If you ask a Security Operations Center (SOC) analyst, “What’s your biggest challenge when hunting threats?” the majority will give a response like this: “We have a lot of disparate tools that we need to correlate together to identify what are actual threats vs. false positives and noise.”

The problem has plagued SOC analysts for years and is only getting worse as the proliferation of data, and the lucrativeness of stealing it, continues. Buried in alerts, SOC analysts scramble to manually decipher which ones need immediate attention. Oftentimes, they end up wasting time on lower priority alerts while the more critical ones slip by.

According to an IDC survey of C-level executives worldwide, 37% said they deal with at least 10,000 alerts every month, and 52% of those alerts are false positives. So how can SOC analysts hunt more efficiently? The answer is by not hunting at all. But before I explain further, let’s take a step back.

Defining the kill chain & lateral movement attacks

The goal of threat hunting is to identify a bad actor early in a cyber breach process such as a kill chain so that they are stopped before data is exfiltrated. Or, in the case of lateral movement, to identify a bad actor or malicious insider before they seize more than one machine. Expanding on the cyber breach kill chain concept, there is a set of steps most bad actors take to break in and steal data. The steps have been defined by the industry based on historical patterns of criminal actions.

Here’s the typical sequence of events. An employee visits an infected website or is the victim of a phishing email and clicks on a malicious link, causing malware to be downloaded on their machine. The malware gives the bad actor access to the network. From there, the bad actor looks around and figures out which applications and systems they can authenticate to. Once the bad actor accesses the crown jewels, they exfiltrate the data. The earlier a SOC analyst can identify the bad actor during this series of events, the faster the bad actor can be stopped.

In a lateral movement attack, a bad actor steals an employee’s credentials, logs into the person’s computer, and uses it as a jumping point to seize other machines. The goal for SOC analysts is to detect the compromised user before the bad actor can control more machines. This kind of attack is more difficult to detect. One telltale sign is an analyst seeing a hundred logins in one minute, which means the actor is not a human being (and most likely a bot); another is unusual behavior such as “Jane” from the marketing department logging into the engineering SQL server.

Logging tools alone are not enough

To detect bad actors early in the kill chain or moving laterally from machine to machine, many organizations are using a logging tool that they have had for years. Based on what they have seen in the past, analysts manually build queries and rules for the logging tool to identify indicators of an attack. For example, if someone logs into a machine a hundred times, that’s a sign of an attack that a logging tool would detect, and it would alert analysts.

The problem with this method is that a smart bad actor will deviate from the expected pattern, for example by logging into a different machine than the rule anticipates. They will complicate the attack, making it undetectable by the logging tool. Don’t get me wrong: logging tools are important cyber security tools and do have their place. They are excellent at aggregating and storing data coming from disparate security tools. However, there must be a level of intelligence on top of that functionality.

Disrupting the kill chain & lateral movement attacks, no threat hunting required

This is where security analytics and user and entity behavior analytics (UEBA) provide value. Security analytics platforms bring together and analyze data from disparate security tools, add their own proprietary algorithms including UEBA, and automatically detect scenarios that are known (i.e. the ones that would otherwise be defined in rules and queries, without analysts having to define them manually), as well as more complex threats. UEBA identifies and prioritizes unusual behaviors, such as those of a compromised user, and whitelists behaviors that are business as usual, reducing noise and false positives in the SOC.

With security analytics platforms, the only information SOC analysts receive is which threats need immediate investigation and why. For example, a security analytics platform automatically detects a bad actor that’s in the fourth stage of the kill chain, prioritizes the threat, and sends it to the analyst along with evidence that validates the claim. The analyst doesn’t need to hunt; the platform says, “You need to investigate this threat because it’s about to exfiltrate highly valuable data.”

Today’s SOC analysts have done the best they can with what they have, which in most cases is a logging tool. However, building queries and rules takes a lot of time, in addition to the problem of analysts being buried in alerts, unable to decipher which ones are real. To enable SOC analysts to work more efficiently and to prioritize and stop the most critical threats before valuable data is exfiltrated, there must be the extra level of intelligence that security analytics provide.

That does not make logging tools obsolete. They are still very much needed for aggregating and storing data. If anything, security analytics optimize logging tools’ effectiveness, ingesting the tool’s data as another piece of the puzzle of who and where the threat is so it can be stopped.
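The two detection approaches contrasted above, a static logging-tool rule (the “hundred logins in one minute” indicator) beside a baseline-driven check of the kind UEBA performs (flagging “Jane” from marketing on the engineering SQL server while suppressing business-as-usual logins), as an added Python example that is not part of the original post and not any vendor’s product. The login events, user names, host names, departments, timestamps, the severity scores and the threshold are all constructed for illustration; a real platform would learn the baseline from weeks of data and use many more signals than host ownership.

```python
"""Static rule versus behavioral baseline over constructed login events.

Added example, not from the original post. All events, names, hosts and
severity values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical logins used to learn "business as usual".
# Fields: (timestamp, user, user_department, host, host_department)
BASELINE = [
    ("2024-03-01T09:00:00", "jane", "marketing", "mkt-share-01", "marketing"),
    ("2024-03-01T09:05:00", "jane", "marketing", "mkt-crm-01", "marketing"),
    ("2024-03-01T09:10:00", "raj", "engineering", "eng-sql-01", "engineering"),
    ("2024-03-01T09:12:00", "raj", "engineering", "eng-build-01", "engineering"),
    ("2024-03-01T09:15:00", "svc-bot", "it", "eng-build-01", "engineering"),
    ("2024-03-01T09:30:00", "mei", "engineering", "eng-sql-01", "engineering"),
    ("2024-03-02T09:02:00", "jane", "marketing", "mkt-share-01", "marketing"),
]


def build_baseline(events):
    """Learn which (user, host) and (user_dept, host_dept) pairs are normal."""
    user_hosts = defaultdict(set)
    dept_pairs = set()
    for _, user, udept, host, hdept in events:
        user_hosts[user].add(host)
        dept_pairs.add((udept, hdept))
    return user_hosts, dept_pairs


def rule_login_burst(events, threshold=100, window_seconds=60):
    """Static rule of the logging-tool kind: one user, >= threshold logins
    inside a sliding window. Catches a bot; misses a single quiet login."""
    by_user = defaultdict(list)
    for ts, user, *_ in events:
        by_user[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, "login_burst",
                               f"at least {end - start + 1} logins within {window_seconds}s"))
                break  # one alert per user is enough for triage
    return alerts


def baseline_deviations(events, user_hosts, dept_pairs):
    """Behavioral check: suppress hosts the user already uses (business as
    usual), flag a new host in the user's own department at low severity,
    and flag a host belonging to another department at high severity."""
    alerts = []
    seen = set()
    for _, user, udept, host, hdept in events:
        if (user, host) in seen:
            continue
        seen.add((user, host))
        if host in user_hosts.get(user, set()):
            continue  # whitelisted by the learned baseline
        if (udept, hdept) in dept_pairs:
            alerts.append((user, "new_host_in_dept", f"{user} first login to {host}"))
        else:
            alerts.append((user, "cross_dept_host",
                           f"{udept} user {user} logged into {hdept} host {host}"))
    return alerts


# Constructed severities: what the analyst should open first.
SEVERITY = {"login_burst": 3, "cross_dept_host": 3, "new_host_in_dept": 1}


def triage(events, baseline_events=BASELINE):
    """Run both detectors and return findings ordered by severity, each with
    the evidence that justifies it."""
    user_hosts, dept_pairs = build_baseline(baseline_events)
    findings = rule_login_burst(events) + baseline_deviations(events, user_hosts, dept_pairs)
    return sorted(findings, key=lambda f: -SEVERITY[f[1]])


# Constructed live events: a bot hammering a host it normally uses, "jane"
# from marketing logging once into the engineering SQL server, and "raj"
# touching a new host inside his own department.
LIVE = [(f"2024-03-03T10:00:{i % 60:02d}", "svc-bot", "it", "eng-build-01", "engineering")
        for i in range(120)]
LIVE += [
    ("2024-03-03T10:07:00", "jane", "marketing", "eng-sql-01", "engineering"),
    ("2024-03-03T10:09:00", "raj", "engineering", "eng-sql-02", "engineering"),
]

if __name__ == "__main__":
    for user, kind, evidence in triage(LIVE):
        print(f"[sev {SEVERITY[kind]}] {user}: {kind} ({evidence})")
```

The burst rule alone reports only the bot; Jane’s single login never trips it. The baseline check reports Jane at the same severity as the bot because a marketing account has no history on any engineering host, while the bot’s own logins are suppressed by the baseline since that host is business as usual for it, and Raj’s new host in his own department lands at the bottom of the queue. That ordering, with the evidence attached, is the prioritized output the text describes rather than a flat stream of alerts.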