The growing volume and complexity of cyber threats present a compelling case for adopting threat intelligence platforms (TIPs), a Frost & Sullivan analysis finds.
These solutions help organizations navigate the ever-increasing threat landscape and allow for further analysis and threat intelligence operationalization.
The TIP market least affected by the pandemic
The threat intelligence platform market is one of the cybersecurity markets that will be least affected by COVID-19. It is estimated to reach $234.9 million by 2022 from $132.7 million in 2019, at a compound annual growth rate (CAGR) of 21%.
“The proliferation of TIP use cases indicates the convergence of the TIP space with adjacent markets,” said Mikita Hanets, Information & Communication Technologies Research Analyst at Frost & Sullivan.
“Vendors increasingly aim to offer some elements of TIP functionality in SOAR and SIEM platforms and vice versa. Going forward, solutions that enable businesses to operationalize threat-related data and set up workflows for cyber incidents will converge in the next three years.”
Hanets added: “North America will dominate the market and contribute the maximum revenue, followed by Europe, the Middle East and Africa (EMEA), Asia-Pacific and Latin America. Technology and telecommunications will be the fastest-growing vertical market for TIP vendors in the next two years, while banking and finance is expected to contribute the most by 2022.”
Growth prospects for market participants
The growing sophistication of attacks and the necessity of using threat intelligence for proactive cyber defense present immense growth prospects for market participants who:
- Increase their presence in geographical areas like EMEA, Asia-Pacific and Latin America, where the penetration rate is currently low.
- Expand the network of third-party SOAR integrations or develop native SOAR capabilities. Enterprises with mature cybersecurity practices need intelligence-powered SOAR.
- Develop SIEM capabilities to offer seamless, intelligence-driven solutions. TIP vendors can build on their data management experience and offer a fully consolidated solution.
- Develop threat detection and threat hunting capabilities to enable investigations of security incidents. Threat intelligence is instrumental in securing enterprises because it enables security teams to prevent cyberattacks in real time and identify a breach that might have occurred in the past.
- Develop or acquire intelligence-driven vulnerability and risk management technology. The ability to assess an organization’s exposure and the risk to its global threat data is a key feature of the next generation of solutions.
SIEM and SOAR solutions are important tools in a cybersecurity stack. They gather a wealth of data about potential security incidents throughout your system and store that info for review. But just like nerve endings in the body sending signals, what good are these signals if there is no brain to process, categorize and correlate this information?
A vendor-agnostic XDR (Extended Detection and Response) solution is a necessary component for solving the data overload problem – a “brain” that examines all of the past and present data collected and assigns a collective meaning to the disparate pieces. Without this added layer, organizations are unable to take full advantage of their SIEM and SOAR solutions.
So, how do organizations implement XDR? Read on.
SIEM and SOAR act like nerves
It’s easy for solutions with acronyms to cause confusion. SOAR and SIEM are perfect examples, as they are two very different technologies that often get lumped together. They aren’t the same thing, and they do bring complementary capabilities to the security operations center, but they still don’t completely close the automation gap.
The SIEM is a decades-old solution that uses technology from that era to solve specific problems. At their core, SIEMs are data collection, workflow and rules engines that enable users to sift through alerts and group things together for investigation.
In the last several years, SOAR has been the favorite within the security industry’s marketing landscape. Just as the SIEM runs on rules, the SOAR runs on playbooks. These playbooks let an analyst automate steps in the event detection, enrichment, investigation and remediation process. And just like with SIEM rules, someone has to write and update them.
Because many organizations already have a SIEM, it seemed reasonable for SOAR providers to start by automating the output of the SIEM tool or security platform console. The resulting pipeline looks like this: security controls send alerts to a SIEM; the SIEM applies rules written by the security team to reduce the alert stream to a much smaller number of events (reduction ratios on the order of 1,000,000:1 are common); SIEM events are sent to the SOAR, where playbooks written by the security team use workflow automation to investigate and respond to them.
SOAR investigation playbooks attempt to contextualize the events with additional data, often the same data that the SIEM has filtered out. Writing these investigation playbooks can occupy your security team for months, and even then they cover only a few scenarios and automate simple tasks such as VirusTotal lookups.
The verdict: SOARs and SIEMs purport to perform all the actions necessary to automate the screening of alerts, but the technology by itself cannot. It takes trained staff writing rules and playbooks to bring that capability forth.
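To make concrete what the rules and playbooks above actually are, here is an added example (not code from the original article) of the SIEM-to-SOAR hand-off in Python: a correlation rule turns a handful of constructed sshd-style log lines into one alert, and a playbook enriches that alert from a constructed local threat-intel table and picks a response. The log format, the thresholds and the intel table are all assumptions made for the example. The same kind of baseline correlation rule is what the implementation-planning section later in this page calls for under "Create rules".

```python
"""Minimal SIEM-style correlation rule feeding a SOAR-style playbook.

Added example, not code from the original article. The log format,
the thresholds and the threat-intel table are constructed for
illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not a real capture).
RAW_LOGS = """\
2024-05-01T10:00:01Z host1 sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:03Z host1 sshd: Failed password for root from 203.0.113.5
2024-05-01T10:00:05Z host1 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:07Z host1 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:09Z host1 sshd: Failed password for deploy from 203.0.113.5
2024-05-01T10:00:20Z host1 sshd: Accepted password for deploy from 203.0.113.5
2024-05-01T10:01:00Z host2 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:09:00Z host2 sshd: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse(raw):
    """Normalize raw lines into event dicts; this is the SIEM's collection stage."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would route unparsed lines to a catch-all index
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """SIEM rule: at least `threshold` failures from one source within `window`,
    followed by a success from that same source, is a candidate brute force."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["outcome"] == "Failed":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "ssh_bruteforce_success", "src": src,
                               "user": e["user"], "host": e["host"],
                               "failures": len(recent), "ts": e["ts"]})
            failures = []  # a success ends the current run of failures
    return alerts


# Constructed local threat-intel table standing in for an external lookup.
THREAT_INTEL = {"203.0.113.5": {"tags": ["scanner", "bruteforce"], "score": 90}}


def playbook(alert, intel=THREAT_INTEL):
    """SOAR playbook: enrich the SIEM alert, then choose a response action."""
    enrichment = intel.get(alert["src"], {"tags": [], "score": 0})
    enriched = dict(alert, intel=enrichment)
    if enrichment["score"] >= 70 or alert["failures"] >= 10:
        enriched["action"] = "isolate_host_and_disable_user"
    elif alert["user"] in {"root", "admin"}:
        enriched["action"] = "escalate_to_analyst"
    else:
        enriched["action"] = "open_ticket"
    return enriched


def run_pipeline(raw=RAW_LOGS):
    """Controls -> SIEM rule -> SOAR playbook, end to end."""
    return [playbook(a) for a in correlate(parse(raw))]


if __name__ == "__main__":
    for r in run_pipeline():
        print(r["src"], r["user"], r["failures"], r["action"])
```

Of eight raw lines, seven are discarded by the rule and one becomes an alert, which is the filtering the SIEM is there to do. Note that the rule, its threshold and the playbook's decision logic all had to be written by hand, which is exactly the article's point about staff effort.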
Coming back to the analogy, this data can be compared to the nerves flowing through the human body. They fire off alerts that something has happened – alerts that mean nothing without a processing system that can gather context and explain what has happened.
Giving the nerves a brain
What the nerves need is a brain that can receive and interpret their signals. An XDR engine powered by Bayesian reasoning is a machine-powered brain that can investigate any output from the SIEM or SOAR at speed and scale. It replaces traditional Boolean logic (that is, searching for things the IT team already knows to be somewhat suspicious) with a much richer way to reason about the data.
This additional layer of understanding will work out of the box with the products an organization already has in place to provide key correlation and context. For instance, imagine that a malicious act occurs. That malicious act is going to be observed by multiple types of sensors. All of that information needs to be put together, along with the context of the internal systems, the external systems and all of the other things that integrate at that point. This gives the system the information needed to know the who, what, when, where, why and how of the event.
This is what the system’s brain does. It boils all of the data down to: “I see someone bad doing something bad. I have discovered them. And now I am going to manage them out.” What the XDR brain is going to give the IT security team is more accurate, consistent results, fewer false positives and faster investigation times.
How to apply an XDR brain
To get started with integrating XDR into your current system, take these three steps:
1. Deploy a solution that is vendor-agnostic and works out of the box. This XDR layer of security doesn’t need playbooks or rules. It changes the foundation of your security program and how your staff do their work. This reduces your commitment in time and budget for security engineering, or at least enables you to redirect it.
2. Turn your sensors all the way up. It has become much easier in the last several years to collect, store and, to some extent, analyze data. In particular, cloud architectures offer simple and cost-effective options for collecting and storing vast quantities of data, so it is now possible to ingest the full stream of sensor data rather than letting in only a small trickle.
3. Decide which risk reduction projects are critical for the team. Automation should release security professionals from mundane tasks so they can focus on high-value actions that truly reduce risk, like incident response, hunting and tuning security controls. There may also be budget that is freed up for new technology or service purchases.
Reading the signals
To make the most of SOARs and SIEMs, you need XDR: a tool that takes the data collected and adds the context needed to turn thousands of alerts into one complete situation that is worth investigating.
The XDR layer is an addition to a company’s cybersecurity strategy that will most effectively use SIEM and SOAR, giving all those nerve signals a genius brain that can sort them out and provide the context needed in today’s cyber threat landscape.
Security alerts more than doubled in the last 5 years, SecOps teams admit they can’t get to them all
Sumo Logic announced the findings of a global survey that highlight the barriers security professionals are facing on the path to modernizing the security operations center (SOC).
High volume of security alerts
The struggle to effectively manage high volumes of security alerts and the complexities associated with traditional SIEMs are driving the demand for a new approach to effectively address challenges in the SOC through cloud-native SIEMs combined with security automation capabilities.
“Today’s security operations teams are faced with constant threats of security breaches that can lead to severe fallout including losing customers, diminished brand reputation and reduced revenue. To effectively minimize risk and bridge the gap, many companies rely on automated solutions that provide real-time analysis of security alerts,” said Diane Hagglund, principal for Dimensional Research.
“These findings highlight the challenges SOC teams are facing in a cloud-centric world, but more importantly why enterprises are aggressively looking to cloud-native alternatives for security analytics and operations.”
The study reveals that managing the sheer volume of these alerts poses a significant problem for IT security professionals. Although automated security alert processing can help to mitigate this issue, it is still a work in progress for most security teams.
Security alert volumes create problems for security operations
- 70% have more than doubled the volume of security alerts in the past five years
- 99% report high volumes of alerts cause problems for IT security teams
- 83% say their security staff experiences “alert fatigue”
Automation helps, but it is still a work in progress
- 65% of teams with high levels of automation resolve most security alerts the same day compared to only 34% of those with low levels of automation
- 92% agree automation is the best solution for dealing with large volumes of alerts
- 75% report they would need three or more additional security analysts to address all alerts the same day
Better technology is needed to manage security alert volumes
- 88% face challenges with their current SIEM
- 84% see many advantages in a cloud-native SIEM for cloud or hybrid environments
- 99% would benefit from additional SIEM automation capabilities
“Enterprises are arguably dealing with more data today than ever before, and the pain security operations teams are feeling is significant. There’s never been a more important time to ensure IT security operations are up to par,” said Greg Martin, general manager for the security business unit at Sumo Logic.
“Companies need to adopt solutions that let them quickly identify, prioritize and respond to only the most critical warning signals, so that they’re not left drowning in alert overload with no direction.”
A Security Information and Event Management (SIEM) solution collects and analyzes activity from numerous resources across your IT infrastructure. A SIEM can provide information of critical importance, but how do you find one that fits your organization?
To select an appropriate SIEM solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals in order to get insight to help you get started.
Jae Lee, Senior Director, Elastic Security
SIEM is a mature product category and continues evolving. However, SIEM needs to enable teams to evolve, as SecOps transforms from “traditional” to “adaptive.”
Let’s start with people — traditional skillsets are based on tools (e.g., vulnerability, firewall, IDS/IPS, etc.), but broader skillsets are needed to help practitioners adapt quickly. Manipulating and analyzing data, performing collaborative research, understanding adversaries/tradecraft — SIEM must help augment and develop these skillsets.
Next is process — with improved skills, alerts no longer rule (unless allowed to), and pre-defined, static SOPs / playbooks alone are not enough. Teams now require real-time analysis to hunt — including performing research, reverse-engineering and simulating threats, and more. Context is everything. Hunting and operationalizing effectively requires full visibility — not in a separate tool, but within the SIEM.
Finally, technology. Full visibility isn’t just broad coverage, but fast insights. Also, detections need to work OOTB. Consider endpoint — there, OOTB detections have high accuracy. The same principle should apply in SIEM, without requiring every analyst to be an expert rule author. SIEM isn’t just “technology” — it needs real-world-validated security content.
As SecOps matures, major investments are often required for the care and feeding of a SIEM. You have to stop threats and justify your investment. Give yourself the runway to be confident that once deployed the SIEM can meet your fast-evolving needs, and ask hard questions around scale and flexibility — from detections to integrations, to deployment options, to pricing metrics.
Christopher Meenan, Director, QRadar Product Management and Strategy, IBM Cloud and Cognitive Software
The first thing to think about is what use cases you need to address. Your requirements will look very different depending on whether you need to secure your organization during a cloud transformation, build a unified IT and OT security operations program, or simply address compliance. Your use cases will drive requirements around integrations, use case content, analytics, and deployment methods.
Ask the vendors how they can help address your requirements. Understand which integrations and use case content are included, versus which require a separate license or custom development. Understand what analytics are available and how those analytics are used to detect known and unknown threats. Ask what frameworks, such as MITRE ATT&CK, are natively supported.
If you’re like most companies, your team is understaffed – which means you need usable products that help shorten the learning curve for new analysts and make your experienced team members more efficient. Ask how each solution measurably increases efficiency during the detection, investigation and response processes. Also ask about SaaS deployments and MSSP partnerships to reduce on-going management requirements.
Most importantly, don’t be shy. Ask for a proof of concept to make sure the tools you’re considering will work for you.
Stephen Moore, Chief Security Strategist, Exabeam
The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organizational alerts they receive in a day and that complexity – coupled with the inherent difficulties of detecting credential-based attacks – means many SOC analysts now experience several pains that traditional SIEMs can’t solve, including alert fatigue, a lack of skilled analysts and lengthy investigation times.
Many organizations are now migrating their SIEM to the cloud, which allows analysts to harness greater compute power, sift through, interpret and operationalize SIEM data. Now more of their time is spent finding bad things versus platform and server support. But to choose the right SIEM for ‘the business’ you need to consult with it. You need to align its capabilities to the goals, concerns and expectations of the business – which will undoubtedly have changed over the last few months. Above all else, this requires taking the time to ask the questions.
Then, make choices based on known adversary behavior and breach outcomes – focusing specifically on credentials – ensuring your platform is adversary adaptable and object centered. Ask, will it improve your time to answer (TTA) questions, such as ‘which account or asset is associated with this alert?’ or ‘what happened before, during, and after?’
Finally, any solution needs to help your SOC analysts focus on the right things. Key to this is automation – both in the form of incident timelines that display the full scope, acting as the storyboard of the incident, as well as an automated incident response capability for when action must be taken to return the environment to normal. Providing automation of the necessary investigation steps is the most important thing an incident responder can have so they may take action faster and most importantly minimize the risk of an incomplete response.
Wade Woolwine, Principal Security Researcher, Rapid7
While the term SIEM has “security” as the very first word, event and log management isn’t just for security teams.
When organizations look to invest in a SIEM or replace an existing SIEM, they should consider use cases across security, IT/cloud, engineering, physical security, and any other group who may benefit from a centralized aggregation of logs. Once the stakeholders have been identified, documenting the specific logs, their sources, and any use cases will ensure the organization has a master list of needs against which to evaluate vendors.
Organizations should also recognize that the use cases will change over time and new use cases will be implemented against the SIEM, especially within the security team. For this reason, organizations should also consider the following as hard requirements to support future growth:
- Support for adding and categorizing custom event sources by your own team
- Support for cloud based event sources
- Field searching level with advanced cross-data-type search functionality and regular expression support
- Saved searches with alerting
- Saved searches with dynamic dashboard reporting
- Ability to integrate threat feeds
- Support for automation platform integration
- API support
- Multi-day training included with purchase
Jesper Zerlang, CEO, LogPoint
As the complexity of enterprise infrastructures is increasing, a key component of a Modern SIEM solution is the ability to capture data from everywhere. This includes data on-premises, in the cloud, and from software, including enterprise applications like SAP. In today’s complex threat landscape, a SIEM that fully integrates UEBA and allows enterprises to relevantly enhance security analytics instantly is an absolute necessity.
The efficiency of your SIEM solution is entirely dependent on the data you feed into it. If the license model of a SIEM solution relies on the volume of data ingested or the number of transactions, the cost will be ever-increasing due to the overall growth in data volumes. As a consequence, you may select to skip SIEM coverage for certain parts of your infrastructure to cut costs, and that can prove fatal.
Choose a SIEM with a license model that supports the full digitalization of your business and allows you to fully predict the future cost. This will ensure that your business needs are aligned with your technology choices. And last but not least: select a SIEM solution that has documented short time-to-value and complete your SIEM project on time. SIEM deployments, whether initial implementation or a replacement, are generally considered complicated and time-consuming. But they certainly don’t have to be.
Security Information and Event Management (SIEM) systems combine two critical infosec abilities – information management and event management – to identify outliers and respond with appropriate measures. While information management deals with the collection of security data from across silos in the enterprise (firewalls, antivirus tools, intrusion detection, etc.), event management focuses on incidents that can pose a threat to the system – from benign human errors to malicious code trying to break in.
Having been in existence for over a decade now, SIEM systems have come a long way: from mere log management to integrating machine learning and analytics for end-to-end threat monitoring, event correlation, and incident response. The modern SIEM system goes way beyond collating data and incidents for security supervisors to monitor – it analyses and responds to threats in real-time, thereby reducing human intervention while also enabling a more holistic approach to information security.
But given the magnitude and complexity of the tasks performed by an SIEM solution, integrating it into the existing information security architecture of an enterprise can be daunting, especially when it comes to a large enterprise with multiple, disparate centers spread across the globe.
Common SIEM integration mistakes
Cybersecurity is a highly dynamic space and a solution that is effective today may no longer be viable tomorrow. This is exactly where SIEM integration pitfalls stem from. Deployments failing and solutions not meeting goals, in the long run, is a commonly observed problem. And when it comes to a large enterprise with a global presence, the complexity only compounds further! Here’s a look at some common mistakes that organizations commit while implementing a SIEM solution, which can later snowball into major threats.
1. Under-planned implementation
Despite a widespread awareness that SIEM solutions can be complex in nature, many organizations go about integrating one without initially defining their goals and requirements. Chances of successfully implementing a SIEM solution without proper planning are slim. Evaluating the solution at a later stage or on an ad-hoc basis only piles up the expenses that could easily have been avoided.
Moreover, out-of-the-box SIEM solutions are more generic in nature and cannot cater to the specific cybersecurity challenges of any organization. This is another reason why prior planning comes in handy so that there is enough scope for customizations and third-party integrations before implementation.
2. Implementing without a predefined scope
Implementing a SIEM solution without defining the scope is akin to building a house without a foundation, and in a large multinational enterprise the consequences of poor scoping are felt at every site at once. The scope provides the basis for everything that follows: planning, deployment, implementation, and maturing the SIEM solution with related capabilities. It determines the choice of solution, the architectural requirements, the necessary staffing, and the processes and procedures.
3. Rooting for the one-solution-fits-all approach
Given the large, almost comprehensive nature of a SIEM tool, it may seem tempting to try and do everything with it at once. While SIEM solutions are capable of collecting, processing and managing large amounts of data, that doesn’t mean it’s a good practice to over-stuff the solution with too many capabilities at once.
Organizations with a global presence are bound to deal with myriad and diverse use cases, each use case being distinct and requiring a different approach. Hence, SIEM use cases should be approached in a way that can set up stages of cycles to make way for continual improvements rather than taking a one-solution-fits all approach.
4. Monitoring noise
Another common mistake is approaching the SIEM solution as a log management tool, setting it to capture and store all logs from all devices and applications without discrimination, under the impression that this will give a more comprehensive and clearer view. However, instead of reducing the noise, such an exercise actually amplifies it and generates more of it.
What’s more, one can only imagine the chaos it will cause in the case of a large enterprise with a global presence. Pouring in more hay is pointless when your purpose is to find a needle in the haystack.
SIEM implementation best practices
These mistakes can be avoided by following a set of implementation best practices. Every organization’s implementation will differ, but the following steps are ones a CISO can consider, and they are crucial to the effective performance of a SIEM solution after deployment.
1. Define the project and scope
The first step is to define the project and its scope: the timeline, the goals, and the informational, budgetary and physical resources required. As a starting point, the CISO should consider setting up basic rules, identifying the applicable compliance and policy requirements, and structuring how the SIEM will be managed after implementation.
A SIEM needs visibility into most of the network infrastructure to be effective, so the log sources in scope should be defined explicitly rather than ingesting everything by default (see the note on monitoring noise above). Here are some basic components that can be included while scoping:
Security control logs:
- Intrusion detection and prevention systems (IDPS)
- Endpoint protection software
- Data loss prevention (DLP) software
- Threat intelligence software
- Web filters
Network infrastructure logs:
- Internal applications
Other data points:
- Network architecture
- Network policy configurations
- IT assets
2. Research products
Product research is something that will be unique to each business. However, on a broad level, there are three main informational resources that the CISO can consider before zeroing in on an SIEM.
Vendor analysis: A number of online resources and search engines can help identify the major SIEM vendors. CISOs can then contact the vendors for information relating to their specific situation. In addition, CISOs can consult software analyst firms or commission empirical testing for vendor analysis; many research and testing service providers can generate valuable insights on markets and tools.
Product reviews: How product reviews help is self-explanatory: review websites let CISOs compare the leading SIEM tools and learn from the experience of existing users.
Use case assessment: Assessing use cases that will pertain to the business – not just in the immediate future, but in the long run – is essential to ensuring a smooth SIEM integration. This step requires CISOs to communicate with the shortlisted vendors and understand industry-specific scenarios, case studies, and product demos.
3. Implementation planning
The next step is to outline a number of implementation procedures to ensure a smooth and effective transition. Here are a few components that CISOs should include in their plan:
Design architecture: Making a detailed design architecture helps get a clearer view of the entire implementation. Outlining all data sources related to log sources and data inputs and deploying information collectors to ensure all log sources are connected is a good starting point.
Create rules: It is critical that the correlation engine goes live with a baseline set of rules, so that it produces meaningful alerts from day one. The more customized rules to be implemented in the long term should also be identified at this stage. Well-designed rules improve documentation and alerting without degrading network performance, and they should be tailored to any applicable compliance requirements.
Define process: It is advisable to put a handoff plan in place before deployment, to transfer control from the implementation team to security operations or IT management team. Plus, considering the company’s staffing capabilities is crucial to ensuring that teams can seamlessly manage the SIEM; otherwise, it will all be rendered pointless.
In addition to the aforementioned steps, it is a good idea to outline any other long-term management processes specific to the organization, such as training the staff to manage and monitor an SIEM system.
4. Deployment and review
As soon as the solution is deployed, it is necessary to take a few immediate actions to ensure smooth functioning going forward:
- Ensure data is being collected and encrypted properly
- Ensure all activities, logs and events are stored correctly
- Test the system by comparing the connected devices and log sources it shows against those that were planned
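The third check above is easy to automate. The following is an added example (not code from the original article) in Python: it compares a constructed planned-source inventory from the scoping step against a constructed "last event seen" table of the kind a SIEM reports, and flags sources that are missing, have gone quiet for longer than expected, or are reporting without ever having been scoped. Source names, timestamps and the per-source expected gaps are assumptions for the example.

```python
"""Post-deployment check: are the planned log sources actually reporting?

Added example, not part of the original article. The planned-source
inventory and the "last seen" records are constructed; a real check
would pull them from the SIEM's source inventory or a heartbeat query.
"""
from datetime import datetime, timedelta

# Constructed inventory from the scoping step: source -> longest acceptable
# silence. A chatty firewall should never be quiet for long; an EPP console
# that only reports on events may legitimately be quiet for an hour.
PLANNED_SOURCES = {
    "fw-edge-01":   timedelta(minutes=5),
    "idps-dc-01":   timedelta(minutes=15),
    "epp-console":  timedelta(hours=1),
    "dlp-gateway":  timedelta(hours=1),
    "app-payments": timedelta(minutes=30),
}

# Constructed "last event seen" table as the SIEM would report it.
LAST_SEEN = {
    "fw-edge-01":   datetime(2024, 5, 1, 12, 0, 0),
    "idps-dc-01":   datetime(2024, 5, 1, 11, 20, 0),   # has gone quiet
    "epp-console":  datetime(2024, 5, 1, 11, 30, 0),
    "app-payments": datetime(2024, 5, 1, 11, 50, 0),
    "legacy-proxy": datetime(2024, 5, 1, 11, 59, 0),   # never scoped
}

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, 0)


def check_sources(planned, last_seen, now):
    """Return {source: status} where status is one of:
    'ok'        reporting within its expected gap
    'stale'     reporting, but silent for longer than its expected gap
    'missing'   planned but never seen by the SIEM
    'unplanned' seen by the SIEM but absent from the scoping inventory"""
    report = {}
    for src, max_gap in planned.items():
        seen = last_seen.get(src)
        if seen is None:
            report[src] = "missing"
        elif now - seen > max_gap:
            report[src] = "stale"
        else:
            report[src] = "ok"
    for src in last_seen:
        if src not in planned:
            report[src] = "unplanned"
    return report


def needs_attention(report):
    """Sources an analyst should look at, sorted for stable output."""
    return sorted(src for src, status in report.items() if status != "ok")


def run_check(planned=PLANNED_SOURCES, last_seen=LAST_SEEN, now=NOW):
    return check_sources(planned, last_seen, now)


if __name__ == "__main__":
    rep = run_check()
    for src in sorted(rep):
        print(f"{src:14} {rep[src]}")
    print("needs attention:", needs_attention(rep))
```

A source that stops sending is the failure mode worth catching here: the SIEM keeps running, dashboards stay green, and the correlation rules simply never fire for that part of the estate. Running this check on a schedule rather than once at deployment turns the review in step 4 into an ongoing control instead of a one-off.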
Ensuring seamless functioning of the SIEM solution
Successfully implementing a SIEM solution is just the beginning. Teams should keep testing and updating the solution against the latest attack techniques. Timely upgrades and customizations are inevitable as the threat landscape and policies evolve; they are the only way to keep the number of false positives in check while ensuring end-to-end information security to the greatest extent possible.
Enterprise security infrastructures average 80 security products, creating security sprawl and a big management challenge for SOC teams. With high volumes of data generated from security controls across the infrastructure, SOC teams often rely on Security Information and Event Management (SIEM) solutions to aggregate data and deliver insight into events and alerts. Similarly, Security Orchestration, Automation and Response (SOAR) platforms can take the results and automate them into action.
However, the business needs to know that it’s safe—now. That’s why organizations are turning to Breach and Attack Simulation (BAS) integration with the SOC. BAS integration with SIEM and SOAR solutions enables SOC teams to continually evaluate the effectiveness of their security controls and improve the company’s security posture with real-time, accurate metrics.
BAS validates that your SIEM is effectively picking up events and alerts. You can:
- Validate SIEM integrations with other security controls across the infrastructure.
- Refine SIEM rules using forensic artifacts—such as hash values, domain names, host artifacts, etc.—provided in attack simulation analyses.
- Evaluate effectiveness of preventative controls, such as EPP, web gateways, email gateways, firewalls, and IPS.
- Assess effectiveness of behavior-based detection controls, such as EDR, UEBA, deception technology, and honeypots.
The best BAS solutions deliver specific details about myriad controls’ ability to detect suspicious activity. A SOC team can launch an Immediate Threats Intelligence assessment to simulate the latest threats seen in the wild. Data from lateral movement, data exfiltration, and other attack vector simulations can be pulled into the SIEM for parsing, creating alerts, and remediation purposes.
BAS can run daily, hourly, or continuously with results pulled into the SOAR. Team members can prioritize remediation and take corrective steps right from the SOAR dashboard. Use BAS-generated data to:
- Refine SOAR incident-response playbooks.
- Assess effectiveness of post-breach controls.
- Determine effectiveness of monitoring and response workflows.
- Prioritize mitigation efforts according to heuristic cyber exposure scores.
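What "BAS validates that your SIEM is picking up events" means in practice is a reconciliation: for each simulation, did a SIEM alert fire that references the artifacts the simulation left behind? The following is an added example (not code from the original article or from any BAS vendor) in Python. The simulation results, the SIEM alerts and the mapping of simulations to MITRE ATT&CK technique IDs are constructed for illustration; in practice both inputs would come from the BAS and SIEM APIs.

```python
"""Reconcile BAS simulation results against SIEM alerts to find detection gaps.

Added example, not code from the original article or any BAS product.
All simulation results, alerts and technique assignments are constructed.
"""
from collections import defaultdict

# Constructed BAS run: each simulation records whether a preventive control
# blocked it and which forensic artifacts it left behind.
BAS_RESULTS = [
    {"id": "sim-001", "technique": "T1110", "name": "SSH password spray",
     "prevented": False, "artifacts": {"src_ip": "203.0.113.5"}},
    {"id": "sim-002", "technique": "T1059.001", "name": "Encoded PowerShell",
     "prevented": False, "artifacts": {"sha256": "aa11" * 16}},
    {"id": "sim-003", "technique": "T1048", "name": "DNS exfiltration",
     "prevented": False, "artifacts": {"domain": "exfil.example.test"}},
    {"id": "sim-004", "technique": "T1566.001", "name": "Malicious attachment",
     "prevented": True, "artifacts": {"sha256": "bb22" * 16}},
]

# Constructed SIEM alerts raised during the same time window.
SIEM_ALERTS = [
    {"rule": "ssh_bruteforce", "fields": {"src_ip": "203.0.113.5"}},
    {"rule": "edr_malware", "fields": {"sha256": "bb22" * 16}},
]


def detected_by(sim, alerts):
    """Rules whose alert shares at least one artifact value with the simulation."""
    hits = []
    for alert in alerts:
        for key, value in sim["artifacts"].items():
            if alert["fields"].get(key) == value:
                hits.append(alert["rule"])
                break
    return hits


def coverage(results=BAS_RESULTS, alerts=SIEM_ALERTS):
    """Classify each simulation as prevented, detected, or a gap.

    A prevented simulation is not counted as a gap even if nothing alerted,
    because a blocked payload may never reach the telemetry a rule keys on."""
    out = {}
    for sim in results:
        rules = detected_by(sim, alerts)
        if sim["prevented"]:
            status = "prevented"
        elif rules:
            status = "detected"
        else:
            status = "gap"
        out[sim["id"]] = {"technique": sim["technique"],
                          "status": status, "rules": rules}
    return out


def gaps_by_technique(cov):
    """Group undetected simulations by ATT&CK technique for prioritization."""
    grouped = defaultdict(list)
    for sim_id, row in cov.items():
        if row["status"] == "gap":
            grouped[row["technique"]].append(sim_id)
    return dict(grouped)


def rule_suggestions(results=BAS_RESULTS, alerts=SIEM_ALERTS):
    """For each gap, the artifacts a new or refined SIEM rule should match on."""
    cov = coverage(results, alerts)
    return {sim["id"]: sim["artifacts"]
            for sim in results if cov[sim["id"]]["status"] == "gap"}


if __name__ == "__main__":
    cov = coverage()
    for sim_id, row in cov.items():
        print(sim_id, row["technique"], row["status"], row["rules"])
    print("gaps by technique:", gaps_by_technique(cov))
    print("rule inputs:", rule_suggestions())
```

For each remaining gap, the artifacts the simulation left behind are exactly the hash values, domain names and source addresses the list above says to feed back into SIEM rules, and the grouping by ATT&CK technique is the basis for the prioritized remediation the SOAR-side list describes.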
Integration with GRC systems
Besides compliance risk, companies need to manage and report on risk associated with digital transformation efforts and supply-chain relationships. When BAS is integrated with Governance, Risk, and Compliance (GRC) tools, such as RSA Archer, organizations gain granular data to:
- Proactively identify and preempt potential adverse impacts of IT configuration changes, software updates, and new technology deployments.
- Measure control effectiveness at specific points in time and over time.
- Reduce supply chain risk by continuously challenging security controls that defend portals, email and web gateways, and endpoints.
Power up vulnerability management tools
BAS data powers up vulnerability scanning, giving SOC teams visibility into Common Vulnerabilities and Exposures (CVE) data combined with attack simulation results. Teams can prioritize and accelerate remediation according to parameters such as asset type, user privileges, and proximity to critical digital assets.
Integration with EDR tools
BAS enables teams to verify that EDR solutions are effectively detecting IoCs and attack techniques of the latest simulated threats. Teams can simulate specific threat behaviors on their endpoints and verify that response tools work as expected.
BAS integration via API enables SOC teams to retrieve all assessment results from simulated attacks—including IoCs, TTPs, payload names, mitigations, and other data—and move them into their own environments. This gives them:
- Immediate insights: BAS data is always available for incorporation with other SOC tools.
- Latest threat intelligence: Detailed attacker TTP and daily threat data gives SOC teams the latest insight without needing a team of experts.
- Unified visibility: Combining BAS results with SOC tools maximizes team productivity for decision-making and prioritization.
- Mitigation guidelines: Teams receive specific guidance mapped to the MITRE ATT&CK™ framework for accelerating remediation.
- Comprehensive coverage: BAS challenges controls across all vectors and the entire kill chain.
- Continuous automated testing: SOC teams can continuously challenge controls and immediately identify infrastructure changes or security gaps before they are exploited.
- Control optimization: Gain consistent assessment across the kill chain, ensuring that mitigation efforts deliver the expected benefit.
With just a few clicks, SOC teams can initiate thousands of attack simulations and see exactly where they’re exposed and how to fix it. Now, it’s possible to surface new threats daily, defend against advanced stealth techniques, preempt adverse effects of continuous IT change, and ensure that security controls maximize protection against state-sponsored threat actors and complex supply-chain attacks.
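To show what "pulling BAS results into the SIEM and SOAR" looks like in practice, here is an added example (not code from the page or from any BAS vendor) that scores per-vector exposure from simulated-attack outcomes, emits SIEM-style alerts for steps a control missed, and orders a SOAR remediation queue. The result records, the outcome weights and the alert schema are all constructed assumptions; real BAS APIs return their own formats.

```python
from collections import defaultdict

# Constructed sample of what a BAS API might return per simulated attack step
# (illustrative format, not any vendor's schema).
BAS_RESULTS = [
    {"id": "sim-001", "vector": "lateral-movement", "technique": "T1021.002",
     "control": "EDR", "outcome": "not_detected", "severity": 9},
    {"id": "sim-002", "vector": "lateral-movement", "technique": "T1550.002",
     "control": "EDR", "outcome": "detected", "severity": 8},
    {"id": "sim-003", "vector": "exfiltration", "technique": "T1048.003",
     "control": "web-gateway", "outcome": "prevented", "severity": 8},
    {"id": "sim-004", "vector": "exfiltration", "technique": "T1567.002",
     "control": "web-gateway", "outcome": "not_detected", "severity": 7},
    {"id": "sim-005", "vector": "email", "technique": "T1566.001",
     "control": "email-gateway", "outcome": "prevented", "severity": 6},
]

# Assumed weights for the heuristic exposure score: a prevented step adds
# nothing, a step merely detected (but allowed through) adds a little, and a
# missed step adds its full severity.
OUTCOME_WEIGHT = {"prevented": 0.0, "detected": 0.25, "not_detected": 1.0}

def exposure_scores(results):
    """Per-vector exposure in [0, 1]: severity-weighted share of simulated
    steps the controls failed to stop (0 means every step was prevented)."""
    missed, total = defaultdict(float), defaultdict(float)
    for r in results:
        missed[r["vector"]] += OUTCOME_WEIGHT[r["outcome"]] * r["severity"]
        total[r["vector"]] += r["severity"]
    return {v: round(missed[v] / total[v], 2) for v in total}

def siem_alerts(results):
    """One SIEM-style alert per step a control missed outright, tagged with
    the ATT&CK technique so analysts can pivot to mitigation guidance."""
    return [{"rule": "bas-control-gap", "simulation": r["id"],
             "technique": r["technique"], "control": r["control"],
             "severity": r["severity"]}
            for r in results if r["outcome"] == "not_detected"]

def remediation_queue(results):
    """SOAR work items ordered by vector exposure, then step severity, so the
    team fixes the weakest vector's worst gap first."""
    scores = exposure_scores(results)
    gaps = [r for r in results if r["outcome"] != "prevented"]
    gaps.sort(key=lambda r: (-scores[r["vector"]], -r["severity"]))
    return [(r["id"], r["vector"], r["technique"]) for r in gaps]
```

On the sample data, lateral movement scores 0.65 and exfiltration 0.47, so the missed SMB-share step is queued first, then the detected-but-allowed pass-the-hash step, then the missed cloud-storage exfiltration.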
The role and tasks of a threat hunter are confusing, according to a ThreatQuotient and SANS study based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.
Threat hunter role: How threat hunting teams are tasked in an environment
Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.
“However, the reality within corporate IT is often different,” says Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”
The study confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter.
“Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” Auer emphasises.
Targeted threat discovery is important
The fact that threat hunting is still in its infancy is evident based on suboptimal prioritization of resources. “Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study.
“When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.” In fact, 71% of participating companies consider technology to be first or second in terms of resource allocation for threat hunting. Only 47% of respondents focus on hiring new personnel and 41% on training employees.
Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting.
These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organizations.
Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG.
Improve incident response
The research shows security leaders are turning to managed security services to help augment limited internal resources and bridge the security technology gap. “Security is an inherent ingredient in networking today; however, limited resources and budget constraints make it difficult for companies to develop with their own staff,” says Chris … More
The post To improve incident response, you need to consider 3rd party solutions appeared first on Help Net Security.