Oftentimes in security, the practice of threat hunting is aspirational, as organizations consistently find themselves bogged down with alerts and forced to act on threats retroactively. That being said, more organizations are realizing that proactively hunting threats enables earlier detection, reduces dwell time, and improves defenses against future attacks. This year, Cybersecurity Insiders conducted their third annual threat hunting research project in hopes of understanding the evolution of threat hunting and how organizations of different maturity levels are utilizing this discipline. With more companies adopting threat hunting, the 2019 Threat Hunting Report provides insight into why companies are leveraging threat hunting, what tools and data they’re utilizing, and what challenges SOCs face while trying to enable threat hunting.
This year’s survey confirmed that while threat hunting is still an emerging discipline, it’s gaining popularity amongst security organizations. 77% of respondents stated that they have a moderate or high degree of knowledge about threat hunting. Additionally, a third of respondents are confident to very confident in their team’s ability to uncover advanced threats. The survey also revealed that the majority of respondents reported their threat hunting budgets are expected to increase over the next 12 months. This will be used to invest in security staff, new threat hunting technologies, and managed security services.
So we know companies are prioritizing and investing in threat hunting, but why? Well, when asked about the top benefits of threat hunting, 62% said it improves detection of advanced threats, 59% said it reduces investigation time, and 51% said it saves time from manually correlating events. Giving time back to analysts is key, as it allows them to work on other time intensive tasks.
This survey also shed light on the tools and data being leveraged for threat hunting. Utilizing threat hunting tools is a powerful way to achieve visibility across infrastructure and identify new threat patterns. The survey reported that the top technologies that organizations are utilizing for threat hunting are SIEM (55%), NGFW/IPS/AV (53%), Vulnerability Management (48%), and Network IDS (47%). In addition to using threat hunting tools, SOCs are also incorporating various data sources to gain additional context on indicators. The survey found that the most utilized data includes external threat intelligence feeds (57%), file activity data (51%), and system patch status (47%). This demonstrates that most SOCs that are threat hunting are utilizing both threat hunting tools and multiple data sources.
Although we’ve made some great strides this year, the industry still has a long way to go before SOCs fully embrace proactive threat hunting. In fact, 52% of respondents stated that they are behind the curve when it comes to threat hunting. While there is some great evidence that threat hunting is on the rise, there are still some barriers companies need to get over before they can even think about taking a proactive approach. For example, 70% of respondents stated that they don’t have enough time to spend searching for emerging and advanced threats in their SOC. Additionally, according to the survey, only 15% of SOC employees are involved in threat hunting. Without the tools and resources, it is very difficult for companies to prioritize threat hunting and reap the benefits.
The survey does give us hope that while we still have a way to go before threat hunting a common practice amongst SOCs, companies are starting to realize the benefits of threat hunting and are taking steps to invest and prioritize this practice.