Enterprises increasingly understand the benefits of proactively hunting for cyber threats lurking in their environments. According to a recent study by Cybersecurity Insiders, some 83% of security pros today think that threat hunting should be a major component of their security programs.
The trouble is that most organizations are just barely treading water to keep up with the security detection and response status quo, let alone transforming the way they hunt for threats.
That same study showed 70% of organizations admit that they don’t have adequate time to search for emerging and advanced threats in their security operations centers (SOCs). More tellingly, only about 15% of SOC employees are involved in threat hunting in any capacity.
As we see it, there are three major factors that are holding back the progress that enterprises are trying to make on threat hunting today:
SOC analysts are drowning in low-quality, unvetted threat data. Dig into the typical threat intelligence feeds that vendors pump into SOCs today and you’ll find a laundry list of indicators of compromise (IOCs) chock-full of IP addresses marked as malicious with zero context around how, when, or why the IP was tagged as ‘bad.’ Because attackers constantly change their infrastructure and behaviors, these IOCs have a limited window of ‘freshness’ during which the data remains relevant. Unfortunately, much threat intelligence today doesn’t build the context of this ‘decay model’ into the information streamed to analysts.
Not only does this increase the noise from false positives and false negatives, it also generally makes it difficult for threat hunters to swiftly connect the dots between relevant clues generated by active threats in their environments.
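The ‘decay model’ the paragraph says most feeds lack, as an added illustration that is not Cyborg’s code: an indicator’s confidence is halved every type-specific half-life since it was last observed, and only indicators still above a threshold are matched against logs, so a months-old IP entry stops generating noise. The half-lives, feed entries, log lines and hunt time are all constructed for the example.

```python
"""Added example of an IOC decay model (illustrative, not a vendor's code)."""
from datetime import datetime

# Assumed half-lives in days: attacker-controlled IPs churn fastest,
# domains more slowly, file hashes hardly at all. Illustrative values.
HALF_LIFE_DAYS = {"ip": 7.0, "domain": 30.0, "sha256": 365.0}

# Constructed sample feed: indicator, type, vendor confidence, last observed.
FEED = [
    {"value": "203.0.113.10", "type": "ip", "confidence": 90, "last_seen": "2024-01-01"},
    {"value": "203.0.113.20", "type": "ip", "confidence": 90, "last_seen": "2024-03-01"},
    {"value": "bad.example", "type": "domain", "confidence": 80, "last_seen": "2024-01-15"},
]

# Constructed proxy log lines and the (constructed) time of the hunt.
LOGS = [
    "2024-03-05T10:00:01 src=10.0.0.5 dst=203.0.113.10 action=allow",
    "2024-03-05T10:00:02 src=10.0.0.5 dst=203.0.113.20 action=allow",
    "2024-03-05T10:00:03 src=10.0.0.7 host=bad.example action=allow",
]
NOW = datetime(2024, 3, 5)


def decayed_score(entry, now):
    """Exponential decay: confidence halves every half-life since last_seen."""
    age_days = (now - datetime.fromisoformat(entry["last_seen"])).days
    return entry["confidence"] * 0.5 ** (age_days / HALF_LIFE_DAYS[entry["type"]])


def fresh_indicators(feed, now, threshold=30.0):
    """Return {value: (score, type)} for indicators still at or above threshold."""
    live = {}
    for entry in feed:
        score = decayed_score(entry, now)
        if score >= threshold:
            live[entry["value"]] = (round(score, 1), entry["type"])
    return live


def hunt(log_lines, feed, now, threshold=30.0):
    """Match key=value log tokens against fresh IOCs only; stale ones are skipped."""
    live = fresh_indicators(feed, now, threshold)
    hits = []
    for line in log_lines:
        for token in line.replace(",", " ").replace("=", " ").split():
            if token in live:
                hits.append((token, live[token][0], line))
    return hits


if __name__ == "__main__":
    print("with decay:", hunt(LOGS, FEED, NOW))            # one hit
    print("without decay:", hunt(LOGS, FEED, NOW, 0.0))    # all three
```

With a threshold of 0 every feed entry matches, which is the noisy behaviour the post describes; with decay applied only the IP seen four days earlier survives.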
Meanwhile, vendors across the cybersecurity world trumpet the promise of machine learning (ML) and artificial intelligence (AI) as the magic wands to wave over this voluminous store of unqualified security data. The marketing spiel is that you can just let the ML/AI engine do the work of cleaning, normalizing, and contextualizing data.
The truth, though, is that ML/AI depends on algorithmic training to work right. And so, ML/AI is only as good as the data that gets fed into the models and rule sets, as well as the people designing the rule sets. Right now the technology is very rudimentary for threat hunting, and is likely to stay that way for a long time.
Keeping the limitations of ML/AI in mind, most cybersecurity veterans understand that the only way we’re going to find the most acute and the most hidden advanced threats is through human-powered threat hunting. People are best able to adjust to the changing strategies of adversaries, and by getting informed eyes on raw data it is possible to find the most relevant activity and follow the attack chain to uncover stealthy attacks. Great threat hunters are able to create their own custom content based on that data to drive their hunts. But the security skills shortage makes it impractical for every organization to build out teams of specialized experts who can dedicate the time needed to develop that content and run threat hunting activity.
These blockers to threat hunting make it necessary for enterprises to look for an accelerant to break through the cybersecurity status quo. The threat hunting professionals at Cyborg believe the key ingredient to that accelerant is people-powered content that helps organizations contextualize unvetted threat intel and search activity in their environments using security tools they already have and the people they already have on staff in-house. With the right contextual content, organizations shouldn’t have to scramble to outsource threat hunting activities or hire legions of in-house threat hunters.