30 Jul The Important Distinction between Threat Hunting and “True” Threat Hunting
Is threat hunting any different than “true” threat hunting?
It is if you can’t get started right away. There is a big difference between a threat hunting technology and a threat hunting solution. That’s something security leaders should thoroughly understand when evaluating options.
With some exceptions (which we’ll get to in a moment) you often can’t just take your shiny new tool out-of-the-box and start hunting threats with it. Instead, the technologies to do this tend to come in pieces for collecting, storing, indexing, querying, analyzing and visualizing the data that enables threat hunting.
As a result, enterprises that set out to buy a threat hunting tool can find themselves engaged in a tedious process of designing, acquiring, learning and integrating many technologies into a single comprehensive threat hunting environment.
This process can last months, and maybe even years, and can put security teams in the unenviable position of spending more time building a threat hunting IT system than actually securing their networks.
Let us explain.
If you read some of the descriptions solution providers put forth about threat hunting, you would have good reason to conclude, that if you bought that product today, you’d be able to start threat hunting right away. The truth is you can’t because there are usually many other parts that you also need.
What parts? Here are some of the foundational pieces:
- Sensors to collect data;
- A repository to manage and index the data;
- Query tools to explore the data;
- Analytical tools to process the data; and
- Visualization tools to illustrate trends and anomalies.
But just buying those pieces isn’t enough either. This is because there are planning and implementation duties that are necessary to get it right. They have to be compatible with each other and work together seamlessly towards a well-defined outcome. Typically, those duties include:
- Designing the threat hunting environment – systems, schema and technology selections;
- Implementation – deployment, configuration, integration and analyst training; and
- Systems management – the routine administration of the tools and data.
All that has to be done before getting to the objective of using the system to actually threat hunt – and by extension, the ultimate goal of protecting the business from threats that may have evaded automated detection.
That’s all fine and well if your enterprise is endowed with the people, budget and time to build your own threat hunting system, but most aren’t. This is one of the reasons why Bricata is so different.
True Threat Hunting, Out of the Box
We’ve taken to calling it true threat hunting because it truly does provide the capability to start threat hunting immediately – sometimes within minutes of setting it up.
How? The product ships with all of the parts described above. We’ve already gone through the process, so security organizations don’t have to. The only thing that remains is the act of initializing the system with your own network’s data and then hunting down threats.
It’s important to underscore that the Bricata platform is not just a collection of parts, but a carefully designed and integrated platform that enables the threat hunting repository to auto-configure, continuously populate, and self-manage.
So, the term true threat hunting is our way of conveying that Bricata is an entirely ready-to-go, end-to-end threat hunting environment that delivers threat hunting out-of-the-box. You can start threat hunting on day one. That’s true threat hunting and it is a big difference.
If you enjoyed this post, you might also like:
6 Ways Modern Threat Detection Keeps the Enterprise Ahead of Cybersecurity Trends