Is Your Threat Hunting Effective?
In this paper, we explore in more depth what exactly leads to the shortage of suitable personnel and how it affects security organizations' ability to run threat hunting teams. To grasp the impact of staffing challenges on threat hunting operations, we take a closer look at the metrics organizations use to measure threat hunting effectiveness.
We also explore whether and how security teams use threat intelligence to mitigate some of the adverse effects that a shortage of skilled threat hunters has on organizations. We focus on the features threat intelligence should exhibit to be useful rather than a nuisance.
Analysis of the survey results indicates that even though some form of threat hunting is in place in most organizations, there is no consensus on exactly what threat hunting should look like. In particular, we still see confusion about the daily tasks of SOC analysts versus the functions of threat hunters. The majority of our survey respondents rely heavily on tools such as SIEMs and endpoint detection and response (EDR) platforms. Even though both offer the capabilities needed to support an adequate threat hunting operation, they usually do not come with batteries included: the hunting workflows, hypotheses, and analyst expertise still have to be built on top of them. Many respondents asserted that hiring the right experts to build up and maintain advanced threat hunting is challenging. First, the demand for experienced threat hunters appears to outweigh the supply. The second challenge our respondents face is the quality of threat intelligence. Even though the majority of respondents consume some type of threat intelligence for their hunting operations, only one in three said they are highly satisfied with their sources.
The good news is that even though organizations face considerable challenges when introducing and running threat hunting operations, they still appear to benefit from them. Our results show that respondents are starting to put methodologies in place to measure the benefit of threat hunting. We believe that having these methodologies will lead to substantial improvements in threat hunting operations, because measuring leads to more specific requirement definitions. These definitions help shape threat hunting operations more precisely and make them more successful.
Begin your hunt, and download your copy of the SANS survey Is Your Threat Hunting Effective?