2017-03-23

Great investigators all have their trusted tools. Magnum had his Ferrari. Jessica Fletcher had her typewriter. Kojak had his lollipop. When it comes to security investigations, however, the tool threat hunters trust most is the truth.

An organization’s network doesn’t lie, but it handles billions of bytes of data every day. Capturing that vast body of evidence isn’t easy, and storing and maintaining it can be expensive. As a result, most organizations have to choose between spending more or retaining less.

So they cut back on how much network data they keep and how long it’s held, or they keep only netflows. Even worse, some rely on log files alone for forensic investigations. These choices are of limited benefit to threat hunters because they provide only partial context for sophisticated threats that can develop over weeks, months and even years.

Without strong evidence, forensics is pointless

According to recent research, at least 44% of advanced threats go undetected by automated security tools. Rather than relying solely on detection — waiting for an attack (or until you realize you’ve been attacked) to do something about it — threat hunting is a proactive way to keep your organization safe.

Threat hunters spend their time following anomalous behavior when (or where) it occurs to confirm whether it was an actual, active attack. Without knowing all about the events that took place long before they notice something suspicious, their investigations might lead them to a dead end. They need access to as much information as possible (read: all of your network data), and to technology that helps them run complex queries on that data quickly.

Nobody likes an itchy trigger finger

Network security isn’t a job for the easily fatigued. It involves a near constant barrage of flashing red lights and noisy alarms. For example, traditional Intrusion Detection Systems (IDS) can pump out thousands of alerts daily. If an IDS rule is written too loosely, anything suspicious could trigger a false alarm. Conversely, if it’s too strict, an attacker may evade it easily.

With an incomplete picture of why an alarm was triggered in the first place, security teams sometimes waste valuable time reacting in the dark. That’s why threat hunting is so important: it moves organizations away from a reactive response to attacks and towards a proactive search for previously unknown threats.

Clearly, having more information and complete context benefits threat hunters who need to cut through the incessant alarm noise. With more information, they can connect the dots that string together a sophisticated attack, and make it easier to triage and prioritize suspicious events that need the most attention.

Uncorrelated, unconsolidated data is incomplete

Attacks can happen anywhere on your network, and few of the products used by security teams today integrate very well. That puts threat hunters in a position of having to jump from interface to interface to collect piecemeal the information they need for forensic investigations. This “swivel chair” approach to threat hunting is manual and time-consuming.

Since that data is siloed, it’s up to the threat hunter to correlate information from one system with information pulled from another. That process requires a tremendous amount of effort. And since complex attacks unfold over long periods of time, there’s a good chance the data won’t go back far enough to be of any value.

It would be a time-saving gift for threat hunters to see the full context of an event in one place. They should have access to metadata correlated with full packet captures, and be able to pull in additional context from firewall, threat intelligence, and endpoint technologies, so they know right away what happened, where it happened, and which devices and users were affected.
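The correlation the last two paragraphs describe, as an added example that is not part of the original post: one IDS alert is enriched with flow metadata, endpoint events and a threat-intelligence watchlist, keyed on the source host, the destination address and a time window. Running the same correlation with a 14-day and a 45-day retention window also shows the point made earlier about short retention: the daily low-volume contact that started weeks before the alert only becomes visible, and only raises the triage priority, when the network history reaches back far enough. All records, addresses, host names and process names below are constructed sample data, and the scoring rule in triage_priority is an illustrative assumption, not a product's logic.

```python
"""Added example (not from the original post): correlate one IDS alert with
flow metadata, endpoint events and a threat-intel list, and show how a short
retention window hides the earlier history of the same activity.

All records below are constructed sample data; the IP addresses, host names
and process names are placeholders, not real indicators.
"""
from datetime import datetime, timedelta

T0 = datetime(2017, 1, 1)  # constructed start of the observation period

# Flow metadata (NetFlow-style): the same host quietly contacts the same
# external address once a day, long before anything alerts.
FLOWS = [
    {"ts": T0 + timedelta(days=d, hours=3), "src": "10.0.0.5",
     "dst": "203.0.113.7", "dport": 443, "bytes": 1200}
    for d in range(0, 40)
]
# A large transfer on day 39 is what finally triggers the IDS.
FLOWS.append({"ts": T0 + timedelta(days=39, hours=3, minutes=5),
              "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443,
              "bytes": 250_000_000})

# Endpoint telemetry for the same host (constructed).
ENDPOINT_EVENTS = [
    {"ts": T0 + timedelta(days=0, hours=2, minutes=58), "host": "10.0.0.5",
     "user": "alice", "process": "updater.exe", "event": "process_start"},
    {"ts": T0 + timedelta(days=39, hours=3, minutes=4), "host": "10.0.0.5",
     "user": "alice", "process": "updater.exe", "event": "network_connect"},
]

THREAT_INTEL = {"203.0.113.7"}  # constructed watchlist entry

ALERT = {"ts": T0 + timedelta(days=39, hours=3, minutes=6),
         "src": "10.0.0.5", "dst": "203.0.113.7",
         "signature": "Large outbound transfer"}


def correlate(alert, flows, endpoint_events, intel, retention_days):
    """Build the context a hunter wants for one alert.

    Only records inside the retention window (alert time minus
    retention_days) are visible; everything older has been discarded.
    """
    window_start = alert["ts"] - timedelta(days=retention_days)
    # 1. Network history between the two endpoints, limited by retention.
    related = [f for f in flows
               if window_start <= f["ts"] <= alert["ts"]
               and f["src"] == alert["src"] and f["dst"] == alert["dst"]]
    # 2. Endpoint events on the source host inside the same window, which
    #    name the process and user behind the connections.
    host_events = [e for e in endpoint_events
                   if e["host"] == alert["src"]
                   and window_start <= e["ts"] <= alert["ts"]]
    # 3. Threat-intel enrichment of the destination and a history summary.
    first_seen = min((f["ts"] for f in related), default=None)
    return {
        "signature": alert["signature"],
        "dst_on_watchlist": alert["dst"] in intel,
        "flow_count": len(related),
        "days_of_history": (alert["ts"] - first_seen).days if first_seen else 0,
        "total_bytes": sum(f["bytes"] for f in related),
        "processes": sorted({e["process"] for e in host_events}),
        "users": sorted({e["user"] for e in host_events}),
    }


def triage_priority(context):
    """Turn correlated context into a coarse priority (assumed scoring rule,
    chosen for illustration): long-running contact with a watchlisted
    address outranks a one-off large transfer."""
    score = 0
    if context["dst_on_watchlist"]:
        score += 2
    if context["days_of_history"] >= 30:  # weeks of low-volume contact
        score += 2
    if context["total_bytes"] > 100_000_000:
        score += 1
    return "high" if score >= 4 else "medium" if score >= 2 else "low"


if __name__ == "__main__":
    for days in (14, 45):
        ctx = correlate(ALERT, FLOWS, ENDPOINT_EVENTS, THREAT_INTEL, days)
        print(f"{days} days retained -> {ctx} -> {triage_priority(ctx)}")
```

With 14 days of retention the hunter sees 15 flows and 13 days of history, and the alert is scored "medium"; with 45 days the same alert shows 41 flows reaching back 39 days to the first connection and the same process, and it is scored "high". Nothing about the attack changed, only how much evidence was kept.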

Work smarter, not harder

Although it’s becoming one of the leading ways to keep businesses safe from cybercrime, only 14% of security operations center employees are involved in threat hunting. Considering the shortage of skilled security professionals the industry is experiencing, that means even large enterprises may have a small team of hunters — if any at all.

Whether it’s a team of one or a team of many, threat hunting is a big responsibility, and it can be a heavy lift, so nothing beats working with a complete and rich dataset. That massive amount of data should also be presented or visualized in a way that makes hunters’ jobs easier, so they can work faster.

Great threat hunters need trusted tools too

Intuition, experience, and an investigative mindset are a great start, but just like Sherlock Holmes had Watson, threat hunters should be armed with the tools that help make them more successful too.

They need all of the facts, going back more than just days or weeks at a time. That substantial body of evidence has to be correlated so that all events — from the network to the endpoint — can be understood quickly, providing better visibility into complex threats that develop over time. Only then can they reach out and find the truth they seek.