Sqrrl Blog

Mar 15, 2016 6:22:00 PM

What Is a Threat Hunting Platform: Part 2 - Benefits and Sqrrl

In Part 1 of this blog series we discussed the concept of a threat hunting platform (THP) and the capabilities a THP provides to security analysts who want to proactively find threats hidden in their data. In Part 2 we take a look at the benefits a THP can deliver and present Sqrrl as an example of a best-in-class THP.

Key Benefits of a Hunting Platform

There are three main benefits gained by using a THP.

  1. Find threats your other tools are missing. With the average cost of a cyber incident around $6.75 million, every organization needs to diversify its detection capabilities to include hunting. Proactive detection is the best way to locate attackers in your network once they have made it past your automated detection systems. Even the best hunters need the right tools, and a THP can greatly enhance the proactive detection of threats that evade other defenses. Effective hunting can lower the dwell time of an adversary from an average of 205 days to just a few hours. Analysts get a better understanding of a network from contextual visualizations, which lets them investigate with more precision and clarity than traditional row-based log analysis or a patchwork of custom tools afford. A THP eliminates the fragmentation of the hunting process across many tools.

  2. Increase analyst productivity and efficiency. A SOC that deploys a THP will see an increase in analyst efficiency that can result in cost savings and/or the ability to take on new security activities. A THP increases efficiency and productivity in a few different ways. First, a THP such as Sqrrl Enterprise can automate, and add context to, the searches and analytics that are typical of a hunt. Second, a THP can improve collaboration across a hunt team by allowing analysts to jointly pursue an investigation, share searches, and ensure proper access controls. Such collaboration can help tier 1 and tier 2 analysts undertake more advanced hunting procedures.

  3. Make better use of your existing data. Many enterprises today cannot effectively make use of all the data available to them. Large datasets, such as flow data, are often not fully leveraged because of storage limitations, and datasets such as threat intelligence are siloed from other datasets. A THP should have Big Data storage capabilities that allow an organization to fuse large, disparate datasets together and so make more effective use of the data it already has. Figure 1 depicts how a THP can unite datasets from your SIEM with other relevant datasets and serve as a critical piece of an “active defense” security architecture.

If you're still unsure of how to hunt, check out the Framework for Threat Hunting.


Fig. 1 How a THP Fits into a Security Ecosystem

Sqrrl Enterprise as a Comprehensive Hunting Platform

Sqrrl Enterprise is a hunting platform that helps organizations detect and respond to advanced threats as quickly and efficiently as possible. Sqrrl Enterprise brings best-in-class capabilities to each of the four requirements of a THP.

Exploration: Sqrrl’s THP takes a unique approach to managing security data through the Behavior Graph, which uses linked data models to represent entities (e.g. users, files, URLs, or host machines) and lets an analyst see and track the relationships between them in context. Linked data models predefine and automate search pathways, so analysts can click through visualizations to proceed in an investigation rather than having to write custom search scripts. To give a hunter an idea of where to start an investigation in a sea of data, Sqrrl Enterprise ranks entities and detected anomalies by the risk they have been evaluated to carry (powered by the analytics described below). Customizable dashboards and queries let a hunter maintain relevant starting points for investigations, and expanding the relationships between entities in the Behavior Graph is fluid, enabling continuous question chaining. This key capability, together with Sqrrl’s more traditional raw data exploration features, lets analysts locate threats through visualizations and contextual searches.


Fig 2. Sqrrl Behavior Graph with Simple Relationship Expansion

Analytics: Combining analytics with Sqrrl’s investigative capabilities gives an analyst even more power and faster clarity in finding threats and anomalies. Sqrrl Enterprise uses User and Entity Behavior Analytics (UEBA) to power risk scoring and kill chain-oriented detectors. Used in conjunction with the Behavior Graph and the relationships intrinsically built into it, Sqrrl's risk-based entity profiles can establish a baseline with more depth and dimension than traditional behavior analytics: the baseline covers many kinds of transactions and associations, not just factors like login patterns. Kill chain-oriented detectors are passive analytics that focus on adversary Tactics, Techniques, and Procedures (TTPs) and entity behaviors to surface anomalies and starting points for hunts. They target TTP-based behaviors including beaconing, lateral movement, data staging, and exfiltration. Here too the Behavior Graph enables analysis that is hard to achieve by other means: using graph analytics, Sqrrl can find and correlate connections (paths on a graph) between two suspicious events and assess their significance, giving analysts a more insightful picture of what is happening.


Fig 3. A Lateral Movement Detector Profile, Powered by Sqrrl Analytics
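To make the Exploration and Analytics capabilities above concrete, here is an added Python example. It is not Sqrrl's code and does not use the Sqrrl API; it shows the ideas in miniature. It builds a small linked-data graph from constructed events, runs two toy kill chain-oriented detectors (beaconing, scored by how periodic a host's connections to a destination are, and lateral movement, flagged when a user logs on to a second host within a time window), and then uses breadth-first search to find the path that links the two detector hits, the "connections (paths on a graph) between two suspicious events" described above. The event format, entity names, hosts and IP addresses (from the RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Toy behavior graph over constructed security events, plus two simple
kill chain-oriented detectors and a graph search that links their hits.
Sample data is constructed for illustration and is not real telemetry."""
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed events: (timestamp in seconds, source entity, relation, target entity)
EVENTS = [
    (0,    "user:alice", "logged_on",    "host:ws01"),
    (60,   "host:ws01",  "connected_to", "ip:203.0.113.7"),
    (120,  "host:ws01",  "connected_to", "ip:203.0.113.7"),
    (180,  "host:ws01",  "connected_to", "ip:203.0.113.7"),
    (240,  "host:ws01",  "connected_to", "ip:203.0.113.7"),
    (300,  "host:ws01",  "connected_to", "ip:203.0.113.7"),
    (400,  "user:alice", "logged_on",    "host:fs02"),        # second host within an hour
    (500,  "host:fs02",  "wrote",        "file:staging.zip"), # possible data staging
    (900,  "host:ws01",  "connected_to", "ip:198.51.100.9"),
    (1300, "host:ws01",  "connected_to", "ip:198.51.100.9"),
]


def build_graph(events):
    """Linked data model as an undirected adjacency map: graph[a][b] = relation.
    Expanding a node's neighbours is the 'click-through' step of an investigation."""
    graph = defaultdict(dict)
    for _, src, rel, dst in events:
        graph[src][dst] = rel
        graph[dst][src] = rel
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search: the chain of entities connecting two suspicious
    events, or None if they are unrelated in the data."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def beacon_score(events, src, dst, min_hits=4):
    """Regularity of connection timing: coefficient of variation of the gaps
    between successive connections. Values near 0 mean near-perfect
    periodicity, a classic command-and-control beacon pattern. Returns None
    when there are too few connections to judge."""
    times = sorted(t for t, s, r, d in events
                   if s == src and d == dst and r == "connected_to")
    if len(times) < min_hits:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps)


def lateral_movement(events, window_s=3600):
    """Users who log on to a different host within window_s seconds of a
    previous logon. Returns {user: [(from_host, to_host), ...]}."""
    logons = defaultdict(list)
    for t, src, rel, dst in events:
        if rel == "logged_on":
            logons[src].append((t, dst))
    hits = defaultdict(list)
    for user, seq in logons.items():
        seq.sort()
        for (t1, h1), (t2, h2) in zip(seq, seq[1:]):
            if h1 != h2 and t2 - t1 <= window_s:
                hits[user].append((h1, h2))
    return dict(hits)


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    print("beacon score ws01 -> 203.0.113.7:",
          beacon_score(EVENTS, "host:ws01", "ip:203.0.113.7"))
    print("lateral movement:", lateral_movement(EVENTS))
    # Correlate the two detector hits: how does the beaconing destination relate
    # to the staged file? The path is the chain a hunter would follow by
    # expanding one entity at a time in the graph.
    print("path:", " -> ".join(
        shortest_path(graph, "ip:203.0.113.7", "file:staging.zip")))
```

A real beaconing detector needs more than the coefficient of variation (adversaries add jitter, and short windows produce false positives), and a production platform would fold these detector outputs into per-entity risk scores; the point here is that once events are stored as relationships, "how are these two alerts connected?" becomes a graph query rather than a manual log correlation.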

Collaboration: At the core of all investigations done through Sqrrl are linked data models shared by multiple analysts. These models let analysts maintain a common ontology of how entities within a network relate to each other, and give them a single pane of glass through which they can collectively conduct an investigation in the same terms. Sqrrl lets analysts record and play back investigations so they can build on the work already done by a colleague. Investigations recorded in this way can be annotated and commented on. By allowing hunters to share searches and active investigations with others on their team, Sqrrl facilitates the collaboration that is key to an effective hunting team.


Fig 4. Collaborative Annotation of a Saved Investigation 

Data: Sqrrl’s big data foundation, Apache Accumulo on Hadoop, allows for secure petabyte-scale data storage. Sqrrl consumes disparate datasets gathered from across your network, as well as alerts from other solutions, and handles the heavy lifting of fusing everything into linked data models organized by relationships from which more contextual meaning can be extracted. This lets analysts spend more of their valuable time on undertaking hunts and disrupting attacks. Gathering and contextualizing information from different sources is a critical step in developing an effective analysis both of vulnerabilities in your own infrastructure and of the threats facing you over time. Note that a platform which concentrates this much telemetry in one place is itself a high-value target, so the platform's own access controls, encryption, and audit logging are requirements rather than extras.

THP Technology / Sqrrl Capabilities

Exploration

  • Visual search and investigation

  • Comprehensive query language

  • Sqrrl Behavior Graph for linked data visualization and contextual search

  • Reports and dashboards

  • Custom SQL-like and graph queries

  • Forensic raw data drill down on datasets

Analytics

  • Out-of-the-box analytics

  • Customizable analytics

  • Advanced UEBA including TTP detectors that leverage machine learning and graph algorithms

  • Fast creation of custom analytics using anomaly filters and dashboards

Collaboration

  • Common frame of reference

  • Analyst workflow tools

  • Linked data models (aka ontologies) provide a shared language

  • DVR/instant replay, case files, and annotations for investigation sharing to enable collaboration across analysts

Data

  • High scalability to store a long historical record

  • Multi-tenancy / multi-level security

  • Multi-petabyte scalability

  • Fine-grained access controls, encryption, and audit

With the right tools, even the most complex tasks are made easier. The difference is between working with disparate tools and datasets and working with a streamlined  Effective and scalable hunting is difficult to carry out, but a threat hunting platform like Sqrrl enables you to increase your hunting maturity with relative ease. Interested in more detailed information on Threat Hunting? Download our Framework for Threat Hunting Whitepaper:



Topics: Cyber Threat Hunting, Hunting Platform