Organisations Are Identifying Cyber Threats More Effectively

The SANS Institute Threat Hunting Survey report concludes that organisations are beginning to find cyber threats more effectively.

However, whilst techniques, tools and the scope of threat hunting is expanding, the practice is still relatively poorly defined amongst IT professionals. Most organisations are still reacting to alerts and incidents, instead of proactively seeking out intruders.

Moving from reactive to proactive

The survey of 600 IT professionals globally reveals a change in mindset from the respondents of the 2017 survey — where many respondents indicated that their threat hunting methods centered completely on reactive indicators, instead of proactively seeking out threats, and identifying and counteracting adversaries who may already be in their environment.

The 2018 survey found that 43% of respondents now perform continuous and more accurate threat hunting operations, compared to just 35% in 2017.

According to SANS authors Rob M Lee and Rob T. Lee, this is a strong indicator that threat hunting is growing in scope and need. However, the survey also reveals that most organisations that are hunting, tend to be larger enterprises or those that have been heavily targeted in the past. At the same time, 37% of respondents are still only performing threat hunting if triggered by an event or an alarm.

“Threat hunting is part of nonstandard security operations. It’s a good combination of threat intelligence and hypothesis generation based on likely and probable locations of intrusions into a network. Once an organisation begins consuming threat intelligence, natural hunting begins to take place,” said Robert M. Lee, SANS certified instructor and co-author of the report.

Rob T. Lee, co-author and curriculum lead for digital forensic and incident response training, SANS Institute added: “One of the most notable highlights of the 2018 survey is that it demonstrates a more accurate use of threat hunting in many organisations. This change in threat hunting practices has increased since the last survey in 2017, which showed many organisations typically were hunting incorrectly through traditional intrusion detection. In this year’s survey, many more organisations were using proper threat intelligence to help identify the best locations inside an organisation’s network to look for anomalistic behaviours that are direct indicators of threats.”

The change in mindset regarding security is cause for hope.

As more organisations perform threat hunting, dwell time will shorten even more in the coming years. The survey indicates that dwell time currently averages above 90 days, but “as recently as 2013, the average dwell time was over six months. The decline since then shows that the adoption of threat hunting and stronger analytical techniques have had a significant impact on reducing the overall dwell time of adversaries across most networks.”

Other findings include:

• Tech versus people: Organisations are prioritising buying tools over developing a well-versed staff with the analytical skills to run effective threat hunting programs. 41% of respondents said technology was the most important area for threat hunting spend; just 30% said staff. This is interesting, as the majority of breaches are caused by human error. And, one of the main points to come out of Information Age’s Cyber Security Month, has related to the importance of security awareness training for all employees.

Automated threat hunting doesn’t exist, so while technology can help identify mistakes and achieve speed, it’s the skills of the human that will be able to minimise disruption and damage to the network.

• Weapon of choice: The top three skills valued in threat hunting team members included log analysis (83%), threat analysis and the use of threat intelligence (73%), and a knowledge of baseline network activity (72%). Threat intelligence and hunting must go hand in hand to work effectively. Intelligence is key to effective threat hunting and focusing on people and training are paramount for that effectiveness.

• Looking to the future: When asked what improvements would be required to improve threat hunting tools and capabilities, the most frequent responses were better investigative functions (59%), and more staff with investigative skills (also 59%). Both of the top options relate to the effectiveness and efficiency of staff, as well as an increasing need for skilled personnel.

Information Age:

You Might Also Read:

How to Measure Cybersecurity Success

« Reputational Damage & The Human Factor In Social Media
A Self-Flying AI-Powered Drone That Can Track You »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Webroot

Webroot

Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals around the globe.

Engage Black

Engage Black

Engage Black provides solutions for securing and protecting cryptographic keys, data at rest, and data in motion.

IS Decisions

IS Decisions

IS Decisions builds affordable and easy-to-use Access Management software solutions, allowing IT teams to effectively secure access to Active Directory infrastructures, SaaS apps and data within.

SafeCharge

SafeCharge

SafeCharge is a global provider of technology-based multi-channel payments services and risk management solutions for demanding businesses.

Asoftnet

Asoftnet

Asoftnet are specialists in IT security, IT forensics, IT service, websites, applications and mobile solutions.

totemo

totemo

Totemo offers solutions for the secure exchange of business information.

Zeguro

Zeguro

Zeguro provides complete cybersecurity risk assessment, mitigation and insurance, allowing you to easily manage your cyber risk.

Open Raven

Open Raven

Open Raven is the cloud native data security platform that prevents breaches driven by modern speed and sprawl. Restore full visibility and regain control within minutes, without agents.

Sylint

Sylint

Sylint is an internationally recognized cyber security and digital data forensics firm with extensive experience discretely addressing some of today’s biggest cyber breaches.

HARMAN International

HARMAN International

HARMAN designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide.

Avalanchio Technologies

Avalanchio Technologies

The Avalanchio platform gives you a complete solution to collect, process, and analyze security data to detect threats in real-time and analyze historical data using security DSL or SQL.

FCI

FCI

FCI is a NIST-Based Managed Security Service Provider (MSSP) offering Cybersecurity Compliance Enablement Technologies & Services to Financial Services organizations.

IBM Security

IBM Security

IBM manufactures and markets computer hardware, middleware and software, and offers hosting and consulting services in areas ranging from mainframe computers to nanotechnology.

TerraEagle

TerraEagle

Terraeagle is a boutique cyber security services company providing tailor-made solutions. Our core competency is in SOCaaS, MDRaaS & and Incident Response Retainer Services.

Sonar

Sonar

AI generated or written by humans, Sonar’s Clean Code Solutions cover your code quality needs, improving code reliability, maintainability, and security.

Tamnoon

Tamnoon

Tamnoon is the Managed Cloud Detection and Response platform that helps you turn CNAPP and CSPM alerts into action and fortify your cloud security posture.