Threat hunting has become a fundamental security process within organizations. It targets threats that might have been missed by traditional detection methods such as firewalls, intrusion detection systems, malware sandboxes and SIEMs. This article covers the various considerations that need to be taken into account when outsourcing a threat-hunting program or developing one internally.
Internal vs. External Threat Hunting
Internal threat hunting differs from external threat hunting in that it is an internally managed function within the organization. The security department constitutes an incident response (IR) team that is responsible for handling and hunting threats that might plague the organization. Normally, a balance must be struck between the human skill set and the detection tools to allow for an effective team.
Organizations that lack a threat-hunting function might seek to outsource it to cybersecurity companies that offer such services. This externally managed function is what is known as external threat hunting. Internal and external threat hunting each have pros and cons that should be discussed.
Pros of an Internal Threat-Hunting Function
Having your own threat-hunting function within your organization has several pros to it. They include:
Compared with outsourcing threat-hunting functions to a third-party cybersecurity company, assembling an internal threat-hunting team means you decide the size of the team to work with and the tools it needs to use. If you like, you can gather these assets at a lower cost.
Ability to streamline
Internal hunting teams are normally compact in size. This allows you to streamline the hunting process by defining the datasets that are most critical and thus require the most attention, so your team can work efficiently and effectively.
Reduced infection dwell time
Hunting allows you to reduce the amount of time an infection can dwell within your organization undetected, effectively preventing an otherwise catastrophic breach.
Hardened attack surface
Hunting allows you (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/gdgZN70GBvo/