Author: Kate Adam, E8 Security
I’ve read a number of IT security articles extolling the value of threat hunting programs within security operations teams, and a few weeks ago, during the RSA Conference at San Francisco’s Moscone Center, many security vendors commended those same virtues.
In this crazy world where we’ve heard the phrase, “There is no silver bullet,” with regard to prevention technology at least several hundred times, developing threat hunting practices to root out and eliminate the threats that weren’t caught by perimeter and endpoint defenses is extremely prudent. However, not many security teams have a threat hunting practice, so the big question is: what’s keeping them from taking their security operations team beyond mere detect-and-respond procedures?
Threat hunting denotes proactivity in a role that has traditionally been reactive: detect and respond — reactivity is built into the name — and going from reactive to proactive is more difficult than it sounds. Security analysts who investigate the “detected” incidents to mount a response can’t simply abandon their posts and devote their time to hunting for threats. Especially at a time when — as the security industry keeps stating — there are more open cybersecurity positions than qualified people to fill them, mature security programs with dedicated threat hunting practices are few and far between.
Shifting to a proactive stance isn’t a pipe dream, though. It’s just that many organizations are still struggling to effectively investigate, triage, and respond to security alerts, so proactivity is a few too many steps ahead. How can security operations teams come to a place with their current resources where they can set up and begin to shift into threat hunting, while still responding to the regular flow of alerts?
Behavioral analytics is a fairly new technology within the realm of security and it is just now gaining traction within the market. Most behavioral analytics vendors focus on their products’ threat detection capabilities, but they’re missing what may be more valuable to potential customers: making security operations more efficient. Behavioral analytics done well automates a lot of the tedious work that security analysts currently do manually.
First, for every alert they investigate, security analysts spend time foraging through DHCP logs to figure out which device had a particular IP address at the time an incident was detected, and from there, root through directory logs to find out who was using that device. Device IPs change all the time, from session to session, as users move around the office and hop on and off of the corporate network. Behavioral analytics done well eliminates the need to correlate IP addresses, devices, and usernames via spreadsheet; this is a fundamental capability because figuring out the “who” behind every action is what allows certain necessary analytics (such as peer group analysis) to work effectively in the first place. It’s much more meaningful to understand what normal behavior looks like for a user or device than for an IP address.
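The IP-to-device-to-user join described above, as an added example that is not part of the article or E8 Security’s product: it takes DHCP lease records and directory logon records and answers which device and user held an address at the moment of an alert, returning None where the logs give no answer. Every hostname, username, address and timestamp below is constructed sample data.

```python
# Added example: resolve an alert's source IP to the device and user that
# held it at alert time, the manual DHCP-log / directory-log join the
# article describes. All records here are constructed, not real logs.
from datetime import datetime
from typing import NamedTuple, Optional, Tuple


class Lease(NamedTuple):   # one DHCP lease assignment event
    at: datetime
    ip: str
    host: str


class Logon(NamedTuple):   # one interactive logon from the directory log
    at: datetime
    host: str
    user: str


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed DHCP lease log: the same address moves between two laptops.
LEASES = [
    Lease(_t("2017-02-20 08:00"), "10.0.1.25", "LAPTOP-A"),
    Lease(_t("2017-02-20 12:30"), "10.0.1.25", "LAPTOP-B"),
    Lease(_t("2017-02-20 12:31"), "10.0.1.40", "LAPTOP-A"),
]

# Constructed directory logon log (host -> user signed in on it).
LOGONS = [
    Logon(_t("2017-02-20 08:05"), "LAPTOP-A", "alice"),
    Logon(_t("2017-02-20 12:35"), "LAPTOP-B", "bob"),
]


def device_for_ip(ip: str, at: datetime, leases=LEASES) -> Optional[str]:
    """Host holding the most recent lease for `ip` issued at or before `at`."""
    hits = [l for l in leases if l.ip == ip and l.at <= at]
    return max(hits, key=lambda l: l.at).host if hits else None


def user_for_device(host: str, at: datetime, logons=LOGONS) -> Optional[str]:
    """User with the most recent logon to `host` at or before `at`."""
    hits = [l for l in logons if l.host == host and l.at <= at]
    return max(hits, key=lambda l: l.at).user if hits else None


def attribute_alert(ip: str, at: datetime) -> Tuple[Optional[str], Optional[str]]:
    """Alert (ip, time) -> (device, user); None where the logs cannot say."""
    host = device_for_ip(ip, at)
    return host, (user_for_device(host, at) if host else None)
```

Run against the sample data, an alert from 10.0.1.25 at 13:10 attributes to LAPTOP-B and bob, whereas taking the first lease seen for the address would wrongly blame alice.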
Second, security analysts spend more time toggling between many different UIs to figure out what happened before and after the alerted incident, which is necessary to determine the timeline, true severity, and scope during investigations. Effective security investigations are all about context: is this a false positive, does this system have the most recent patch, why is this user using this application, and so on? Behavioral analytics done well connects disparate security events together to tell the full story of abnormal and malicious behavior, including which alerts are part of the same attack, which anomalous actions are related, and how they are related.
Third, security analysts must spend even more time searching through different systems to retrieve logs that are relevant to the investigation as evidence of their findings and conclusions. Behavioral analytics done well provides the relevant log events behind a detected anomaly, directing analysts to the log information they’re looking for to mount a response without having to build search queries.
All these manual tasks lengthen the amount of time between detection and response, which in turn contributes to both dwell time of a threat and the backlog of incidents that security operations teams must overcome before they can shift their focus to threat hunting.
Transforming security operations from a reactive function to a proactive one is more involved than some vendors would have you believe. However, if the ultimate goal is an effective security operations team with a proactive threat hunting practice, you can get there — but if you can’t afford to fall, you’ve got to make sure you know how to walk before you try to run. Behavioral analytics can facilitate and ease this transition by cutting investigation time from hours to minutes using your existing security resources, and can take your security operations team to the next level: threat hunting.