Chief Product Officer

Build Better Mousers, Not More Mousetraps

May 26, 2017

Take a deep breath, grit your teeth, and say it with me: Data breaches are inevitable.

If somebody or some group wants to penetrate your network, it’s only a matter of time before they exploit a weak link in your defenses, such as a vulnerability you didn’t know existed. If the thought of that leaves you feeling exposed, you’re in good company. Some of the biggest and best-known brands in the world, as well as critical infrastructure, governments, and even political campaigns, have been victims of major attacks.

But what if the ones working hard to get into your network were already on the inside?

Threat hunting, the proactive search for vulnerabilities and other points of exposure in an organization’s information security strategy, is becoming a leading way to keep ahead of sophisticated cyber threats. In fact, almost half of respondents in a recent SANS survey claimed to be doing threat hunting on at least an ad-hoc basis, and of those, 91% reported having reduced their overall exposure to threats.

That’s good news, but it also means that more than half of respondents aren’t threat hunting at all, or want to and don’t know where to start. Building out a threat hunting function within a security team takes careful planning, skilled and dedicated resources, and the right technology. Putting those things in place first can set your team on the right path to becoming effective threat hunters.

Evangelize the Benefits of Threat Hunting Organizationally

Getting everyone in the organization on the same page about any subject isn’t always easy. When it comes to building a threat hunting function, it’s best to take a top-down approach so you can help ensure everyone is ready to support the team. That means making sure the executive staff understands why threat hunting is necessary, including the value that the team would bring to the organization.

From there, it’s equally important that groups within the organization know what they can expect from threat hunters and how that team can benefit them. For example, finance, R&D, and legal departments all benefit from increased protection of sensitive business documents and intellectual property. These teams should also know that threat hunters may reach out to them for help when gaps in technology or business processes are creating a potential exposure.

Upgrade Analysts to Threat Hunters

Smart security analysts keep their eyes open for new opportunities, including ways to improve their skill sets. Security team managers should be equally opportunistic, identifying analysts who are interested in or have the aptitude to become threat hunters. These individuals aren’t just skilled security professionals; they’ll be the detectives on the team who ask questions rather than simply following orders.

Make sure your more tenured security staff, those with greater proficiency in incident response processes and capabilities, are mentoring these junior analysts. To be effective threat hunters, they’ll have to combine that new knowledge and experience with their intuition and an investigative mindset.

Threat hunting also has the added benefit of driving higher job satisfaction, since analysts are being challenged rather than performing the mundane or repetitive tasks commonly associated with threat detection. That helps organizations retain their valuable security talent, which is especially important in a world where replacing that talent is becoming harder every day.

Drilling Down Requires the Right Tools

Threat hunting is most successful when dedicated resources can remain focused on their goals. It will be difficult to build out a threat hunting function if the team is constantly putting out fires, or lacks the technology to handle the reactive side of day-to-day security work efficiently. That’s why it’s critical that the products in your organization’s security stack work together, so hunters can stay focused on seeking out threats.

Intrusion Detection Systems (IDS), SIEM, firewalls, and endpoint security products should work together to automate detection and mitigation workflows. Information from these products should feed a unified body of correlated forensic evidence for better context, and should be retained for periods that exceed breach windows (the time between an initial compromise and its discovery), so that the evidence of an intrusion is still available once it is finally detected.

Embrace the Cloud

Done right, threat hunting requires access to a considerable amount of data, and in most cases that data can’t be kept where storage is limited by high hardware costs and a lack of scalability. That’s where the Cloud comes into play. The cost of cloud storage is measured in fractions of a cent, and cloud computing is cheaper than maintaining proprietary data centers.

That means most organizations can now cost-effectively retain and process virtually unlimited amounts of data, including full-fidelity PCAPs, for as long as they need them. It also means there is no practical ceiling on how much threat hunting a team can do in the Cloud.

The Cloud’s highly scalable computing power is also capable of running complex statistical analysis and can index massive amounts of stored data quickly. That makes handling vast amounts of data and correlating it across multiple systems easier and faster. It also gives threat hunters a more contextual understanding of what’s going on inside their networks. For example, rather than simply noting that an event happened at a specific point in time, threat hunters can instantly see a 360-degree view of the network segments, users, devices, and even external parties involved in a security event.

Start Sooner Rather Than Later

If data breaches are going to happen, and you know threat hunting can help improve your security posture, then don’t be part of the more than 50% that either isn’t hunting or doesn’t know where to start. Even the most fortified security defenses have gaps you may not have known were there, and some malicious actors make it their business to ensure everybody knows about those gaps before you can close them. However, with some thoughtful consideration, upskilled security staff, the right tools, and a few best practices, you can put your best foot forward in taking a more proactive stance against cyberthreats.

A proven leader in the security industry, Ramon is responsible for product strategy, development, and market delivery. Prior to ProtectWise, he was Vice President, Web Protection at McAfee. With a track record of creating category-leading security products and companies, he has held executive product and business development positions at Proofpoint, Websense, and Symantec. He serves as a board member for Abusix, Inc., a network abuse and threat intelligence company, and Identity Finder LLC, a sensitive data management solutions provider. Ramon holds an M.B.A. in Finance & Entrepreneurial Management from The Wharton School and a B.A. in World Politics and Spanish from Hamilton College.