ThreatQuotient, a pioneer in the security operations platform market, today introduced the results of the SANS Threat Hunting 2019 study. The most vital result is the worldwide confusion about the role and tasks of a threat hunter. The study, sponsored by ThreatQuotient and conducted via SANS is, based on data accumulated from 575 participating companies that either work with or function their own threat hunting teams.
Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This entails making hypotheses on the existence of possible threats, which are then either demonstrated or disproven on the basis of accumulated data. “However, the reality within corporate IT is frequently different,” says Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the difference between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes opposite to their authentic role.”
The SANS study data confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35%of participants say that they work with hypotheses during threat hunting – a manner that must be part of the arsenal of every threat hunter. “Responding to threats is important for security, however it is not the important task of the hazard hunter. They should be searching for threats that bypass defenses and never trigger an alert,” Auer emphasizes.
The truth that threat hunting is still in its infancy is evident primarily based on suboptimal prioritization of resources. “Many companies are still in the implementation phase and are more inclined to spend money on tools than on qualified professionals or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study. “When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.” In fact, 71% of participating companies think about technology to be first or second in terms of resource allocation for threat hunting. Only 47%of respondents focus on hiring new personnel and 41% on training employees.
Due to the proactive nature of threat hunting, companies frequently find it tough to accurately measure the economic advantages of these security measures. Ideally, the professionals prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has increased through at least 11% due to threat hunting. These figures exhibit that targeted threat discovery is essential and that investing in devoted threat hunting teams provides measurable improvement in IT security for organizations.
Threat hunting teams gain from a single security architecture that integrates seamlessly with existing processes and technologies. The ThreatQ platform enables such an architecture. The solution accelerates and simplifies investigations and collaboration inside and across teams and tools. It helps Incident Response and threat hunting and serves as a threat intelligence platform. Through automation, prioritization and visualization, disruptions can be minimized and high-priority threats can be recognized to enable more targeted action and supply decision aid for constrained resources.