How ThreatQ Helps Bridge the Threat Hunting Skills Gap
Liz Bush
If you’re not familiar with the TAG Cyber Security Annual, you should be! It’s an interesting read with a different approach from many other cybersecurity reports out there. Now in its fifth year, the 2021 edition offers a discussion of market trends and industry insights from TAG Cyber analysts, as well as interviews with industry luminaries – many names and companies you’ll recognize. It also includes the annual outlook for the TAG Cyber Controls, used by cyber professionals to make sense of the many different types of protections available to prevent, detect or mitigate cyber risk. The controls (now up to 54) help security teams structure their work and determine what elements they should consider including as part of their security architecture.
ThreatQuotient co-founder Ryan Trost is featured among the industry experts interviewed this year. Ryan discusses what threat intelligence means today and how to tackle the challenge of finding the right data to assess business threats. Ryan also talks about threat hunting and how the term can mean different things to different people. Based on his experience, Ryan defines threat hunting as the process to discover, pursue and mitigate an adversarial foothold within an organization without the initial trigger of a SIEM alert or notification. He notes that while most security teams have some sort of threat hunting program in place, many are staffed by security analysts and incident responders. In fact, recent research finds that the adoption of threat hunting has jumped from 75% of organizations in 2018 to 85% of organizations in 2020, yet only 19% of these organizations have full-time threat hunters.
Depending on the size and scope of the network, the “shared resource” approach can work. That’s where most organizations start, because implementing a dedicated threat hunting program can be a tricky process. Full-time threat hunters are senior, well-seasoned analysts with experience identifying suspicious activity within an organization, and these types of resources can be hard to find.
The ThreatQ Platform can help bridge the threat hunting skills gap. It provides a single, collaborative environment that can include threat hunters, incident handlers, threat intelligence analysts and SOC analysts. The platform automatically aggregates, deduplicates, normalizes, correlates and prioritizes external and internal threat and event data to build a broader picture of what is happening within an organization’s unique ecosystem. Security staff can gain and share a deeper understanding of relevant activity and of which high-priority items to hunt for within the environment. They can conduct investigations collaboratively to search for and compare indicators across infrastructure and find matches between high-risk indicators and internal log data that indicate possible connections. Once a match is discovered, they can slowly cast the net wider and identify second-tier indicators and attributes (e.g., malware associations, adversary relationships, similar event indicators). From there, they can export indicators to proactively block similar attacks in the future and adjust policies to strengthen defenses.
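To make the workflow above concrete, here is a small added illustration of the aggregate, deduplicate, normalize, prioritize, match and pivot steps. It is not ThreatQ code; the feed records, log lines, source scores and the “malware” field are all constructed for the example.

```python
"""Toy threat-intel hunting pipeline (added example, not ThreatQ's own code)."""

# Constructed feed records: the same indicator can arrive from several sources
# in different shapes (defanged, mixed case). Scores are assumed source confidence.
FEED = [
    {"value": "hxxp://Evil-Domain[.]example/payload", "type": "url",
     "source": "feedA", "score": 80, "malware": "LoaderX"},
    {"value": "http://evil-domain.example/payload", "type": "url",
     "source": "feedB", "score": 60, "malware": "LoaderX"},
    {"value": "198.51.100.23", "type": "ip",
     "source": "feedA", "score": 90, "malware": "LoaderX"},
    {"value": "203.0.113.7", "type": "ip",
     "source": "feedB", "score": 20, "malware": "Other"},
]

# Constructed internal proxy/firewall log lines.
LOGS = [
    "2021-03-01T10:00:01 host=ws12 GET http://evil-domain.example/payload 200",
    "2021-03-01T10:00:05 host=ws12 dst=198.51.100.23 dport=443 allow",
    "2021-03-01T10:01:00 host=ws07 GET http://intranet.example/index 200",
]

def normalize(value):
    """Refang and lowercase so duplicates from different feeds collapse to one key."""
    return value.strip().lower().replace("hxxp", "http").replace("[.]", ".")

def aggregate(feed):
    """Deduplicate by normalized value; keep the highest score and the union of sources/malware."""
    merged = {}
    for rec in feed:
        key = normalize(rec["value"])
        entry = merged.setdefault(key, {"type": rec["type"], "score": 0,
                                        "sources": set(), "malware": set()})
        entry["score"] = max(entry["score"], rec["score"])
        entry["sources"].add(rec["source"])
        entry["malware"].add(rec["malware"])
    return merged

def hunt(indicators, logs, min_score=50):
    """Return (indicator, log line) pairs for high-priority indicators seen in the logs.
    Substring matching is a simplification; a real search would tokenize fields."""
    return [(ioc, line) for ioc, meta in indicators.items()
            if meta["score"] >= min_score
            for line in logs if ioc in line.lower()]

def pivot(indicators, ioc):
    """Second tier: other indicators sharing a malware association with a confirmed hit."""
    fam = indicators[ioc]["malware"]
    return sorted(k for k, m in indicators.items() if k != ioc and m["malware"] & fam)
```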
Threat hunting is just one of the many use cases the ThreatQ Platform supports. Customers also use the platform for incident response, spear phishing, alert triage, vulnerability management and threat intelligence management. Explore these use cases and contact us to request a live demo.