Threat hunting is becoming a critical role in defeating bad actors, according to a report from an IT security company, titled Disrupting the Disruptors, Art or Science? It also covers the evolution of the security operations centre (SOC). Looking at security teams through four levels of development—minimal, procedural, innovative and leading, the report from McAfee finds that advanced SOCs devote 50 percent more time than their counterparts to actual threat hunting.
A threat hunter is defined as a professional member of the security team tasked with examining cyber-threats using clues, hypotheses and experience from years of researching cyber-criminals, and is incredibly valuable to the investigation process. Per the survey, companies are investing in and gaining different levels of results from both tools and structured processes as they integrate “threat hunting” activities into the core security operations centre.
As the focus on professional threat hunters and automated technology increases, a more effective operations model for identifying, mitigating and preventing cyberthreats has emerged: human-machine teaming. In fact, leading threat hunting organisations are using this method in the threat investigation process at more than double the rate of organisations at the minimal level (75 percent compared to 31 percent), according to the IT firm.
Raja Patel, vice president and general manager, Corporate Security Products, McAfee said: “Organisations must design a plan knowing they will be attacked by cybercriminals. Threat hunters are enormously valuable as part of that plan to regain the advantage from those trying to disrupt business, but only when they are efficient can they be successful. It takes both the threat hunter and innovative technology to build a strong human-machine teaming strategy that keeps cyber threats at bay.”
Findings
Sandbox is the number one tool for first and second line SOC analysts, where higher level roles relied first on advanced malware analytics and open source. Other standard tools include SIEM, Endpoint Detection and Response, and User Behaviour Analytics, and all of these were targets for automation. On average, seventy-one percent of the most advanced SOCs closed incident investigations in less than a week and 37 percent closed threat investigations in less than 24 hours.
For more on threat hunting, including the report and executive summary, visit https://www.mcafee.com/soc-evolution.
