Are we giving our automated security tools too much credit for threat detection? Nearly half of all threats go undetected by automated security tools (44%), according to a recent LinkedIn poll to the 360,000+ member InfoSec Community. Here’s why Sqrrl is arguing to add human-driven analysis to the list of “appropriate activities to identify the occurrence of a cybersecurity event”.
Recently, the National Center for Standards and Technology (NIST) issued a call for revisions to its “Framework for Improving Critical Infrastructure Cybersecurity.” Sqrrl responded to this call by contributing some critical guidelines to include human-driven analysis (commonly known as 'threat hunting') in addition to automated threat detection systems.
Here’s three reasons to include “threat hunting” under the Detect Function that accounts for the timely discovery of cybersecurity events.
1) Automated Detection and Threat Hunting Aren’t the Same Thing
First, that threat hunting is inherently distinct from automated detection. Automated detection mechanisms, such as firewalls, IDS/IPS, SIEMs, and newer advanced analytic tools continuously run in the background firing off alerts using heuristics, matching algorithms, and statistical models. Threat hunting, on the other hand, is a human-driven process that is designed to look for the threats that automated systems miss. Hunters are continuously innovating and adapting to new attacker techniques, and often detecting attacks that sit in the gaps of automated systems.
2) “Threat Hunting” Is Arguably the Biggest Trend in Cybersecurity
Second, threat hunting is one of the fastest-growing trends in cyber security and is rapidly becoming a security staple for SOCs. In a recent industry study, 86% of security professionals stated that their firms engaged in some form of threat hunting. This number is likely to continue to rise as the industry standardizes detection methodologies which best incorporate automated and human-driven detection. Additionally, a 2017 Information Security Community study found that 79% of information security staff feel that threat hunting should or will be their top priority in the upcoming year. Finally, Gartner (a top IT research and advisory firm) is currently developing research to solidify threat hunting as one of the key functions of a SOC.
Source: Cole, Eric, “Threat Hunting: Open Season on the Adversary,” SANS Institute InfoSec Reading Room, 2016
3) “Threat Hunting” is Proven to Reduce Attacker Dwell Time
Third, threat hunting is critical to improving the efficiency and operational effectiveness of SOCs. The value from manual hunts derives from the fact that automated detection systems cannot catch 100 percent of attacks. Instead of just being focused on one or two steps of the attack kill chain hunters are able to identify intruders at any stage of an attack. Threat hunting allows analysts to mitigate the effect of breaches by identifying them before adversaries are able to act upon their objectives. In a survey of 494 organizations conducted by the SANS Institute, 52% of respondents said that hunting techniques had found previously undetected threats on their enterprise. Additionally, 74% of respondents stated that threat hunting reduced their attack surfaces and 59% stated that threat hunting improved the speed and accuracy of their responses to threats.
How Can you Help Ensure Human-driven Analysis Gets Recognized in NIST 2.0?
NIST will determine final revisions to its cybersecurity framework during its Cybersecurity Framework Workshop next month on May 16-17th.