Security organizations can no longer keep up with the volume of security events on their networks, nor can they see and understand the attacker launching an attack from a vulnerable crevice of their network. Alert fatigue and false positives are more than well documented. And it is only getting worse: vastly distributed networks make it harder to see what is happening, and attackers are crafting better campaigns to get through, remaining hidden for weeks, months and years. It is time for organizations to change their approach from an organizational and process perspective, first and foremost.
New vendors and solutions abound to “solve” the problem with the latest silver bullet: a better sandbox, better learning algorithms, and big data to show you what you have been missing. The reality is that, particularly in a world of advanced attack campaigns, what matters is how security organizations form their Incident Response and Security Operations function today. The majority of organizations have spent the past two decades becoming more effective at prevention with next-gen firewalls and endpoints, and at triaging the voluminous event activity arising from their SIEM deployments. It is an inherently infrastructure-focused endeavor. And while there is a chapter left in making this more efficient, the book is closed on that approach being the answer to waging more effective defenses against advanced attack campaigns.
This is where organizations must evolve their security analysts into proactive threat hunters. It is these “hunter” teams that have seen real dividends in improving their posture and time to identify attacks. Further, many organizations have begun a threat intelligence function to staff the considerable sources of intelligence data (often in manual form) that a hunter can use to guide his or her efforts. As a result, their response and dwell times are typically measured in hours, not days. The approach has begun to democratize, and many more teams within financial services and other verticals are starting their journey to hunt, looking for what might be next. The more advanced organizations are hiring not just skilled political and human intelligence specialists to train teams, but also visual thinkers and experts who can visually craft the connection points of an attack. And we can now point to the actual business benefits of instituting these types of programs and functions. As part of a year-long set of interviews, we have uncovered four different “profiles” of security organizations, what they spend and measure, and how they end up performing as a result.
The results are very interesting. Organizations that spend the same on security can have vastly different outcomes depending on how they are organized. We have seen major differences in both dwell time and time to contain between “Hunting Organizations” and “Detect and Respond Experts” that spend the same. Please check out our assessment here, and give us feedback on how these different organizational approaches are working.
The post Connecting the dots: Business benefits of threat hunting appeared first on Arbor Insights - Our People, Products and Perspective.