By Mark Terenzoni, Sqrrl CEO
This year’s RSA Conference has come and gone and my team and I had a blast heading to San Francisco to discuss the newest developments in cybersecurity, big data, and of course, threat hunting. Here are a few of the biggest takeaways that I got from talking to folks at this year’s Conference:
1. There has been a major uptick in interest in vendors that are providing threat hunting solutions. To quote Chris Gates, “with all the threat hunting going on at these vendor booths I can't believe there are any threats left to find.” However, in my opinion some vendors are muddying the waters in terms of what threat hunting is and isn’t. I don’t think “automated hunting” is possible, especially at the network level. Hunting, by definition, will always be human-driven. A Threat Hunting Platform can certainly simplify threat hunting, but we shouldn’t be equating next-generation IDS with threat hunting. Additionally, I am sensing that there is still confusion about the differences between endpoint and network hunting. Nearly all of the Endpoint Detection and Response (EDR) firms are now messaging threat hunting, but this is a different type of hunting than what Sqrrl supports. EDR firms focus specifically on hunting for suspicious processes on individual endpoints. Sqrrl fuses endpoint, identity, network, and security feeds to enable hunting across all of them at Big Data scale. Both are highly valuable of course, and Sqrrl’s threat hunting capabilities are fully complementary to endpoint hunting.
2. Many more consulting firms and MSSPs are offering threat hunting as a service, but they aren’t typically providing or using a Threat Hunting Platform. Instead they are conducting their hunts on the customer's existing SIEM, which can be both inefficient and ineffective. Additionally, while more people are using graphs and linked data, these graphs are still largely static and don’t allow for interactive searches.
3. A lot more powerhouse cybersecurity firms are agreeing to share threat intelligence with one another through organizations like the Cyber Threat Alliance and DHS's Automated Indicator Sharing. This is certainly an encouraging sign, as it signals a strong trend towards cooperation within the cybersecurity industry and between industry and government. Threat intelligence analysis and threat hunting are fully complementary activities. Hunting tools should be able to fuse together threat intelligence feeds and marry them with network, identity, and endpoint datasets. I did notice some folks conflating threat intelligence analysis with threat hunting, and so this is another oversight to watch. The simplest form of threat hunting is searching for indicators derived from intelligence, but a Threat Hunting Platform must also enable other types of hunts that are driven by friendly intelligence, hypotheses, and advanced analytics.
4. Good analysts are an increasingly scarce and precious resource. It was clear throughout the show that the industry is too understaffed to address the vast array of threats that it faces. As a result, any tool that helps increase efficiency or limits wasted time for analysts is a top priority for many SOC managers and CISOs.
Sqrrl Founder Ely Kahn, giving a demo of the latest Sqrrl Threat Hunting Platform
All in all, there were a lot of positive takeaways for threat hunting from this year’s RSA Conference. Hunting is gaining a lot of visibility and many people are recognizing the importance of threat hunters, even if best practices for hunting haven’t been adopted throughout the entire industry. If you want to see how your SOC stacks up, check out our Threat Hunting Maturity Model. For demonstrations on how to actively threat hunt using the latest version of Sqrrl, check out this video demo.