A cyberattack can cause an organization to grind to a halt. Operations stop, data and assets are lost, and the average cost is now as high as $9.4 million. This is why organizations that want to protect their data, assets and reputation need a way to stop threats before they occur. A well-resourced and funded security team with a well-defined threat-hunting program can proactively monitor for malicious activity, find vulnerabilities and put their organizations on the offensive.
But as effective as security teams want to be, many lack the tools, training and resources to lead an effective threat-hunting program. According to our newest report on the “Voice of a Threat Hunter,” only 41% of security practitioners think their threat-hunting program is “very effective,” leaving the rest saying it’s only somewhat effective or not effective at all.
How can security teams stay ahead of threats and make their efforts more impactful? Consider the following best practices for strengthening your intelligence sharing, team skills development and data collection.
Proactive threat hunting relies on having the right information to take actionable steps to prevent attacks. Throughout our report, respondents said that having more data, and a wider variety of data types, would help improve their threat-hunting program. Security teams can expand their strategies for sharing intelligence internally by adopting the following best practices.
First, consider the confidentiality and privacy of the information you’re sharing, and that it adheres to your organization’s security policies and any laws and regulations. Teams should also ensure that only those who need to know the information have access, and should classify the information based on its level of sensitivity.
As you share intelligence with your internal teams, only share information that is relevant and can be acted upon by the team it’s shared with — don’t overwhelm teams with all your collected data. Consider what format or medium the information needs to be shared in as well. This includes the size and complexity of the data, the audience it’s being shared with, and whether it needs real-time or historical analysis.
Sharing information internally to strengthen your threat-hunting program also means encouraging open communication so that information can be more effectively shared, and building trust as you do so. Finally, ask for feedback from the recipients and stakeholders on whether the information you shared was as helpful and actionable as they needed, and so that you can make improvements going forward.
One of the best resources a security team can have for threat hunting is a well-trained team, and respondents in our report say that trained and experienced threat-hunting analysts are what make a threat-hunting program effective. Security leaders can help develop their teams by investing in development programs to help close skills gaps, learn new technologies, or better understand modern tactics and trends. Offering continuous learning programs like regular training and workshops, attending industry conferences and participating in research initiatives can also help attract and retain top talent — especially considering that there are only 68 cybersecurity professionals per 100 job openings.
Help your team become more effective by leveraging automation and artificial intelligence in threat hunting as well. Not only can these tools help with more effective detection and response, but they can take repetitive, manual tasks off analyst to-do lists and free them up for more strategic and impactful tasks.
Make sure that you have methods in place to measure your threat-hunting program as well, so you can see areas of success and room for improvement. This can include tracking the number of threats detected, time to detection, time to response, and the impact of threat-hunting activities on the overall security posture of the organization. Not only can this help you identify areas of improvement, but having these numbers can help you communicate your threat-hunting program’s impact to the C-suite and board.
Finally, the top thing respondents want their threat-hunting program to have is more data to help them better understand their environment and the threats to it — having more network data is the top item they’d add to their program. Here are some best practices for helping gather the data you need to be more effective.
First, what are the data collection needs of your threat-hunting program? What type of data is required, and at what volume? What sources will you collect this data from? With those answers, evaluate your current infrastructure for gaps in the sources you currently use for threat intelligence, including network forensic detection, internet NetFlow telemetry and full packet captures.
Once you identify areas where you need to shore up your data collection, invest in tools that can collect, synthesize, normalize and store your data, and look into data lake capabilities as well. Be sure to integrate those tools into your SOC so that those who need the data have access, as studies have found that typically only 9% of SOCs centralize their data.
Another thing that can help with your data collection efforts is to have a clear data retention policy, which ensures that data is being stored and maintained correctly and that it’s being retained long enough to support the threat-hunting program. Finally, continuously evaluate your data collection and storage approach, and make changes as necessary to stay relevant, accurate and applicable.
With only 41% of security practitioners believing their threat-hunting program is very effective, now is the time to strengthen how you share intelligence across teams, how you develop your team’s skills, and how you can better collect data that gives you the actionable information you need. With malicious activity only on the increase, now’s the time to give your team the tools and skills they need to more effectively protect your organization going forward.