3 Reasons the Next NIST Update Should Include Threat Hunting

This post was originally published here by SQRRL.

Are we giving our automated security tools too much credit for threat detection? Nearly half of all threats go undetected by automated security tools (44%), according to a recent LinkedIn poll of the 360,000+ member InfoSec Community. Here's why Sqrrl is arguing to add human-driven analysis to the list of "appropriate activities to identify the occurrence of a cybersecurity event".

Recently, the National Center for Standards and Technology (NIST) issued a call for revisions to its "Framework for Improving Critical Infrastructure Cybersecurity." Sqrrl responded to this call by contributing some critical guidelines to include human-driven analysis (commonly known as "threat hunting") in addition to automated threat detection systems.

Here are three reasons to include "threat hunting" under the Detect Function, which accounts for the timely discovery of cybersecurity events.

1) Automated Detection and Threat Hunting Aren't the Same Thing

First, threat hunting is inherently distinct from automated detection. Automated detection mechanisms, such as firewalls, IDS/IPS, SIEMs, and newer advanced analytic tools, continuously run in the background, firing off alerts using heuristics, matching algorithms, and statistical models. Threat hunting, on the other hand, is a human-driven process that is designed to look for the threats that automated systems miss. Hunters are continuously innovating and adapting to new attacker techniques, and often detect attacks that sit in the gaps of automated systems.

2) "Threat Hunting" Is Arguably the Biggest Trend in Cybersecurity

Second, threat hunting is one of the fastest-growing trends in cyber security and is rapidly becoming a security staple for SOCs. In a recent industry study, 86% of security professionals stated that their firms engaged in some form of threat hunting. This number is likely to continue to rise as the industry standardizes detection methodologies which best incorporate automated and human-driven detection. Additionally, a 2017 Information Security Community study found that 79% of information security staff feel that threat hunting should or will be their top priority in the upcoming year. Finally, Gartner (a top IT research and advisory firm) is currently developing research to solidify threat hunting as one of the key functions of a SOC.

3) "Threat Hunting" Is Proven to Reduce Attacker Dwell Time

Third, threat hunting is critical to improving the efficiency and operational effectiveness of SOCs. The value of manual hunts derives from the fact that automated detection systems cannot catch 100 percent of attacks. Instead of being focused on just one or two steps of the attack kill chain, hunters are able to identify intruders at any stage of an attack. Threat hunting allows analysts to mitigate the effect of breaches by identifying them before adversaries are able to act on their objectives. In a survey of 494 organizations conducted by the SANS Institute, 52% of respondents said that hunting techniques had found previously undetected threats in their enterprise. Additionally, 74% of respondents stated that threat hunting reduced their attack surfaces, and 59% stated that threat hunting improved the speed and accuracy of their responses to threats.

How Can You Help Ensure Human-driven Analysis Gets Recognized in NIST 2.0?


NIST will determine final revisions to its cybersecurity framework during its Cybersecurity Framework Workshop next month on May 16-17th.
