How Threat Hunting Flips the Traditional Approach to Cybersecurity
Organizations with serious concerns about being targeted by cyberattackers can accelerate incident response by assuming they are already compromised.
- by Jeff Falcon
I joined many of my colleagues in the information security community a couple of weeks ago for the annual gathering of the tribe at the RSA conference. We gather together every year and share our thoughts on the latest trends in security and, every year, a common theme emerges.
It looks like 2019 will be the year of threat hunting. Organizations that aren’t already in the process of building out a threat-hunting function asked about how to get started.
What Is Threat Hunting, and Is It Right for Your Organization?
Threat hunting takes the traditional approach to cybersecurity and turns it inside out. While most security controls are designed to keep intruders out, threat hunting adopts a mindset called the “presumption of compromise.” Threat hunters assume that malicious actors have already penetrated their organization, and they use a variety of security tools and techniques to hunt down the evidence that confirms this assumption. This allows organizations to accelerate their existing incident response efforts by detecting security incidents before they create a costly business disruption that can’t escape notice.
But threat hunting isn’t necessarily an effective tactic for every organization. Threat hunting requires significant investments of human and financial resources and, as with any investment, should be undertaken only if the potential returns justify the costs. In my mind, this requires an honest answer to two questions: How secure do we want to be? And how secure do we need to be? The reality is that some organizations find themselves in a threat environment where they face only common, routine threats. Those threats can often be sufficiently countered with traditional network and endpoint security tools and supplemented with an incident response program that kicks in when other tools detect a potential compromise.
Higher Stakes for High-Value Targets
Many organizations, however, face a much different threat landscape. Financial institutions, healthcare providers, government agencies and critical infrastructure utilities find themselves the targets of cybercriminals and nation-state adversaries. These sophisticated foes can attack in a stealthy fashion that might evade detection by a traditional array of defenses. These cases are where threat hunting moves from luxury to necessity.
Threat hunters rely on a common suite of security tools. Of foremost importance is a robust security operations center that receives data feeds from throughout an organization and provides continuous response to emerging incidents. The work of the SOC revolves around a second cornerstone: the security information and event management system. The SIEM serves as the central point of analysis and correlation for these data feeds. Finally, most incidents begin on an endpoint; therefore, the SOC must be fueled by a robust endpoint detection and response platform.
Organizations seeking to build out a threat-hunting capability don’t need to undertake this work single-handedly. CDW offers a variety of products and services that can assist with threat-hunting efforts. Our advisory services help organizations develop a threat-hunting strategy, while our professional services provide a full range of implementation capabilities. Together, our advisory and professional services can help your organization build an internal threat-hunting capability. CDW also offers an incident response retainer program as a service, through which we can augment your organization’s threat-hunting work on your behalf.