Threat hunting is now pervasive, learn how the ThreatQ Platform helps support your teamLIZ BUSH
Here are three key challenges the survey revealed:
- Researchers state, “One of the critical factors for successful threat hunting is to lose as little time as possible when pulling needed data together.” This includes a combination of data from internal systems and external sources. Yet 48% of respondents indicate they are using traditional file storage such as spreadsheets, PDFs, text files and other unordered file types, which suggests a high degree of manual effort is required to use this data. In fact, 36% say they are manually applying the threat intelligence they have collected.
- Alerting thresholds and lack of context make it difficult to hunt for threats. Thresholds must be set very low for a narrow set of indicators to test a hunting hypothesis, yet most alerting technologies overwhelm analysts with false positives and sometimes filter out true positives. Alerts also aren’t presented with any context, so it is difficult to prioritize and know where to focus attention.
- Most organizations staff threat hunting teams with incident response and/or SOC analysts which can be a good use of resources depending on the size of the network. Unfortunately, their efforts are almost always hampered by having to switch between applications. Only 6% of respondents say their hunters and analysts can work within one consolidated system for hunting and response, making them less productive and more prone to failure.
But there is a solution, as researchers find that “many challenges for threat hunting and SOC teams can be met by using and customizing SOAR platforms.” ThreatQuotient’s approach to SOAR platforms and threat intelligence management, makes the ThreatQ platform ideally suited to help threat hunting teams accelerate hunting and improve effectiveness. Here’s how:At ThreatQuotient, we believe you cannot defend against what you do not understand, so threat intelligence is critical to ensure a SOAR platform is using the right data to execute the right actions. We have deep roots in threat intelligence management with our ThreatQ platform, but we also encompass SOAR capabilities within our solutions. To begin with, we aggregate data in the ThreatQ Threat Library and automatically normalize it for analysis and prioritization. This includes events and associated indicators from inside your environment, for example from your SIEM system, log management repository, case management system, endpoint detection and response (EDR) tools and other security infrastructure. You can augment and enrich this data automatically with threat data from the multiple sources you subscribe to – commercial, open source, government, industry, existing security vendors – as well as integrating quickly and fully with new frameworks that emerge, like MITRE ATT&CK.
Our automated scoring framework provides you with the ability to customize global risk scores, filtering out what’s noise for you and prioritizing intelligence based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes. To ensure you remain focused on high-priority threats and to reduce false positives, the self-tuning Threat Library automatically learns, recalculates and reevaluates priorities based on a continuous flow of new data and context into ThreatQ.
ThreatQ Investigations provides a shared environment that can include threat hunters, incident handlers and SOC analysts. Without having to switch between tools, security staff can quickly assess what other research has been performed and by whom, what tasks need to be assigned, and how all the data relates. Through collaboration and documentation, ThreatQ optimizes SOAR workflows so that team members are able to focus on advanced threats and make better decisions. As a SOAR platform, ThreatQ also integrates with your security controls so you can send the right data back to the right tools across your ecosystem to accelerate response.
In its fifth year, the survey finds that 85% of organizations now have threat hunting operations, up from 75% in 2018. With this growth, the technologies and tools available to threat hunters have also matured – a welcomed trend to help drive successful operations.
And if you haven’t had a chance, download your copy of the SANS 2020 Threat Hunting Survey today and see how your threat hunting program compares to your peers’.