INTELLIGENT BRANDS // Enterprise Security

ThreatQuotient-sponsored SANS study shows role of threat hunter often unclear

Markus Auer, Regional Sales Manager CE at ThreatQuotient

ThreatQuotient, a pioneer in the security operations platform market, has announced the results of the SANS Threat Hunting 2019 study. The study, conducted by SANS, is based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.

The most important result is the worldwide confusion about the role and tasks of a threat hunter.

Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.

“However, the reality within corporate IT is often different,” said Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred and threat hunters are used for reactive processes contrary to their actual role.”

The SANS study data confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter.

“Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defences and never trigger an alert,” said Auer.

The fact that threat hunting is still in its infancy is evident based on suboptimal prioritisation of resources.

“Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” said Mathias Fuchs, Certified Instructor at SANS and Co-author of the study. “When threat hunting is carried out, it is more of an ad hoc approach than a planned programme with budget and resources.”

In fact, 71% of participating companies consider technology to be first or second in terms of resource allocation for threat hunting. Only 47% of respondents focus on hiring new personnel and 41% on training employees.

Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting. These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organisations.