“Threat hunting” refers to the process of proactively and repeatedly searching through networks to detect and isolate advanced threats that evade existing security solutions. Such solutions may include firewalls, intrusion detection systems (IDS), malware sandboxes and SIEMs. Normally, existing security solutions trigger an investigation only after an incident or alert has occurred. With threat hunting, by contrast, organizations hire skilled defenders who use advanced tools to find and mitigate threats that are already hidden in the environment. In this article, we discuss how threat hunting can be integrated with security operations center (SOC) operations to yield maximum security for your organization.
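As an added illustration of the distinction drawn above between reactive alerting and proactive hunting (this is example code written for this page, not code from the original article or from InfoSec Resources), the following Python runs a signature/threshold style alert rule and a hypothesis-driven hunt over the same constructed authentication log lines. The log format, the blocklist, the thresholds and the sample events are all assumptions made for the example.

```python
"""Reactive alerting versus hypothesis-driven hunting over constructed auth logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article). Each line is:
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2018-06-01T08:00:05 10.0.0.5 alice OK
2018-06-01T08:02:11 10.0.0.5 alice OK
2018-06-01T08:10:00 192.0.2.44 alice FAIL
2018-06-01T08:41:00 192.0.2.44 bob FAIL
2018-06-01T09:12:00 192.0.2.44 carol FAIL
2018-06-01T09:45:00 192.0.2.44 dave FAIL
2018-06-01T10:20:00 192.0.2.44 erin FAIL
2018-06-01T10:55:00 192.0.2.44 frank FAIL
2018-06-01T11:30:00 192.0.2.44 admin OK
2018-06-01T11:31:00 10.0.0.7 bob OK
"""

# Hypothetical blocklist; it does not contain the slow source in the sample.
KNOWN_BAD_IPS = {"198.51.100.9"}


def parse_log(text):
    """Turn the raw lines into event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return events


def reactive_alerts(events, bad_ips=KNOWN_BAD_IPS, burst_threshold=5, window_seconds=60):
    """Existing-control style: alert on a known-bad IP, or on a burst of
    >= burst_threshold failures from one IP inside window_seconds."""
    alerts = []
    fails = defaultdict(list)
    for e in events:
        if e["ip"] in bad_ips:
            alerts.append(("blocklist", e["ip"]))
        if not e["ok"]:
            fails[e["ip"]].append(e["ts"])
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= burst_threshold:
                alerts.append(("burst", ip))
                break
    return alerts


def hunt_low_and_slow(events, min_distinct_users=5, max_rate_per_hour=4):
    """Hunt hypothesis: a single source failing against many distinct accounts
    slowly enough to stay under the burst rule, then eventually succeeding.
    Returns (ip, number_of_distinct_failed_users, users_that_later_succeeded)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failed_users = {e["user"] for e in evs if not e["ok"]}
        if len(failed_users) < min_distinct_users:
            continue
        fail_times = sorted(e["ts"] for e in evs if not e["ok"])
        span_hours = (fail_times[-1] - fail_times[0]).total_seconds() / 3600
        rate = len(fail_times) / span_hours if span_hours > 0 else float("inf")
        if rate > max_rate_per_hour:
            continue  # fast bursts are already the reactive rule's job
        succeeded = sorted(e["user"] for e in evs if e["ok"])
        findings.append((ip, len(failed_users), succeeded))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("reactive alerts:", reactive_alerts(evs))   # nothing fires
    print("hunt findings:", hunt_low_and_slow(evs))   # the slow source surfaces
```

On the constructed sample the reactive rule returns nothing, because the source is not on the blocklist and its failures are half an hour apart, while the hunt surfaces it from the combination of many distinct failed accounts, a low rate, and a later success. The point of the contrast is that the hunt starts from a hypothesis about attacker behaviour rather than from an alert.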
An Overview of the Security Landscape
According to a 2018 Threat Hunting Report by Crowd Research Partners, threat frequency and severity are increasing. The report compiles data from a survey of security personnel within various organizations. Of the respondents, 52% say threats have at least doubled in the past year.
Based on this trend, we can see that the number of advanced and emerging threats will continue to outpace the capabilities of security personnel within organizations. In the same report, 76% of respondents reported feeling that not enough time is spent on searching for emerging threats within their organizations’ SOCs. When asked why they have not implemented a threat-hunting function, 45% cite lack of budget as being the main problem.
A third of the total respondents, however, feel more confident in their security team’s ability to quickly uncover advanced attacks. Compared with previous reports, this shows that threat hunting is gaining momentum.
Another 2017 threat-hunting survey of 306 IT and security professionals indicated that at many organizations the process is still new and poorly defined. Hunting programs are more often used in financial services, high tech, and military or government institutions, as well as in companies that have previously been attacked.
The statistics above
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/QVFA0lKsO6k/