Time to Get Proactive About Threat Hunting

By Arnie Lopez on Jul 13, 2020

When I think about the many challenges that threat hunters face nowadays, trust me when I say that I feel their pain. Early in my career, I was a Security Engineer in a SOC who scrambled into action upon receiving the proverbial midnight call about an incident.

The system I was part of wasn’t perfect, as we were always one step behind our adversaries. Still, we held the line by deploying an assortment of security technologies to minimize any damage. Enterprises essentially adopted a reactive “whack-a-mole” approach, where defenders would address one-off vulnerabilities as they popped up. But we face a new cyber security landscape that makes it clear we need to adopt a new, more proactive approach to threat hunting.

Are We a Target? 

In the past, cyber security was generally treated as an afterthought by senior management. No longer. Company boards are finally attuned to the grave challenge that cyber security poses to their businesses. While boards are willing to make cyber security investments, they also want to make sure they’re getting the maximum return from investments in the tools that CISOs say they need.   

However, they’re not going to be patient if their cyber security strategy still rests upon waiting for the next phishing email to infect the network before defenders start to swing into action. Enterprises don’t have the luxury, especially not in the current threat landscape where they are being targeted by cohorts of increasingly sophisticated attackers. This has implications for everyone involved in the enterprise cyber security chain – from the CISO to the most junior analyst on the SOC team.  

Threat hunters must be able to synthesize external threat feeds and data into useful context to know whether the organization is a target. They also need actionable information to take steps that bolster the organization’s overall security posture: this can involve anything from ordering a general lockdown to tweaking policies that better secure endpoints or the web gateway.

Unfortunately, this proactive capacity still remains out of reach for most companies. Fewer than 20% of breaches are getting stopped in a timely fashion because threat hunters lack the tools that might supply the kind of timely, actionable context I’m talking about. 

Boards aren’t going to be patient if their threat hunting approach is the equivalent of calling in the firemen only after the blaze starts. The organization needs to know ahead of time what’s happening in their cyber neighborhood, not after the fact. 

The Rise of the Strategic Threat Hunter 

That puts added pressure on threat hunters to get ahead of the problem before it’s a problem. As the average cost of data breaches continues to climb, too much is at risk by keeping the status quo. Remediation and resolution after the fact no longer cuts it. But if threat hunters know ahead of time who is being targeted and what endpoints are going to be impacted, that’s a game-changer. At that point, they can take proactive measures to protect their organizations.

At McAfee, our portfolio of technologies not only extends protection across all endpoints and the cloud but also streamlines the process of investigation, allowing threat hunters to drill down across vectors, industries and regions. We cross-correlate known campaigns using industry and geographical threat activity with an organization’s own endpoint security posture derived from its security telemetry.   

That’s a major boon for threat hunters, who now can glean accurate insights into the constellation of potential security risks. They no longer need to manually pick through disparate pieces of data, separating out false positives from real indications of trouble. So, instead of wasting precious time on busy work, they apply their talents to the task of finding the most effective way to deal with incoming threats.

Even on a good day, the threat hunter’s job is hard enough. Without the necessary information to help understand the bigger picture, it looks more like Mission Impossible. But with the recently announced, uniquely proactive MVISION Insights in hand, threat hunters can finally flip the script and take the fight to the bad guys. Remember: the best defense is always a good offense.

Check it out—our Chief Scientist Raj Samani weighs in on MVISION Insights.

About the Author

Arnie Lopez

Arnie Lopez is Vice President Worldwide Systems Engineering. Arnie is a 25-year veteran in Silicon Valley’s Technical Community with experience in Networking, Cloud and Security Solutions.
