Democratizing Threat Hunting: How to Make it Happen for Everyone

A report for everyone at every level of security, the Security Outcomes Study was released in December.  In the report, we surveyed more than 4,800 IT, security and privacy professionals to find out what matters most in their security practice.  Topics such as tech refresh, risk management, and incident response were examined from the perspective of a roadmap for success in an information security program for organizations of all sizes.

The findings of the Security Outcomes Study are interesting, with correlations that generate strong inferences between topics. To understand more deeply how the findings of the report are applicable to those who work with the day-to-day operations, from intelligence gathering, to all the other security operations, we decided to interview a security practitioner.

An expert’s eye on the findings

We spoke with Eric Hulse, Director of Security Research at Cisco to gain his insights into what were some of the most interesting findings of the study, and how it can be used to achieve success in a security program.

Eric found the study to be useful, as it shows there is a business impact in performing certain best factors.  “The report does a great job of amalgamating and highlighting why these topics are important. Having this data at our hands allows us to align our risk exposure to do some of the important work.” Eric stated quite clearly that “there is nothing more vexing to an IT professional than conveying to superiors why something needs to be. This report helps us align those reasons and obtain buy-in from management as they understand the criticality of why something needs to be done”.

Cost minimization – a CEO’s best friend

Another example of how the report reflects findings that align with management as well as with the security operations is through the findings about the value of threat hunting.  In the past, most executives viewed cybersecurity as a rear-view mirror problem; cybersecurity was a reactive practice.  This is not necessarily the best business strategy. After all, the threat landscape is much different now than it was just a few years ago, and businesses are more at risk to threats today than ever before — and therefore a better, more proactive measure like threat hunting is now imperative.

Threat hunting serves the dual purpose of managing top risks, as well as avoiding major incidents.   Both risk, and cost are top of mind for the C-suite. The greater the threats, the longer they stay undetected and unresolved, the greater the cost to the brand when a breach happens.  This also results in a greater cost for repair and cleanup, both technically, and reputationally.  Proactively hunting for threats minimizes the risk and cost of a breach.  Not only that, but it goes towards cost-minimization, as well as minimizing unplanned work.  These are the types of things that raise the confidence of the team all the way up to the C-Level.

Effect of various practices on desired outcomes

A practitioner’s roadmap to success

From a practitioner’s perspective, threat hunting enables us to better work through our incident response capabilities. Eric Hulse makes a note that one figure in the Security Outcomes Study indicates that 40% of respondents were less likely to agree that they learned anything from prior instances.  However, this only fortifies the importance of threat hunting.  “Every incident needs to be propagated over to threat hunting to build and continue to establish more hypotheses and vectors for future hunting.”

Percent of respondents who strongly agree their firm allows each security practice

One may wonder why an organization would go directly to threat hunting as a security approach, rather than the traditional route of pen testing?  Thanks to the recent efforts of many dedicated professionals, Cisco has become a “change agent” that helps democratize and simplify threat hunting for organizations.  When we consider all the various professional “breach investigation” reports and “institute” findings of the last few years, many of them remark about the “dwell time” of a cyber incident, that is, how long the attackers remained undetected in a system prior to the discovery of the breach event.  With technology advancements and improved feature sets, including products like Cisco’s Secure Endpoint Premier with SecureX Threat Hunting puts threat hunting well within the reach of all companies, no matter the size or security maturation level they have already achieved.

Don’t throw out the old

To be clear, all the legacy methods are still valid as part of a layered defense. The respondents in the Security Outcomes Study make the point that a tech refresh is among the most important factors of a successful security program.  There is a strong connection between threat hunting and tech refresh.  For example, one of the problems of old technology is that it is often forgotten, or never updated, leaving it in a vulnerable state.  Threat hunting can help to uncover these weaknesses, which will further emphasize the need for updated technology.

Practices most strongly correlated with overall security program success

It is understandable that many organizations are not at the point of security maturity to incorporate threat hunting into their defense posture.  That makes a stronger justification for keeping a proactive tech refresh at the top of every budget discussion.  In time, tech refresh and threat hunting should be part of the standard security approach in all organizations.  Eric puts it very bluntly, “At its essence, security is about managing risk. However, when you are assigning architectural controls to mitigate that risk, it lacks validation.  Threat hunting is part the next evolution of risk management.”

It becomes evident that the Security Outcomes Study has something for every level of the corporate security chain.  As Wendy Nather, Head of Advisory CISOs, Duo Security at Cisco so eloquently puts it at the beginning of the report, “This is not a marketing report to toss in your swag bag and ignore; this is a report to cuddle up with and read over and over again. In fact, this report will change how we think about running infosec programs.”

Recommended reading (and listening):