Time to get proactive about threat hunting
When Arnie Lopez of McAfee thinks about the many challenges that threat hunters face nowadays, trust him when he says that he feels their pain. Early in his career, he was a Security Engineer in a SOC who scrambled into action upon receiving the proverbial midnight call about an incident.
The system he was part of wasn’t perfect as they always were one step behind their adversaries. Still, they still held the line by deploying an assortment of security technologies to minimize any damage. Enterprises essentially adopted a reactive “whack-a-mole” approach, where defenders would address one-off vulnerabilities as they popped up. But we face a new cyber security landscape that makes it clear we need to adopt a new, more proactive approach to threat hunting.
Are we a target?
In the past, cyber security was generally treated as an afterthought by senior management. No longer. Company boards are finely attuned to the grave challenge that cyber security poses to their businesses. While boards are willing to make cyber security investments, they also want to make sure they’re getting the maximum return from investments in the tools that CISOs say they need.
However, they’re not going to be patient if their cyber security strategy still rests upon waiting for the next phishing email to infect the network before defenders start to swing into action. Enterprises don’t have the luxury, especially not in the current threat landscape where they are being targeted by cohorts of increasingly sophisticated attackers. This has implications for everyone involved in the enterprise cyber security chain – from the CISO to the most junior analyst on the SOC team.
Threat hunters must be able to synthesize external threat feeds and data into useful context to know whether the organization is a target. And they also need actionable information to take steps that bolster the organization’s overall security posture. This can involve anything from ordering a general lockdown to tweaking policies that better secure endpoints or the web gateway.
Unfortunately, this proactive capacity still remains out of reach for most companies. Fewer than 20% of breaches are getting stopped in a timely fashion because threat hunters lack the tools that might supply the kind of timely, actionable context Andy is talking about.
Boards aren’t going to be patient if their threat hunting approach is the equivalent of calling in the firemen only after the blaze starts. The organization needs to know ahead of time what’s happening in their cyber neighbourhood, not after the fact.
The Rise of the Strategic Threat Hunter
That puts added pressure on threat hunters to get ahead of the problem before it’s a problem. As the average cost of data breaches continues to climb, too much is at risk by keeping the status quo. Remediation and resolution after the fact no longer cuts it. But if threat hunters know ahead of time who is being targeted and what endpoints are going to be impacted, that’s a game-changer. At that point, they can take proactive measures to protect their organizations.
At McAfee, their portfolio of technologies not only extends protection across all endpoints and the cloud but also streamlines the process of investigation. This allows threat hunters to drill down across vectors, industries and regions. They cross-correlate known campaigns using industry and geographical threat activity with an organization’s own endpoint security posture derived from its security telemetry.
That’s a major boon for threat hunters who now can glean accurate insights into the potential constellation of potential security risks. They no longer need to manually pick through disparate pieces of data, separating out false positives from real indications of trouble. So, instead of wasting precious time on busy work, they apply their talents to the task of finding the most effective way to deal with incoming threats.
Even on a good day, the threat hunter’s job is hard enough. Without the necessary information to help understand the bigger picture, it looks more like Mission Impossible. But with a recently announced, uniquely, proactive, MVISION Insights in hand, threat hunters can finally flip the script to take the fight to the bad guys. Remember: the best defense is always a good offense.