01 May 5 Useful Benchmarks on Threat Hunting for the Security Operations Center
Some 44% of emerging threats are missed by security tools. That’s according to a survey of 300 security and IT professionals by Cybersecurity Insiders published late last year.
Concerns like these are why 70% of survey respondents said detecting unknown threats that are already hiding inside the enterprise is the top challenge facing security operations centers (SOCs).
The possibility that existing tools are missing activity already inside is a clear demonstration that security needs new ways to identify threats. The survey suggests that sitting back and triaging alerts is not only reactive – but may mean security misses things all together.
This has propelled threat hunting to one of the top cybersecurity priorities today. The report defines threat hunting as the “manual and machine-assisted methods of proactively and iteratively searching through networks and datasets to find advanced persistent threats (APTs) that evade existing security defenses.”
The essence of threat hunting is a combination of data and human intuition – security has a hunch it wants to investigate. The idea is simple – proactively hunt for threats to reduce time-to-detection, dwell time and ultimately, protect the enterprise.
The survey yielded several interesting findings that serve as benchmarks for understanding the threat hunting trend – and how your organization stacks up to peers.
1) Threat hunting awareness grows
A conversation about courses of action in cybersecurity requires everyone to have a common lexicon. As such, the survey asked respondents how familiar they were with threat hunting:
- 18% said they were very knowledgeable
- 42% said they had some knowledge
- 25% were aware of the concept but not knowledgeable
- 15% were unfamiliar
That adds up to about a 60/40 split and it’s probably fair to say most security professionals have an idea what threat hunting is from a conceptual perspective.
2) Organizational maturity of SOCs
The maturity of any organization typically reflects how efficiently it operates. For example, in a mature organization, roles are well defined, processes are documented and some performance metrics are tracked to understand if things are improving – or declining.
Immature organizations usually don’t have much of this, and as a result, people run around like their hair is on fire. It’s hard to get ahead in that environment that is in a constant state of reaction.
So how mature are SOCs? Here’s how respondents say their SOC stacks up:
- 6% said cutting-edge and ahead of the curve
- 30% said advanced but not cutting-edge
- 37% said compliant but behind the curve
- 27% said their capabilities are limited
Improving the maturity of an SOC is important because it enables the organization to systematically dedicate resources to proactively hunt threats.
It’s worth noting here, that respondents tend to come from larger organizations. More than 60% reported working for employers with 500 or more employees – with a wide distribution all the way up to global businesses with tens of thousands of employees.
3) How do SOCs approach threat hunting
Where do organizations get started with threat hunting? The survey provided a good indication when it asked respondents what types of log data they use for forensic review. Here’s what respondents said:
- 70% Firewall/IPS denied traffic
- 65% Web and email filter traffic
- 60% DNS traffic
- 58% Firewall/IPS allowed traffic
- 41% Server traffic
- 40% Packet sniff/tcpdump
- 33% Windows domain logs
The challenge here is that usually there is a sizable volume of data to sift through and that takes a lot of time. It’s like looking for a needle in the proverbial haystack.
This is one area that Bricata is focused on improving with an intelligent approach to packet capture (PCAP) and backtracing. Bricata captures relevant raw data about packet transfers associated with security alerts on the internal network (think the lateral movement of malware).
This means when the IDS triggers an alert for unusual network activity such as a significant, but unexpected, software installation or disk erase operation, it will also begin PCAP targeting the packets in that stream of known interest. The packet data is immediately available to search through and hunt down threats.
It also provides backtracing which enables users to replay previous packet captures against the current set of threat intelligence. This helps identify incidents that would only be visible to new threat intelligence.
4) Time and resources spent on threat hunting
Security organizations have three resources they can allocate to any given task – people, time and tools. The survey produced benchmarks for all three.
The report said on average, about 14% percent of SOC personnel were involved in threat hunting tasks. Those people spend about 22% of their time proactively hunting threats compared to 43% of time spent reacting to threats.
This means the SOC spends about twice as much time reacting to alerts as they do searching for threats. Perhaps predictably, the vast majority of those survey (80%) felt this was not enough time.
While two-thirds of respondents said their organization does not currently use a threat hunting platform, it did provide some level of detail for comparison:
“When asked for an approximate amount their organization spent on security detection and defense technologies to identify and stop advanced threats, answers varied significantly. On average, respondents stated approximately $550,000 with some amounts ranging up to $6-8 million dollars.”
That said there is considerable enthusiasm for investments in threat hunting: “76% stated they would like to see their organization upgrade security capabilities by purchasing a threat hunting platform.”
5) The key benefits of threat hunting
The obvious benefit to the business is improved security and reduced risk. To that end, some 44% believe a threat hunting investment would yield a return on investment (ROI) within one year of purchase.
Given other studies have found the cost of a breach is an estimated $3.62 million globally – and $7.35 million in the U.S. – a single thwarted attacks would provide return several times over.
The study revealed specific benefits to the SOC – steps along the path of proactive protection. Those included the following:
- 72% said improving the detection of advanced threats
- 68% said creating new ways of finding threats
- 67% said discovering threats they could not discover otherwise
- 66% said reducing investigation time
This has important implications in the context of detection. Respondents to this survey said the average dwell time – the time it takes to detect attackers already through the defenses – was 40 days.
According to the report “without a threat hunting platform, the average time it took to ‘detect’ a threat was 38 days. By contrast, “with a threat hunting platform, the average time spent to ‘detect’ dropped to 15 days.”
* * *
The full report is available online from Cybersecurity Insiders and is well worth a read: 2017 Threat Hunting Report.
If you enjoyed this post, you might also like:
How Enhanced Network Metadata Resolution Facilitates Network Threat Hunting