itb-nz logo
Story image

Companies not utilising threat hunters correctly – study

17 Dec 2019

ThreatQuotient, a pioneer in the security operations platform market, announced the results of the SANS Threat Hunting 2019 study.

The most interesting result is the worldwide confusion about the role and tasks of a threat hunter.

The study, sponsored by ThreatQuotient and conducted by SANS, is based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.

Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them.

This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.

“However, the reality within corporate IT is often different,” says ThreatQuotient CE regional sales manager Markus Auer.

“In many teams, the distinction between SOC, IR and threat hunting are too blurred, and threat hunters are used for reactive processes contrary to their actual role.”

The SANS study data confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%).

Only 35% of participants say that they work with hypotheses during threat hunting a process that should be part of the arsenal of every threat hunter.

“Responding to threats is important for security, but it is not the main task of the threat hunter.

“They should be looking for threats that bypass defences and never trigger an alert, Auer emphasises.”

The fact that threat hunting is still in its infancy is evident based on suboptimal prioritisation of resources.

“Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says SANS certified instructor and study co-author Mathias Fuchs.

“When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.”

In fact, 71% of participating companies consider technology to be first or second in terms of resource allocation for threat hunting.

Only 47% of respondents focus on hiring new personnel and 41% on training employees.

Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures.

Ideally, experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting.

These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organisations.

Threat hunting teams benefit from a single security architecture that integrates seamlessly with existing processes and technologies.

Story image
Ericsson bolsters 5G portfolio with $1.1b Cradlepoint buyout
Ericsson will acquire Cradlepoint to create greater market share in the enterprise 5G space, boosting Ericsson’s existing 5G portfolio that includes IoT and enterprise network solutions.More
Story image
Beyond Limits hits $133 million in Series C investment round
The company, which focuses on demanding sectors such as energy, utilities and healthcare, says the investment will help to drive the global expansion of AI technology. More
Story image
Fiverr launches platform to bring freelancers closer to business
Fiverr says it wanted to create an integration that could fit into an organisation’s workflow and become ‘part of the digital onboarding experience’ for employees, meaning freelancers can access email, Slack, Dropbox, and the Fiverr Business team account.More
Story image
Google starts Android 11 rollout - a taste of what's new
Android 11 is now live – but if you don’t have one of the ‘selected’ OnePlus, OPPO, Pixel, realme, or Xiaomi phones, you might be in for a bit of a wait.More
Story image
Case study: MECCA has HCM makeover with Workday
The phased HCM makeover began in 2017, when the company made the decision to launch a three to five-year program to digitalise its human capital management technology so that it could simplify everyday requirements for its team members and enable them to self-serve. More
Story image
Gartner: By 2023, 65% of the world will have personal data covered under modern privacy regulations
“Security and risk management (SRM) leaders need to help their organisation adapt their personal data handling practices without exposing the business to loss."More