THREAT HUNTING 2017 REPORT PRESENTED BY

Similar documents
THREAT HUNTING REPORT

THREAT HUNTING REPORT

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

RSA NetWitness Suite Respond in Minutes, Not Months

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Building a Threat Intelligence Program

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Resolving Security s Biggest Productivity Killer

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Reducing the Cost of Incident Response

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

esendpoint Next-gen endpoint threat detection and response

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Attackers Process. Compromise the Root of the Domain Network: Active Directory

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

RiskSense Attack Surface Validation for IoT Systems

THE ACCENTURE CYBER DEFENSE SOLUTION

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

NEXT GENERATION SECURITY OPERATIONS CENTER

CLEARING THE PATH: PREVENTING THE BLOCKS TO CYBERSECURITY IN BUSINESS

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

RSA Cybersecurity Poverty Index

Traditional Security Solutions Have Reached Their Limit

GDPR COMPLIANCE REPORT

CYBERSECURITY RESILIENCE

Transforming Security from Defense in Depth to Comprehensive Security Assurance

ACHIEVING FIFTH GENERATION CYBER SECURITY

Reducing Cybersecurity Costs & Risk through Automation Technologies

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Incident Response Agility: Leverage the Past and Present into the Future

Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

An All-Source Approach to Threat Intelligence Using Recorded Future

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

MATURE YOUR CYBER DEFENSE OPERATIONS with Accenture s SIEM Transformation Services

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

DDoS MITIGATION BEST PRACTICES

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Managed Endpoint Defense

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

RSA INCIDENT RESPONSE SERVICES

Operationalizing the Three Principles of Advanced Threat Detection

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

Reinvent Your 2013 Security Management Strategy

Security. Made Smarter.

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

Threat Hunting in Modern Networks. David Biser

empow s Security Platform The SIEM that Gives SIEM a Good Name

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

4/13/2018. Certified Analyst Program Infosheet

Incident Response Services

RSA INCIDENT RESPONSE SERVICES

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

The 2017 State of Endpoint Security Risk

Best wishes for 2018! Bryan Ware, CEO. Haystax Technology INSIDER THREAT PREDICTIONS FOR

A Practical Guide to Efficient Security Response

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

KNOWLEDGE GAPS: AI AND MACHINE LEARNING IN CYBERSECURITY. Perspectives from U.S. and Japanese IT Professionals

SIEM Solutions from McAfee

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Vulnerability Assessments and Penetration Testing

Symantec Security Monitoring Services

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

ForeScout ControlFabric TM Architecture

Are we breached? Deloitte's Cyber Threat Hunting

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

FOR FINANCIAL SERVICES ORGANIZATIONS

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

SIEM: Five Requirements that Solve the Bigger Business Issues

Designing and Building a Cybersecurity Program

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Integrated, Intelligence driven Cyber Threat Hunting

to Enhance Your Cyber Security Needs

Prescriptive Security Operations Centers. Leveraging big data capabilities to build next generation SOC

Building Resilience in a Digital Enterprise

The Artificial Intelligence Revolution in Cybersecurity

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Cyber Resilience - Protecting your Business 1

MITIGATE CYBER ATTACK RISK

THE POWER OF TECH-SAVVY BOARDS:

Seven Steps to Ease the Pain of Managing a SOC

WHITEPAPER THE EVOLUTION OF APPSEC: FROM WAFS TO AUTONOMOUS APPLICATION PROTECTION

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

Transcription:

THREAT HUNTING 2017 REPORT PRESENTED BY

THREAT HUNTING 2017 REPORT TABLE OF CONTENTS Overview Key Survey Findings Familiarity with Threat Hunting Threat Hunting Priority Top Challenges for SOCs Confidence in SOCs Data Captured for Forensic Review Threat Detection by Automated Tools Vulnerability Scanning & Analysis SOC Threat Management Maturity Resources for Threat Hunting Time Spent on Threat Hunting Attack Discovery Financial Impact of Threats Threat Hunters Job Satisfaction Threat Hunting Adoption Barriers to Adoption Threat Hunting Performance Benefits of Threat Hunting Platforms Threat Hunting ROI Key Features of Threat Hunting Platforms Methodology and Demographics Threat Hunting Overview Sponsor Overview Contact Us 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 29 31

OVERVIEW Many organizations are quickly discovering that cyber threat hunting is the next step in the evolution of the modern Security Operations Center (SOC) to combat an increasing array of sophisticated threats from attackers. Threat Hunting refers to manual and machine-assisted methods of proactively and iteratively searching through networks and datasets to find advanced persistent threats (APTs) that evade existing security defenses. In 2017, the Information Security Community on LinkedIn conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operation centers (SOCs). When the 330 respondents were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization s defenses. Many responses included unknown and advanced when describing threats, indicating the respondents understand the challenges and fear those emerging threats. We would like to thank our sponsors for supporting this unique research: Cybereason DomainTools Infocyte Javelin Networks Palo Alto Networks Sqrrl Tenable We hope you will enjoy the report. Thank you, Holger Schulze Holger Schulze Founder Information Security Community on LinkedIn hhschulze@gmail.com Group Partner Information Security THREAT HUNTING REPORT 3

KEY SURVEY FINDINGS 1 2 3 4 5 Respondents state that the frequency of security threats their organizations are facing increased significantly. Over 80% of respondents say threats have at least doubled in the past year. Based on the current trend, the number of advanced and emerging threats will continue to outpace the capabilities and staffing of organizations to handle those threats. Threat hunting is becoming a top security initiative for many organizations. However, the inability to detect advanced threats and find expert security staff to assist with threat mitigation are the top two challenges SOCs are facing. As a result, about four in five respondents stated their SOC does not spend enough time searching for emerging and advanced threats. The main benefits of threat hunting platforms include improved detection of advanced threats, creating new ways of finding threats, and reducing investigation time. Threat hunting platforms can cut in half the time spent to detect a threat, and it improves the average time to investigate and address a threat by 42%. Nearly half of respondents state that an investment in a threat hunting platform pays for itself within a year given its ability to detect unknown, emerging and advanced threats. Confidence in organizations ability to uncover advanced threats is low. Two-thirds of SOCs report that they are falling behind in terms of capabilities to address sophisticated threats. Confidence is further undercut by the increasing number of successful cyber attacks and the time it takes many organizations to detect and respond to a breach - many data breaches still have an average dwell time of 5 months. Cybersecurity professionals who work with a threat hunting platform feel more appreciated, recognized, and valued by their organization. Virtually all respondents want to work for a SOC with lean-forward proactive security capabilities such as threat hunting, confirming the value respondents place on threat hunting capabilities to help them do their job more effectively. THREAT HUNTING REPORT 4

FAMILIARITY WITH THREAT HUNTING Among the respondents to the threat hunting survey, six in 10 have some knowledge or are very knowledgeable about the topic. An additional 25% were aware of threat hunting but had no knowledge about the topic. Q: How familiar are you with threat hunting? 15% I am unfamiliar with threat hunting 25% I am aware of threat hunting, but have no knowledge 18% I am very knowledgeable on threat hunting 60% Have a moderate or high degree of knowledge about threat hunting 42% I have some knowledge on threat hunting THREAT HUNTING REPORT 5

THREAT HUNTING PRIORITY Nearly four out of five respondents said that threat hunting should be or will be a top security initiative in 2017 with 42% saying that they strongly agreed with the statement. Over three-quarters of respondents believe threat hunting is of major importance. Q: What is your level of agreement with the statement Threat hunting should be or will be a top security initiative in 2017? 3/4 of respondents believe threat hunting is of major importance 42% 37% 11% 6% 4% Strongly agree Somewhat agree Neither agree nor disagree Strongly disagree Somewhat disagree THREAT HUNTING REPORT 6

TOP CHALLENGES FOR SOCS The top two challenges facing SOCs are the detection of advanced threats (hidden, unknown, and emerging) and the lack of expert security staff to mitigate such threats. More than half of the SOCs face these two top challenges. All the challenges mentioned in the survey were ranked by at least 30% of the participants, suggesting that SOCs are dealing with a broad array of issues on a day-to-day basis. Q: Which of the following do you consider to be top challenges facing your SOC? 70% Detection of advanced threats (hidden, unknown, and emerging) 59% The lack of expert security staff to assist with threat mitigation 49% 49% 47% 45% 32% Detection of rogue insiders/ insider attacks Slow response time to find or detect advanced threats Too much time wasted on false positive alerts Lack of confidence in automation tools catching all threats Lack of proper reporting tools Working with outdated SIEM tools and SOC infrastructure 30% Too much data to collect, aggregate, report and analyze 30% Other 7% THREAT HUNTING REPORT 7

CONFIDENCE IN SOCS The Challenges faced by SOCs, such as their inability to detect advanced threats, the lack of expert staff to assist, and the slow response time all weigh heavy on their level of confidence. Only 6% of respondents were fully confident in their SOC s ability to uncover advanced threats; only 26% of respondents were confident to very confident. Q: Using a scale of 1 to 5 where 5 is very confident and 1 not at all confident, how confident are you in your SOC s ability to uncover advanced threats? Moderately confident 45% 23% 3 20% 2 4 Not at all confident 7% 1 5 6% Very confident THREAT HUNTING REPORT 8

DATA CAPTURED FOR FORENSIC REVIEW When asked about the type of data their SOC log for forensics review, three in four respondents said they log and review firewall/ips denied traffic. Other commonly collected logs are firewall/ips allowed traffic, DNS traffic, and Web and email traffic. The importance respondents see in keeping different types of logs for forensic review is evident by the fact that each data option was logged by at least 30% of the respondents. Q: What kind(s) of data does your SOC log for forensic review later?.com.net 70% Firewall/IPS denied traffic 65% 60% Web and email DNS traffic filter traffic 58% 41% 40% 33% 16% Firewall/IPS allowed traffic Server traffic Packet sniff/ tcpdump Windows domain logs Unsure THREAT HUNTING REPORT 9

THREAT DETECTION BY AUTOMATED TOOLS Nearly half of all threats go undetected by automated security tools (44%). Respondents answers ranged from single digits to more than 90%, implying that there is a wide range of perceived effectiveness of automated tools. Needless to say, this bodes very poorly for the current state of industry readiness. Respondents overwhelmingly believe that their organization faced more security threats over the past year, with 82% saying threats occurred more frequently. In addition, nearly half (45%) stated the amount of threats they face have at least tripled or more in the past year. Q: What percent of emerging and advanced threats are missed by automation security tools? Q: Which of the following best describes the frequency of security threats facing your organization? Increased at the rate of 5x or more 12% Increased at the rate of 4x in the past year 9% Increased at the rate of 3x in the past year 24% Increased at the rate of 2x in the past year 38% 44% 4% threats go undetected by automated security tools Decreased Not changed in the past year 13% THREAT HUNTING REPORT 10

VULNERABILITY SCANNING & ANALYSIS Although identifying attacking threats seems to be of extreme importance to organizations, nearly 1 in 4 do not analyze vulnerabilities to determine if the threat is attacking a known CVE (Common Vulnerability and Exposure). 3 in 4 respondents stated they take measures to determine if a threat is attacking a known CVE for their organization. Q: When threat hunting, do you run a network scan/ analysis of common vulnerabilities to determine if the threat is attacking a known CVE? 76% YES Over 75% of respondents stated that vulnerability scanning and CVE patching is helpful in limiting potential threats. These results support the prior question in determining the importance of analyzing and acting on vulnerable areas for security purposes. Only a small minority believe that scanning for and patching CVEs is unhelpful. Q: How useful do you find network vulnerability scanning/ patching CVEs in helping you limit the risk of threats? 77% think vulnerability scanning and CVE patching is helpful in limiting potential threats 53% 24% NO 24% Very helpful Somewhat helpful 7% Neither helpful nor unhelpful 12% Somewhat unhelpful 4% Very unhelpful THREAT HUNTING REPORT 11

SOC THREAT MANAGEMENT MATURITY When it comes to the state of their organization s threat hunting capabilities, only 6% actually believe they are cutting edge, and 30% believe they are advanced. Nearly two thirds of respondents stated they re minimally compliant or even behind the curve when it comes to addressing emerging threats. Although emerging and advanced threats seem to be a major challenge for SOCs, little action is being taken to address them. Q: Which of the following best explains the status of your SOC in relation to addressing emerging threats? We are cutting-edge, ahead of the curve We are advanced, but not cutting-edge We are compliant, but behind the curve Our capabilities are limited at this time 6% 30% 27% 37% THREAT HUNTING REPORT 12

RESOURCES FOR THREAT HUNTING When asked for an approximate amount their organization spent on security detection and defense technologies to identify and stop advanced threats, answers varied significantly. On average, respondents stated approximately $550,000 with some amounts ranging up to $6-8 million dollars. Less than 2 in 10 employees within SOCs are threat hunting today. When asked approximately what percentage of employees were involved in threat hunting, the average response was around 14%. Q: Approximately how much do you spend on security detection and defense technologies to identify and stop advanced threats? Q: Approximately, what percentage of employees at your SOC are threat hunting today? 14% SOC employees involved in threat hunting $550,000 Average Spend on Technologies for Security Detection and Defense THREAT HUNTING REPORT 13

TIME SPENT ON THREAT HUNTING When compared to engaging in proactive and innovative detection, respondents spend nearly double the time with alert triage and reacting to security threats. An average of 43% of respondents time is spent reacting to security threats, while an average of 22% of respondents said that their time is spent proactively seeking threats. The rest of the time is spent on other activities. These results align with previous questions that revealed that many respondents organizations are behind the curve when it comes to taking steps to enhance their security and threat hunting capabilities. A staggering 4 in 5 respondents believe their SOC does not spend enough time searching for emerging and advanced threats. While many organizations and SOCs spend most of their time reacting to detected threats or other procedures, respondents clearly believe more time should be spent on proactively looking for these threats. Only 20% of respondents believe that their SOC spends enough time searching for emerging and advanced threats. Q: Do you feel enough time is spent searching for emerging and advanced threats at your SOC? Q: In a typical week, what percent of your time is spent with alert triage or reactive response to security threats versus engaging in proactive and innovative detection methods? 20% YES 2x time 22% Proactively seeking threats 43% Reacting to security threats 80% NO THREAT HUNTING REPORT 14

ATTACK DISCOVERY Attackers dwell on a network for an average of 40 days before they re discovered, according to the survey. Some respondents said attackers were discovered much faster while others said the attack could go undetected for as long as three months or even longer. Nearly all respondents agree that attackers dwell on a network for some period of time before they re discovered by the SOC. An average of 40% of security threats to the respondent s SOC are missed, while an average of 60% were identified. With over 4 in 10 security threats being missed by SOCs, there s significant potential for a breach. Q: Missed and Detected Security Threats? Q: On average, how long do attackers who breach your security defenses dwell in your network before they are discovered by your SOC? 40% MISSED Security Threats 40 DAYS Average time attackers dwell on networks until discovered 60% DETECTED Security Threats THREAT HUNTING REPORT 15

FINANCIAL IMPACT OF THREATS Nearly 2 in 5 respondents stated a security breach could have a financial impact of up to $1 million at their organization. Almost half of respondents were unsure of the financial impact an undetected threat that results in a breach would cause. This number represents a significant lack of awareness around the potential damage that undetected threats can cause. Q: What is the typical financial impact of a security threat which goes undetected and results in a breach at your organization? 2 of 5 of respondents think a security breach could have a financial impact of up to $1 million at their organization 47% 32% 7% 7% 4% 1% 2% Under $500,000 $500,000 to $999,999 $1 million to $2.9 million $3 million to $5.9 million $6 million to $9.9 million More than $10 million Unsure THREAT HUNTING REPORT 16

THREAT HUNTERS JOB SATISFACTION Overall, 61% of respondents in SOc without a threat hunting platform stated they feel appreciated, 53% say they are recognized, and 59% believe they are valued at their organization. However, respondents who work in a SOC that uses a threat hunting platform feel significantly more appreciated, recognized, and valued. Of those respondents, 72% state they feel appreciated, 61% state they are recognized, and 67% believe they are valued. Q: Do you feel the work you do is: Appreciated?, Recognized?, Valued? Respondents overwhelmingly stated that they would prefer to work in a SOC with lean-forward proactive security capabilities such as threat hunting, an opinion shared by nearly 95% of respondents. Respondents value the importance of threat detection capabilities for not only their own work, but also for their organization. Q: Would you prefer to work in a SOC with lean-forward proactive security capabilities, such as threat hunting? Appreciated 61% 72% YES 93% Recognized 53% 61% Valued WITH threat hunting platform 59% 67% WITHOUT threat hunting platform 7% NO THREAT HUNTING REPORT 17

THREAT HUNTING ADOPTION Nearly two-thirds of respondents stated their SOC does not currently use a threat hunting platform for its security analysts, indicating a lower adoption rate. Respondents agree that the need and importance to identify emerging and advanced threats is paramount but many organizations have yet to adopt technologies to do so. Q: Does your SOC currently use a threat hunting platform for its security analysts? 2/3 SOCs do not currently use a threat hunting platform Among those who do not use threat hunting platforms, more than 3 in 4 (76%) stated they would like to see their organization upgrade security capabilities by purchasing a threat hunting platform. This supports the themes in which detecting advanced threats is a major challenge to SOCs, magnified by a lack of expert staff, and the fact respondents believe not enough time or budget is allocated to threat hunting tools. Q: Would you like your organization to purchase a threat hunting platform for its security analysts? NO 24% NO 65% YES 35% YES 76% THREAT HUNTING REPORT 18

BARRIERS TO ADOPTION Lack of budget remains the top reason why SOCs have not adopted a threat hunting platform, an answer given by 35% of respondents. Lack of training on threat hunting was the second most common reason, said 20% of respondents. This puts more responsibility on threat hunting platforms to prove their value, accelerate onboarding times and improve comprehension with SOC staff. Q: What is the main reason your SOC does not have a threat hunting platform for its security analysts? 35% Lack of budget 20% 19% 11% 7% 9% Lack of training on threat hunting Not a priority for our SOC Platform fatigue, we have many platforms Lack of collaboration across departments Other THREAT HUNTING REPORT 19

THREAT HUNTING PERFORMANCE When asked to estimate the amount of time it takes to address threats without a threat hunting platform, the average time it took to detect a threat was 38 days, and the average time to investigate a threat was 26 days. Q: On average, how long does it take to detect / investigate threats without a threat hunting platform at your SOC? When asked to estimate the same time to detect and investigate threats with a threat hunting platform, a much different story emerged. With a threat hunting platform, the average time spent to detect dropped to 15 days and the average time to investigate the threat lasted just 14 days. The average time spent to detect the threat improved by 61% and investigating the threat improved by 42%. Q: On average, how long does it take to detect / investigate threats with a threat hunting platform at your SOC? WITHOUT A THREAT HUNTING PLATFORM WITH THREAT HUNTING PLATFORM Time to detect 38 days 15 days 2.5x improvement Time to investigate 26 days 14 days ~2x improvement THREAT HUNTING REPORT 20

BENEFITS OF THREAT HUNTING PLATFORMS The top efficiency benefits from a threat hunting platform as mentioned by respondents were improving the detection of advanced threats (72%), creating new ways of finding threats (68%), discovering threats they could not discover otherwise (67%), and reducing investigation time (66%). Q: What do you think are the main efficiency benefits from a threat hunting platform for security analysts? 72% Improving detection of advanced threats 68% 67% 66% Creates new ways of finding threats Discovering threats I could not discover otherwise Reducing investigation time 58% Saves time manually correlating events 56% Reducing time wasted on chasing false lead Ability to quick connect disparate sources of information 43% Reducing extra and unnecessary noise in the system 41% Reduces attack surface 40% Saves time scripting and running queries 39% Other 4% THREAT HUNTING REPORT 21

THREAT HUNTING ROI Nearly half of respondents believe an investment in a threat hunting platform would pay for itself within a year. A small minority of respondents stated the investment in a threat hunting platform would take three years or more to break even. Q: How long does it take for a SOC to break-even on the investment of a threat hunting platform? 44% believe the investment in a threat hunting platform would pay for itself within a year 32% 5% 3% 11% 7% 18% 10% 8% 4% Immediately Within days Within weeks Within months Within a year Within 2 yrs Within 3 yrs More than 3 yrs Unsure THREAT HUNTING REPORT 22

KEY FEATURES OF THREAT HUNTING PLATFORMS The most appealing features of a threat hunting platform are the forensic details and automated analytics (machine learning used for automating decisions). All features carried some appeal with respondents. None of the features received an average score below a 3 on a 1 to 5 scale of appeal. Q: Using a scale of 1 to 5 where 5 indicates very appealing and 1 indicates not at all appealing, how appealing is each of the following when selecting a threat hunting platform? Forensics detail Automated and packaged analytics Searchability 4.1 4.0 3.9 NOT AT ALL APPEALING VERY APPEALING NOT AT ALL APPEALING VERY APPEALING NOT AT ALL APPEALING VERY APPEALING Investigation workflow 3.8 Visualizations 3.8 Breadth of data sources 3.8 Automated mitigation 3.7 Sequence timeline 3.5 Storage capacity 3.4 THREAT HUNTING REPORT 23

METHODOLOGY & DEMOGRAPHICS The 2017 Threat Hunting Report is based on the results of an online survey of over 330 cybersecurity and IT professionals to gain more insight into the state of threat management in SOCs. The respondents range from security analysts and IT managers to CISOs. The respondents represent a representative cross section of organizations of varying sizes across many industries, ranging from financial services to telecommunications and healthcare. PRIMARY ROLE 20% 19% 19% 15% 11% 6% 5% 4% 2% Security Analyst IT Manager, Director or CIO Security Manager or Director CSO, CISO, or VP of Security Security Administrator Threat Analyst Systems Administrator Auditor Other COMPANY SIZE 22% 15% 11% 19% 13% 20% Less than 100 100 to 499 500 to 999 1,000 to 4,999 5,000 to 9,999 10,000 or more INDUSTRY 20% 14% 9% 8% 6% 5% 4% 33% Financial services, banking or insurance Telecommunications or ISP Healthcare Government Manufacturing Retail or ecommerce Energy or utilities Other THREAT HUNTING REPORT 24

THREAT HUNTING OVERVIEW THREAT HUNTING REPORT 25

UNDERSTANDING THE THREAT Today s attacks have become more sophisticated while their means and methods are increasingly difficult to detect. Upon gaining access to a network, most advanced persistent threats (APTs) work silently and stealthily to gather intel and gain more access to their target network. In the past, APTs using this methodology were extremely difficult to detect and sometimes were active for months or even years before being discovered. However, many SOCs are beginning to take the fight to the enemy by employing threat hunting techniques to seek out malicious activity before it is able to do significant damage. Mapping to the Cyber Kill Chain The clear majority of attacks faced by organizations today can be mapped via the cyber kill chain model. Under this framework, attackers will start out by gathering intelligence on and surveilling a network, exploiting weaknesses, and moving on to escalating privileges. However, at every level of the kill chain, attackers are vulnerable to detection and potential disruption. CYBER THREAT KILL CHAIN Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objectives 1 2 3 4 5 6 7 By understanding how attackers utilize the kill chain, hunters can engage their targets before adversaries compromise or steal valuable information. In other words, monitoring, targeting, and engaging threats before they cause damage. In this process, hunters will start out by hypothesizing and mapping out potential means and methods that can be used by attackers. Hunters should therefore be able to collect actionable intelligence that enables them to further refine their data-gathering techniques and provides jumping-off points for future hunts. THREAT HUNTING REPORT 26

THE PYRAMID OF PAIN All attackers have signatures that can be used to identify who is attacking and how. These can include anything from the attacker s IP address, network/host artifacts, and tactics, techniques and procedures (TTPs). Collectively, these methods are referred to as Indicators of Compromise (IoCs). By identifying relevant IoCs and denying their use, hunters can make attacks upon their networks more time-consuming, costly, and difficult. In short, by picking out IoCs through the use of behavioral analytics, intelligence gathering, etc., hunters can pinpoint and deny potential avenues of approach to malicious actors. TTPs Tools Network/ Host Artifacts Domain Names IP Addresses Hash Values Tough Challenging Annoying Simple Easy Trivial This method of disrupting threats is encapsulated within the pyramid of pain model. The pyramid maps the levels of IoC that are used by adversaries and correlates them with the relative amount of inconvenience that can be caused by forcing attackers to change their techniques. By relying on behavior and data-driven intelligence (as opposed to reactive automated defenses), hunters are able to predict the tactics most likely to be used by adversaries. THREAT HUNTING REPORT 27

THE HUNTING MATURITY MODEL Each organization s ability to seek out IOCs can be mapped according to the hunting maturity model. The framework rates SOCs on their ability to utilize intelligence indicators and data collection to predict and identify threats. SOCs are assessed on their defense techniques (e.g. entirely automated vs intelligence-driven), their collection and use of data, and their adaptability. The model also evaluates SOCs based on the frequency, sophistication, and institutionalization of their hunt techniques. LEVEL LEVEL 4 LEVEL 0 NO THREAT HUNTING PROGRAM These teams either have no hunting capabilities and mainly perform incident response LEVEL 1 BASIC THREAT HUNTING These teams incorporate basic searching as their hunting techniques (searching for key indicators in datasets) Most hunting in this stage is not data driven and is conducted on an ad-hoc basis LEVEL 2 UTILIZING EXISTING PROCEDURES These teams incorporate published hunting procedures and techniques into their detection activities Threat hunting in this stage utilizes data collection, and is applied on a regular basis 3 CREATING NEW PROCEDURES These teams create new hunting procedures that can be followed (and published) based on organizational need Hunting at this level occurs on a frequent basis LEADERS IN THREAT HUNTING These teams incorporate all of the above practices but also automate successful hunts and use hunting results to improve automated detection systems, freeing up hunters to pursue new hunts This model provides SOCs with a broad-view outline for assessing their effectiveness, as well as laying out a roadmap for improving operational effectiveness. Under this framework, the most effective SOCs are those that consistently incorporate intelligence and lessons learned from hunts into alerts and automated responses, as well as those that invest in specialized, scalable tools for hunters. THREAT HUNTING REPORT 28

SPONSORS OVERVIEW Cybereason www.cybereason.com Cybereason is the leader in endpoint protection, offering endpoint detection and response, next-generation antivirus, and managed monitoring services. Founded by elite intelligence professionals born and bred in offensefirst hunting, Cybereason gives enterprises the upper hand over cyber adversaries. DomainTools www.domaintools.com DomainTools helps security analysts turn threat data into threat intelligence. Our solutions give organizations the ability to use create a forensic map of criminal activity, assess threats and prevent future attacks. Infocyte www.infocyte.com Infocyte is an endpoint threat hunting technology leader with an innovative solution that focuses on postcompromise detection of persistent attackers and cyberthreats. Infocyte s agentless hunt platform is designed to allow security and IT teams to rapidly assess endpoints for evidence of compromise to defend an organization s networks and critical information. Javelin www.javelin-networks.com Javelin protects what others cannot - the Active Directory. Javelin is the first Artificial Intelligence-based Autonomous Breach Detection, Investigation, Hunting and Containment Platform to protect the Corporate Domain environment. Javelin s lean forward approach reduces the effort, time and error when trying to identify and contain breaches. THREAT HUNTING REPORT 29

SPONSORS OVERVIEW Palo Alto Networks www.paloaltonetworks.com Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for tens of thousands of organizations worldwide. Built with an innovative approach and highly differentiated cyberthreat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables daily business operations, and protects an organization s most valuable assets. Sqrrl www.sqrrl.com Sqrrl is the only cybersecurity solution purpose-built for threat hunting. Sqrrl s primary value proposition is to help analysts discover new, unknown threats that were neither previously detected nor properly prioritized. Tenable www.tenable.com Tenable transforms security technology through comprehensive solutions providing continuous visibility and critical context, enabling decisive actions to protect organizations of all sizes. Tenable eliminates blind spots, prioritizes threats and reduces exposure and loss. THREAT HUNTING REPORT 30

CONTACT US Interested in co-sponsoring the next cybersecurity report, or producing your own research? Contact Crowd Research Partners to learn more. info@crowdresearchpartners.com Produced by: All Rights Reserved. Copyright 2017 Crowd Research Partners. Please contact Crowd Research Partners if you would like to use this content. THREAT HUNTING REPORT 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback