Threat hunting has splashed on the scene out of necessity. There are no guarantees in cybersecurity and best practice has evolved from a focus on prevention to an exercise in risk management.
The statistics that have shepherded threat hunting into the conventional security vocabulary are staggering:
- The cost of a breach in the U.S. estimated at $7.35 million or nearly double the $3.62 million it costs globally, according to reporting by Kelly Sheridan for Dark Reading (citing data from IBM and the Ponemon Institute).
- Cybersecurity spending reached $80 billion in 2016 and is forecasted to exceed $1 trillion over the next five years, according to a compilation by Steve Morgan for CSO Online. By contrast, cyber crime will triple by 2021 and cost upwards of $6 trillion in damages (citing figures from Gartner Research).
If you believe these estimates, then the economics of protection-only cybersecurity thinking is not sustainable. As Adam Lashinsky and Jeff Roberts noted in Fortune, “a penny of offense can defeat a dollar’s worth of defense.”
This is why businesses are indeed fighting back and threat hunting is an increasingly important part of that fight. Here are 10 trends we see evolving in this area.
1. The business case for threat hunting.
Threat hunting requires a combination of human intuition and technology but justifying the headcount can be challenging. How many people do you need and how do you quantify the return?
Steve Zurier reported for TechTarget that most major business units at GE have between five and seven people hunting for threats full time. Business units in GE, like GE Aviation, which Mr. Zurier interviewed, are comparable to a large independent enterprise.
And the business case is straightforward. “If a single breach can cost up to $1 million,” he writes, “saving just one breach a year could pay for a $1 million investment in threat hunting.”
A million dollar per breach is probably conservative, as other studies have suggested.
2. Threat hunting provides tangible value.
Threat hunting is providing real benefits, according to Kyle Wilhoit, a security researcher in a contribution to Dark Reading. He cites survey data by his employer, Domain Tools, that found about one-quarter of respondents say they spend 26 hours a week on threat hunting.
More importantly, 78% of that group “find value in hunting – specifically drilling down on forensic clues from emails, such as domain name, IP address, or email address, which ideally leads to information that makes the organization more secure.”
3. Priority info requirements should drive hunting.
Good fundamentals in the security operation center will mitigate roughly 90% of attackers, according to Bob Stasio writing for Security Intelligence by IBM. It’s that remaining 10% of attackers that’s dangerous and expensive.
To avoid a wild goose chase, he suggests setting high-level priorities to drive specific actions. For example, if an organization wants to know if it’s “missing threats hiding in the noise,” that priority would drive more specific questions to be answered through hunting.
“When are many low-level alerts connected to the same indicator?” is one example of a specific question and “Where do new threat intelligence indicators match logs from 30 to 90 days prior?” is another.
4. Threat hunting is still largely an ad-hoc process.
If you want to get started with threat hunting, but are not sure where to begin, you are not alone, according to reporting by Kathleen Richards. She cites research from SANS that suggests threat hunting is driven by SOC alerts and the process falls short of standardization.
“Less than half of respondents, 45%, said their process is largely ad hoc and dependent on what they need; 27% indicated they have defined their own hunting methodology; and 16% do not do any threat hunting.”
Even so, the research shows organizations get markedly better with experience – an impressive “60% of those surveyed cited measurable security improvements.”
5. Attacks rise, but detection gets better.
Attacks are coming faster, through more vectors, and are increasingly less and less expensive to launch, according to research from Trustwave. The same report, however, provides indications that threat hunting is proving a counterbalance.
“There is good news in that companies are detecting intrusions more quickly,” according to Ian Barker writing for BetaNews. “The number of days from an intrusion to detection is down from 80.5 days to 49. Breaches are being contained faster too, with an average of 2.5 days from detection to containment.”
6. A system to capture lessons learned.
Threat hunters should “stockpile” what they learn in the process so they never need to “hunt for the same thing twice,” writes Brett Williams of Carbon Black, in a contribution to CSO Online (Australia). “The investment in threat hunting tools and personnel is mostly wasted if there isn’t a feedback loop incorporated that illuminates lessons learned,” he concludes.
“A threat hunter continues to stockpile his/her knowledge, skills and tools. With the right tools, each new query becomes another automatic threat detector, so the hunter slowly gains ground and denies attackers access to more and more attack surface.”
7. Security analytics must evolve to support threat hunting.
Threat hunting today is a process of correlating intuition, intelligence, and analytics, but security information and event management (SIEM) systems haven’t evolved with security needs, reports the aforementioned Ms. Sheridan in a separate article also citing Poneman data. While 76% of SIEM users say the tool is “strategically important,” just “48% were satisfied with the actionable intelligence” the analytics produced.
She interviews Anton Chuvakin, a vice president at Gartner, who forecasts “incremental improvements instead of major change” in the immediate future.
“The future of SIEM will likely be an evolution, and not a revolution,” he said, according to the article.
8. Better analytics but don’t forget the data.
She contributed to a report that the release says predicts “by 2020, advanced security analytics will be embedded in at least 75 percent of security products.”
The trend in analytics is certainly encouraging but don’t overlook the sensors that will feed that data. The analysis is only as good as the data – if the inputs are weak, the output will be weak as well, no matter how advanced the analytical platform.
9. Better context means better hunting.
The preponderance of alerts, “generated by a typical SIEM rule,” are false positive, says Kumar Saurabh of LogicHub writing for HelpNetSecurity. Each alert takes even “a skilled security analyst” between 15-45 minutes to investigate, he says and with hundreds of alerts every day, that quickly overwhelms analyst resources.
“For example, imagine an analytics tool that could identify cancer, but the only attribute data being fed is biological gender. The tool might conclude men are more likely to get cancer than women. However, if you start feeding the tool additional attributes – diet, exercise, tobacco use, and family history – the analysis gets a whole lot more accurate.”
Looking at the same threats from different vantage points gives analytics tools the data it needs to correlate – and direct hunting attention.
10. Threat hunting is an integral part of an overall protection plan.
Spending on detection will drive most of the growth in security spending over the next five years, according to Sid Deshpande, a principal research analyst at Gartner. However, the shift in emphasis from protection to detection should be viewed as an augmentation of layered cybersecurity posture, not a replacement for one.
“While this does not mean that prevention is unimportant or that chief information security officers (CISOs) are giving up on preventing security incidents, it sends a clear message that prevention is futile unless it is tied into a detection and response capability.”
What trends do you see emerging in threat hunting?
If you enjoy this post, you might also like: Threat Hunting: Summaries of 5 Recent Cybersecurity Studies
Photo: Pixabay (CC0 1.0)