.
The reasons why organizations are unable to adopt this proactive measure are unsurprising – nearly half of the professionals who participated in the study noted they didn’t have the time to threat hunt, and a third cited lack of skills as a barrier. But almost all of them – 88% – believe threat hunting is a necessity. This means that despite recognizing that threat hunting is critical for a robust security posture, security operations teams are struggling under the weight of a resource drought – both in terms of skill and capacity. And these organizations don’t appear to see a light at the end of the tunnel, as 53% of organizations said they don’t see themselves starting to hunt within the next year.
To overcome these limitations, organizations should consider solutions and services that can elevate existing teams with the provision of the right data and automated workflows to speed up the detection and response process and facilitate threat hunting capabilities.
The skills shortage is taking its toll on proactive detection, especially where threat hunting is concerned. Threat hunting requires experienced analysts with a very specific set of skills. It’s difficult to find threat hunters, let alone afford them. Generally, having an analyst with these skills is a luxury only three-letter agencies or the Fortune 500 can afford, but this doesn’t mean threat hunting isn’t achievable for everyone else. It absolutely is if you outsource detection and response to an MDR provider. Whether you have an existing SOC and want to augment it to facilitate threat hunting, or would prefer to outsource this function entirely, tapping into the talent of technology providers who can fine-tune and use high-level technology in their sleep (not literally, but they are monitoring 24 hours a day) is a great way to go.
Threat hunting takes time. That’s a fact. With some technology solutions, running a single search can take hours, if not days – and we won’t even mention the open source tech, that’s a whole other story. You can make threat hunting more viable for your team if you have solutions in place that speed up the workflow. Here’s what to look for in a technology to assist this:
To sum up – in order to better protect organizations from the good, the bad and the ugly, they need to be considering proactive threat detection tactics such as threat hunting. Lack of resources and skills are valid barriers, but they can also be overcome – and MDR is an excellent place to start.
Read the full State of Threat Detection report here:
View our on-demand webinar here: