By David Monnier, Chief Evangelist, Team Cymru Fellow
It’s challenging to be on a security team these days. Organizations are expanding their cloud capabilities, yet 45% of breaches happen in the cloud. Most security teams receive over 500 security alerts per day. And it’s estimated that the average attack takes 212 days to detect.
Having a threat hunting program in order to detect and take action against malicious actors lurking in your environment is a necessity for security teams intent on being more proactive in keeping their organization safe. With the right tools, data, visibility, and training, security teams can be effective at preventing attacks before they start.
But what if they lack those tools, data, visibility, and training? Unfortunately many security teams today do, and in our recent report on the “Voice of a Threat Hunter,” we found that the majority of security teams deem their threat hunting program only somewhat effective, or not effective at all.
We’ve worked with a number of companies to strengthen their threat hunting programs over the years. Here are three challenges security teams face today, and steps you can take to strengthen your operations for a more effective tomorrow.
Challenge 1: Lack of threat hunting tools
Threat hunting analysts need the support of various tools and technologies in order to make them effective at finding malicious activity, patching vulnerabilities, and having the intelligence to respond to attacks.
However, security teams say that the biggest thing holding their threat hunting back is a lack of tools. Without tools to measure, benchmark, and analyze, security teams don’t have the data, insights, and visibility to truly understand the current state of what they’re trying to protect. Not having tools that offer automation means that security analysts are burning out handling manual, repetitive tasks each day as well.
Solution: The solution is adopting new tools (probably easier said than done, especially if you lack the budget for it). Threat hunters would benefit from tools for endpoint detection and response, tools that can better collect and store data, and tools that provide more visibility into their cloud environment. Additionally, since 88% of security teams have challenges with their current SIEM, SOCs need updated, more modern tools to provide a comprehensive look at their security stance and initiatives.
How will you know which tools will be beneficial for you? Start by evaluating the needs of your threat hunting program, like what type or scale of data you need, and which sources you need it from. Then look at your infrastructure to evaluate your sources and identify any gaps that need patching. As you evaluate new tools to bring into your organization, look at its functionality, how it integrates with your current tools, how well it can scale, its performance and usability. Also, take into consideration the reputation of the vendor, and any licensing and maintenance costs associated with adoption.
Challenge 2: Poorly understood and/or undocumented baseline activity
Security teams are also challenged by not having a full understanding of what their baseline activity is. Having a well-documented and well-understood baseline means that you know what “normal” is for your organization, and anything that doesn’t fall under “normal” needs to be investigated.
By not having an understood baseline, the organization doesn’t have enough visibility into their environments or isn’t collecting enough intelligence to have a firm sense of its state. Also, not having a baseline for normal means that analysts can’t gauge what behavior is acceptable and what’s not, leaving the organization vulnerable to malicious activity being assumed as standard.
Solution: Knowing what your baseline activity is starts by having the data over time to tell you what normal activity should look like in your organization. This can be accomplished by having the right tools and technologies in place to give you visibility into your environment, and to collect the right data needed from endpoint sources that can give you more insight into who is accessing your system.
Expanding past just knowing what “normal” looks like, security teams can benefit from having standardized policies and protocols that define not only things like configuration settings and identity and access management across the organization, but defines the response to suspicious activity as well. This is especially key considering that 35% of security practitioners in our report attribute the effectiveness of their threat hunting program to having formalized processes and procedures for conducting threat hunts.
Challenge 3: No executive-level support of threat hunt program
Finally, many security teams say they lack support from leadership around their threat hunting program. C-suite and board executives want to make sure that the organization is safe and protected, but they likely don’t have the understanding to comprehend what a threat hunting program is and why it’s necessary.
Similarly, security team leaders know very well the actions they take on a daily basis to keep the organization safe, but don’t often have simple answers to questions the board or C-suite may ask. Or they’re not sharing documentation about their work with their C-suite, which is happening in 56% of companies. Ultimately, this can lead to a disconnect that may impact organizational and financial support of the security team.
Solution: The solution here is to focus on improving communication, and practicing how to communicate security initiatives and successes in simplified terms, and doing away with security jargon. Don’t just give data about your security efforts, but write up in executive friendly format about threats that were uncovered and what their impact would have been on the company if left undetected. Ideally you’re already measuring your security efforts, and those metrics can help tell the story of your security efforts as well.
Expanding and Strengthening Your Threat Hunting Program
Security teams want to stop threats before they become an attack, and want to proactive protect their organization, but too often they’re lacking the tools, intelligence, training, and support to effectively do so. Let 2023 be the year your security team strengthens and expands its threat hunting program.
ABOUT DAVID MONNIER
David Monnier is CIO, Chief Evangelist, and Fellow at Team Cymru who has 20+ yrs experience in cyber intelligence and has presented keynote insights more than 100 times in over 30 countries.
[Image by DCStudio on Freepik]
