This post was originally published here by Luis Maldonado.
Today we are announcing an exciting new partnership with Deloitte in support of their Managed Threat Hunting Services. This partnership reflects our firm belief that threat hunting services will benefit organizations of all hunting maturity levels. As we work with security teams in a wide variety of industries, we are hearing increased interest and discussion around Threat Hunting-As-A-Service (THaaS). While a common driver for the interest has been a skills shortage, it’s becoming clearer that a service approach isn’t only for organizations with staffing constraints. These services can also benefit companies that are either growing a hunting practice or looking to sharpen the skills of existing hunters.
It is with this belief in mind that Sqrrl has developed a Threat Hunting Maturity Model. The model has 5 levels, and adopting THaaS enables your firm to quickly climb the Hunting Maturity Model.
The question you need to ask yourself is, “Is THaaS right for my organization?” Here are a few questions to answer to help you determine how a THaaS offering would help your organization.
Is your security team short-staffed?
For short-staffed organizations, evaluating THaaS as a means of implementing threat hunting is a great choice. THaaS providers can offer multiple deployment and management options in which they run a full hunt practice for you. The obvious benefit here is that you don’t need any hunters on staff to reap the benefits of the service. If you have some hunters but limited DevOps capacity, THaaS vendors can manage the operational aspects of the hunting platform, enabling hunters to focus on high-value hunting rather than ops tasks like data wrangling.
Is your organization trying to get started with Threat Hunting?
If your organization is just getting started with a funded hunt initiative, THaaS offerings can help you launch your hunt programs, establish hunting fundamentals, and mentor emerging threat hunters. Getting started is often bemoaned as one of the toughest parts of hunting, so employing a THaaS vendor to install and configure your hunting platform and provide packaged procedures and content can help you tackle this first hurdle. Once you’re up and running, the next step is to establish best practices, so THaaS training courses can help your team learn how to develop a hunting loop process, employ analytics, and integrate hunting into your existing SOC practices. As your hunters start to gain proficiency, THaaS mentoring services can ensure they are implementing best practices and are poised for growth.
Once established, maintaining and maturing a hunt practice will continue to give return on investment after each cycle. Hunt teams will improve the creativity of their hunts, the efficiency of their hunt cycles, and the quality of the content they develop throughout this process. At its core, hunting is about finding new ways of detecting incidents, i.e. continual improvement. Like any continual improvement process, threat hunting should be constantly evaluated, but doing so objectively can be challenging. This is another great opportunity for enlisting help from a THaaS provider.
THaaS vendors provide services, such as “hunting health checks”, which will examine your current practices, content, and results, then recommend areas of improvement based on techniques they’ve developed through working across multiple organizations. THaaS vendors can even provide templates of hunting content such as procedures, tools and analytics that can provide new ideas and opportunities for improvement.
If your organization is facing one or more of these challenges, it could make sense to move forward with managed threat hunting as a service:
- Talent pool shortages: the lack of available talent is preventing you from being able to find or retrain the experts you need to field a threat hunting team
- Organizational challenges: you may have difficulty gaining approval from your organization to get the people you need to build a threat hunting team
- Increasing complexity of detecting advanced threats: as malware becomes more sophisticated and harder to detect, preventing the loss of sensitive data becomes more difficult, which can threaten to overwhelm your security team.
We believe every organization should hunt but realize that it’s not a “one size fits all” endeavor. The good news is that hunt services can help, regardless of your size or level of maturity. Now more than ever threat hunting is accessible to you, so get out there and find some evil!