The cloud-native platform for centralized log management
Products built on the Devo Platform
Leading firms gaining more value from their machine data
Any source, any velocity – centralize logs, metrics, and traces for full visibility.
Close the gap between detection and response with an analyst-focused, cloud-native approach.
Understand complex environments with visual analysis and KPIs that matter most.
The most recent articles & research from Devo
Threat hunting is a proactive, exploratory activity designed to identify unknown threats in an environment. The process is an investigative method of testing an evolving set of hypotheses using technology toolkits that both enable creative detective work and drive workflows based on new findings. Threat hunting techniques shift enterprises from reactive response to proactive identification, enabling them to get ahead in the fight against adversaries.
Threat hunting and threat investigation are two different functions within a SOC. Threat hunting is a proactive approach to identifying unknown threats, while threat investigation is a reactive approach to validating and understanding a known threat.
SOCs are plagued with high rates of data growth and organizational silos – both of which impact visibility. This is further aggravated by a constantly growing attack surface with new applications and services constantly being added.
For most SOCs, license costs and data storage make it too expensive to collect and store all security data for real-time and historical analysis.
Running queries against large volumes of data can slow response times. Some traditional solutions can take hours to run a query due to scalability and performance issues, threatening an organization’s ability to identify and respond to threats.
Threat hunting requires relevant context to accurately identify a sign of compromise, but it can be difficult and time-consuming to connect the dots across petabytes of data and multiple point products.
Modern threats are complex, multi-faceted beasts. Threat actors can now morph attacks on the fly, requiring analysts to hunt dynamically for tactics, techniques, and procedures (TTP).
Missing data can lead to a missed cyber threat, and if left undetected for too long, a potentially high-profile, expensive breach. SOCs leading the charge on threat hunting recognize the need for a single line of sight into all real-time and historical data for comprehensive analysis. This requires collecting, storing, and analyzing all security data in one place, regardless of type, source, or time-horizon, to test evolving hypotheses.
Threats run deep in an environment, remaining undetected for months, even years. Modern SecOps combines the analysis of live, hot data with historical analytics to accurately establish the threat path, tactics, and impact to the business. This requires a powerful data platform that can collect and store event data, always hot, for as long as necessary. The ability to easily look back and drill down into petabytes of data to identify patterns is critical for threat hunting.
Threat hunting does not always lead to a positive outcome. Hunters may test multiple hypotheses throughout the discovery process. As a result, they need agile querying capabilities to pivot, filter, and iterate on their analyses. Threat hunting platforms support creative detective work by enabling simple, fast queries at scale. This allows threat hunters to collect, analyze, and connect various data sets for richer context, without having to wait hours to see the query results.
The cyber threat hunting process for campaigns like advanced persistent threats, or APTs, is difficult in the absence of threat intelligence. Threat hunters tap into high confidence, high fidelity threat intelligence feeds curated by practitioners and indicators of compromise (IoCs) to inform their analyses. This includes integrating proprietary, third-party, and open-source intelligence, or OSINT, feeds in a single threat hunting platform. and automatically enriching hunts with relevant context.
Discover the history of threat hunting, what it looks like today, and how it will shape the modern SOC.
Learn how Devo enables you to proactively identify signs of compromise with full visibility and threat context at scale.
Watch our on-demand webinar with security veteran, Jason Mical, and learn how to construct the full threat story with Devo.