Threat hunting emerged as a way to proactively identify threats in your environment. For high-performing SOCs, it is a must-have activity that can mean the difference between a malicious hack and a normal, uneventful day. With the stakes so high, it is time to look at what threat hunting is: its history, what it looks like today, and where it is headed, particularly as adversaries become more advanced every day.
Just over a decade ago, security analysts shared information on malicious code among themselves only – no public announcement of a breach, and certainly no public reckoning. Instead, you would receive information about a threat from a colleague or friend, conduct an investigation to determine if the compromise occurred in your environment, and then adjust your security posture to prevent similar compromises. This system inspired a new industry paradigm for SecOps across the globe. A handful of vendors began to offer threat intelligence, and eventually, a whole slew of security providers developed threat intelligence for the industry as well as for different verticals.
Once these tools became widespread, SecOps teams needed to subscribe to threat intelligence to enrich their detection tools, which is a failsafe approach to looking for future threats. But evidence of a threat seldom appears in real time, so you also need a robust historical log to search for past threats as well as potential future ones. In addition, detection tools do not catch every intruder, which creates the need for a proactive way of finding threats that break through your defenses.
Today, many organizations rely on SIEM tools for hunting. These offer a single-pane-of-glass view into security events and give you a way to enrich data broadly, a far cry from manually analyzing events.
Make no mistake: threat hunting has come a long way in the last ten years. But then again, so have adversaries. These days, the specter of modern attackers keeps CISOs up at night. To get a good night's sleep, you should have access to all of your data, live, and you should not have to restore backups or manually insert other data sources that were not being logged. You need full, complete visibility without restriction. But there are a few barriers to entry for achieving what today's ideal SOC looks like:
Unfettered visibility is important, yes. But you must also hone skills to combat the next phase of how adversaries are targeting us: through artificial intelligence and machine learning. Attackers are beginning to shift tactics on the fly; they no longer require an employee to click a phishing email to gain access to data. Next-generation attacks can execute from previews, shut off antivirus systems, escalate privileges, and even disable logs to hinder detection.
Continue to improve your organization's security posture with full data visibility and robust threat hunting and intelligence. Understand that malicious adversaries are hiding in plain sight, for example inside Windows PowerShell, a tool designed for sysadmins, so threat hunting must evolve to look for tactics, techniques, and procedures (TTPs) instead of focusing purely on static indicators of compromise. But do not leave old rules behind, either: static indicators like hashes are still a relevant part of security. It is all about developing the right mix.
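The closing advice, hunting for TTPs while keeping static indicators such as hashes in play, is easier to picture with a small hunt. The following is an added example and is not Devo's code or anything from the article: the Sysmon-style key=value log layout, the field names, the rule patterns, the sample events and the placeholder hash are all assumptions constructed for the demonstration. It flags a process-creation event when its SHA256 matches a known-bad list (the static layer) or when the PowerShell command line shows the behaviours the article calls out (hidden windows, encoded commands, disabling antivirus, clearing event logs), and it decodes an `-EncodedCommand` payload so the analyst can see what actually ran.

```python
"""Hunt over Sysmon-style process-creation lines: static hash IoCs plus
PowerShell TTP heuristics. Added example, not Devo code; the log layout,
field names, rule patterns and indicator values are assumptions."""
import base64
import re

# Constructed placeholder IoC, not a real malware hash.
KNOWN_BAD_SHA256 = {"deadbeef" * 8: "placeholder-sample-A"}

# Behavioural (TTP) heuristics over the CommandLine field. Each entry is
# (rule name, compiled regex); patterns are assumptions for this example.
TTP_RULES = [
    ("encoded_command",
     re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")),
    ("execution_policy_bypass", re.compile(r"(?i)-e(?:p|x\w*)\s+bypass")),
    ("hidden_window", re.compile(r"(?i)-w\w*\s+hidden")),
    ("defender_realtime_disabled",
     re.compile(r"(?i)set-mppreference\b.*-disablerealtimemonitoring\s+\$?true")),
    ("event_log_cleared",
     re.compile(r"(?i)\b(?:wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog\b)")),
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse 'Key=value Key="quoted value"' pairs into a dict (quotes stripped).
    The Hashes field is Sysmon-like, e.g. Hashes=SHA256=<hex>,MD5=<hex>."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    for part in fields.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.upper() == "SHA256":
            fields["sha256"] = digest.lower()
    return fields


def decode_encoded_command(b64):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_event(fields):
    """Return a finding dict for one event, or None if nothing matched."""
    hits, details = [], {}
    sha = fields.get("sha256")
    if sha in KNOWN_BAD_SHA256:                     # static IoC layer
        hits.append("hash_ioc:" + KNOWN_BAD_SHA256[sha])
    cmd = fields.get("CommandLine", "")
    for name, rx in TTP_RULES:                      # behavioural layer
        m = rx.search(cmd)
        if m:
            hits.append(name)
            if name == "encoded_command":
                details["decoded"] = decode_encoded_command(m.group(1))
    if not hits:
        return None
    # A hash match is strong on its own; TTP hits add up so chains stand out.
    score = sum(3 if h.startswith("hash_ioc:") else 1 for h in hits)
    return {"host": fields.get("Computer"), "hits": hits, "score": score, **details}


def hunt(lines):
    """Run hunt_event over every log line and keep the findings."""
    findings = []
    for line in lines:
        finding = hunt_event(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (benign first, then three suspicious ones).
_ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r'EventID=1 Computer=WS01 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -NoProfile -File C:\scripts\backup.ps1" Hashes=SHA256=' + "00" * 32,
    r'EventID=1 Computer=WS02 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc ' + _ENCODED + '" Hashes=SHA256=' + "11" * 32,
    r'EventID=1 Computer=WS03 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -Command Set-MpPreference '
    '-DisableRealtimeMonitoring $true" Hashes=SHA256=' + "22" * 32,
    r'EventID=1 Computer=WS04 Image=C:\Windows\System32\cmd.exe '
    'CommandLine="cmd.exe /c wevtutil cl Security" Hashes=SHA256=' + "deadbeef" * 8,
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In practice the parser would be replaced by your SIEM's field mapping for Sysmon Event ID 1 or Windows 4688, and the regexes would be tuned against your own baseline of administrative PowerShell so that legitimate automation does not drown the findings; the point is that the hash list and the behavioural rules run over the same events and feed one score.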
By Jason Mical