Threat hunting isn’t important to businesses, it’s a imperative. I can say this with confidence as a practitioner who has worked in security analysis, threat intelligence, SOC management, security policy and of course threat hunting in government and the private sector over the past 15 years. Throughout my journey, I’ve discovered that too many companies think that proactive security such as threat hunting is a “nice to have” thing and that true proactive security is unattainable.

This reality has only been reinforced now that I am on the selling side. I have the privilege of sitting in on meetings with potential clients, and I keep hearing SOC leadership and CISOs say that threat hunting is not something they care about. More surprisingly, I also hear a lot of pessimism around the concept of “proactive security”, with many believing it to be a pipe dream instead of being in their pipeline to deliver.

I’m here to tell you that not only does every industry need to start focusing on building or scaling their proactive security, they need to start doing it today. There is good news, however, and that is that building is entirely doable for organizations of all sizes, maturities, and industries.

The reality of the “threat landscape”

“Threat landscape” is a term often used carelessly in cybersecurity marketing circles that refers to all existing cyber threats that could impact an organization. The simple fact for most companies, however, is that to continue doing business in cyberspace, the threat landscape is not just a buzzword, it is something that must be fought, defended and processed, and the stats keep this in mind: there are now more than a billion known malware programs and variants, and more than 560,000 new pieces of malware are detected every day. The upshot of this rather staggering number is that data breaches hit a new high last year with 1,862 breaches identified, representing a 68% increase from 2020 and surpassing the previous record set in 2017.

Proactive security reverses the script on adversaries

The goal of most enterprise security programs is to mitigate the risks associated with this threat landscape – such as ransomware, nation-state adversaries, malware, vulnerabilities, and exploits. The disturbing reality, however, is that most of these threats begin life as something entirely undetectable, even by the most sophisticated modern security tools (and by extension the security programs and analysts who monitor them). This is because security tools can only detect threats that they to know on. This means that all but the most disconnected businesses are extremely vulnerable when a new threat emerges. Threat Hunting, however, flips the script on this paradigm and assumes that something is past. Hunting teams, or highly specialized analysts, proactively scan your environment for suspicious or malicious behavior indicative of users and programs that may negate a compromise. Once something is identified, they triage, investigate and respond.

But the benefits of threat hunting don’t stop there. When these hunting teams discover a previously unknown threat, they don’t just respond to it. They also build contents which is then deployed into existing security tools to ensure, in the future, that if this threat re-enters the environment, traditional security teams will be able to respond accordingly. Threat hunting does not only exist to hunt unknown threats, but they are also directly responsible for proactively improving the overall security posture of enterprises.

To address the explosive growth seen in the threat landscape today, security and business leaders must seek to take a proactive approach to security, leveraging practices such as threat hunting , to stay ahead of these emerging threats and complement their more traditional defenses.

With proactive security, anyone can hunt threats

How to start threat hunting? The practice of threat hunting is often seen as intimidating to organizations. Indeed, the perception is that threat hunting requires resources and security maturity unattainable for all but the largest enterprises. This may be true for the highly sophisticated fighter teams found in various military and intelligence agencies, but even a single, well-equipped fighter can begin the practice of proactive security for a company.

And by establishing a solid foundation of proactive security, a business can easily see the same benefits of threat hunting as much larger teams in government agencies, with just a fraction of the resources. One caveat, however, is that to establish this foundation, it’s important to equip your security teams to be successful in putting visibility first.

You can only hunt what you can see

It is essential to create visibility – at the network level and endpoint levels – primarily to ensure the success of proactive security. Indeed, a hunter is only as good as the data he has to hunt.

One of the key elements of this visibility is at the terminal level. By using tools such as endpoint detection and response (EDR) to record what is happening on an endpoint, you enable a threat hunter to observe user and code behaviors on that system. This allows them to establish a baseline of behavior on a given host, segment, and network and also to identify deviations from that baseline. It is in these deviations that these undetectable threats generally hide.

Another critical element for visibility is at the network level. Some may wonder why network traffic from NDR type tools matters when EDR records everything that happens on a system? The answer is that not all nodes on your network will have EDR installed. Things like guest networks, BYOD, IOT, ICS, and even a coffee machine can be networked, and if they reside on a network, they can be attacked. Network visibility allows hunters to identify suspicious or malicious communication patterns that could be missed by host-based tools like EDR. It should also be identified that while north-south visibility is essential, east-west visibility (including between network segments) is also very valuable, but can be more expensive due to the amount of storage it entails. can occupy.

By ensuring that your security teams have maximum visibility into the endpoints and networks in your environment, you maximize the chances of success for your security teams in general, but more specifically for your threat hunters.

Proactive security is a long-term strategy

While building a threat hunting capability – even if it’s just a single hunter – is a big step towards proactive security, it’s crucial to understand that threat hunting is a “long-term strategy”. Your hunting party may discover something on their first hunt, but like the real hunt, there will be many hunts where hunters return empty-handed. However, these cases should not be seen as failures, but rather as confirmation that an organization has not been affected by the behaviors sought. Again.

It is also important to realize that the value of threat hunting lies not just in a single hunt, but in iterative and repeatable hunts conducted at regular intervals. Even an unsuccessful search must be conducted continuously over the course of a year to provide regular and ongoing validation that an organization has not been impacted. This process can reassure business and security decision makers, especially during times of heightened concern. New emerging threats are starting to make the rounds in the news.

You don’t have to hunt solo

Proactive security, especially threat hunting, can seem out of reach, especially if you’re a medium to large organization with only a small team (or even a single threat hunter). A way to scale a small team, without adding additional expensive resources, to allow them to be more efficient and focus on the hunt itself and not pre-hunting work like research, testing and the validation. This can be done by partnering with a trusted provider to provide the hunt content that powers the individual hunts your team runs.

A vendor whose threat hunters are highly experienced and aligned with your organization’s hunting goals can deliver threat hunting content that is both human-created and validated. This can allow your threat hunters to execute more hunts faster, which can act as a force multiplier for your hunting team.

This is how organizations of any size and maturity can replicate the threat hunting practices of much larger teams. With the right foundation, even smaller and less mature teams can achieve the goal of proactive security.

The post Proactive Security and Why Every Business Needs It… Yesterday appeared first on Cyborg Security.

*** This is a syndicated blog from Cyborg Security’s Security Bloggers Network written by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/blog/proactive-security-and-why-every-business-needs-it-yesterday/


Source link

Previous

Stuart Rose says companies need a quick successor to 'lame duck' PM Johnson | Company

Next

TNT fishing lures win PitchIt! 2022 Minto Business Plan Competition

Check Also