INTELLIGENT BRANDS // Enterprise Security
“Adopting new tools without changing the processes for hunting and incident response is rarely successful, as success requires an upfront investment in architecture and optimised processes.”
development before eventually finding an appropriate balance between process and ad hoc in the most mature hunters. Immature organisations tend to aggressively give their hunters sophisticated tools and data, with limited success. As they mature, hunters refine their processes and hunting techniques, adding automation and analytics to help manage the vast amounts of security data. By Level 4, hunters have significantly increased their effectiveness as they selectively use tools and data appropriate to their environment and likely attack vectors.
As a case in point, our survey revealed that at Level 1, only 40% of processes are automated, compared with more than 70% by Level 4. This embrace of automation, combined with effective and skilled identification of patterns of anomalous behaviour, results in a synergy between hunting and incident response that delivers faster triage, shorter case closure times, and a much higher percentage of root-cause determination. Our survey showed that more than 70% of mature SOCs closed cases in less than 7 days, compared to 25 days for the least mature ones, and determined root cause 70% of the time, compared to just 43% for the least mature ones.
Conclusion

Threat hunters are using a wide range of tools and techniques to find, contain, and remediate cyberattacks. As they mature in the role, their effectiveness increases as they are augmented by human-machine teaming, combining human judgment and intuition with machine speed and pattern recognition. Threat hunting is here to stay, and is no longer an esoteric practice limited to a few of the edgier practitioners. Over the next few years, expect to see threat hunting as part of most organisations’ analytics-driven security operations, backed by extensive automation and machine analytics.
One of the key characteristics of mature hunters is the way they leverage automation to improve manual steps in the process, customise scripts for their environment, and quickly test new ideas. In mature environments, leading hunters make use of a wide variety of tools and data sources, continuously updating and improving them and generating a positive OODA loop.

For less mature organisations, copying the tools and techniques of the leading hunters is not sufficient. Adding new tools without changing the OODA cycle is unlikely to produce positive results. Sandboxing, automation, and analytics can empower these less-experienced hunters, but organisations that have not invested in architecture and defined processes that support that automation will experience diminished results.
Raj Samani, Head of Strategic Intelligence, McAfee LLC