Threat hunting is the process of proactively looking for anomalies within a company’s network or devices and discovering if they represent the trails left by stealthy attackers. This is usually done by having a team of threat hunters, the cybersecurity experts that excel in areas such as malware analysis, pattern recognition, data forensics and data analytics.
While there is no doubt that the hunter is the essential factor in finding threats, it is important to understand that the amount of data that must be collected and analyzed makes it impossible to have an effective process without the help of technology. Threat hunting is done in a continuous loop, where the hunter formulates a hypothesis (e.g. is one of our endpoints remotely controlled by an unknown agent?) and tries to prove it by finding behavior anomalies on the network or existing devices.
While data collection and normalization were already done by SIEM solutions, threat-hunting platforms have advanced to the point where it is possible to combine machine-learning techniques and threat intelligence to automate a considerable part of the process, allowing experts to maximize their potential, making sure no threat remains undetected.
But which is the best solution for your company? Here are five well-known commercial threat-hunting platforms that will help you get the most out of your cyberthreat analysts.
One of the most mature threat-hunting platforms available, Sqrrl combines techniques such as link analysis, user and entity behavior analytics (UEBA), risk scoring and machine learning, creating an interactive visual chart that allows analysts to explore entities and their relationships. This makes it a simple yet powerful tool for hunters.
Sqrrl can collect data from an internal SIEM solution and outside sources, such as a threat intelligence feed. It does not install an agent on endpoints, but rather (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Claudio Dodt. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/EEkjdKcjly8/