What’s the ROI of Threat Hunting?

How can IT security threat hunters measure success? That is one of the core questions raised by the new SANS 2019 Threat Hunting Survey, which was co-sponsored by Authentic8.

*

The  answer may lie in a strategy and tool selection that avoids mission and  cost creep, and results in measurable effects - and savings - to prove  it.

That’s our main takeaway from this year’s Threat Hunting Survey. Co-authors Mathias Fuchs and Joshua Lemon capture the different  needs and challenges within organizations that are just starting their cyber threat hunting program, versus those who are honing their skills and programs.

Definitions of Threat Hunting

What is threat hunting? The SANS survey results document a wide variety of methodologies, spending  priorities, tools deployed, training needs - and opinions about what  constitutes effective threat hunting practices.

"Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and threat hunting expert. "It seems that fewer organizations are using hypothesis-driven  hunting—and that could leave them vulnerable to dangerous visibility  gaps."

Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artifacts (57%).

Illustration: SANS 2019 Threat Hunting Survey Cover (Authentic8)

The SANS security professionals label such approaches as “excellent supplements [that] should not take  the place of using proactive hunting techniques.” Only 35% of  respondents create hypotheses to guide their hunting activities, they  point out.

One reason may well be that threat hunters have (too) much on their plate already. Organizations continue to require threat hunters to work in multiple cybersecurity roles. Cybersecurity professionals conducting threat intelligence report having major responsibilities for managing SOC alerts (34%) or IR and forensics of breaches (26%).

Threat Hunters Under Pressure

Another challenge threat hunters are facing, says report co-author Josh Lemon, is that organizations  have difficulty measuring the benefits or organizational impact of threat hunting.  Being able to measure and show the performance abilities of a threat hunting team, concludes Lemon, “can make or break a team, its funding or its objectives."

That’s why more threat hunting teams of all sizes are relying on Silo Research Toolbox, a cloud-based web isolation and research platform built for the rigors of threat research across the open, deep, and dark web.

Illustration: Covert Online Investigation Tools: How Yesterday’s DIY Is Today’s Negative ROI (Authentic8 Blog)

Source (excerpt): Economics of Silo Research Toolbox

Silo saves money and resources over the “DIY approach” of creating a threat hunting platform from off-the-shelf and open source solutions. Many threat hunters face questions in their organizations over the cost creep and  configuration, maintenance, and post-mission clean-up burden resulting  from the old approach.

Threat hunting teams that deploy Silo Research Toolbox save on average 89% annually over those who operate a custom-made solution, as an itemized comparison shows.

Download your FREE copy of the SANS 2019 Threat Hunting Survey now.