POWERED BY INTELLIGENT BRANDS // Enterprise Security

ThreatQuotient-sponsored SANS study Threat Hunting 2019 shows role of threat hunter often unclear

ThreatQuotient has revealed the results of the SANS Threat Hunting 2019 study. The study, conducted by SANS, is based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.

ThreatQuotient, a pioneer in the security operations platform market, has announced the results of the SANS Threat Hunting 2019 study. The most important result is the worldwide confusion about the role and tasks of a threat hunter. The study, sponsored by ThreatQuotient and conducted by SANS, is based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.

Unlike the Security Operations Centre (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves forming hypotheses about the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.

“However, the reality within corporate IT is often different,” said Markus Auer, Regional Sales Manager CE at ThreatQuotient. “In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”

The SANS study data confirms that most threat hunters react to alerts (40%) or to data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter.

“Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defences and never trigger an alert,” said Auer.

The fact that threat hunting is still in its infancy is evident from the suboptimal prioritisation of resources.

“Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” said Mathias Fuchs, Certified Instructor at SANS and co-author of the study. “When threat hunting is carried out, it is more of an ad hoc approach than a planned programme with budget and resources.”

In fact, 71% of participating companies rank technology first or second in terms of resource allocation for threat hunting. Only 47% of respondents focus on hiring new personnel and 41% on training employees.

Due to the proactive nature of threat hunting, companies often find it difficult to accurately measure the economic benefits of these security measures. Ideally, the experts prevent threats from becoming a critical problem in the first place. However, 61% of respondents said their overall IT security status has improved by at least 11% due to threat hunting. These figures show that targeted threat discovery is important and that investing in dedicated threat hunting teams delivers measurable improvement in IT security for organisations.

Threat hunting teams benefit from a single security architecture that integrates seamlessly with existing processes and technologies. The ThreatQ platform enables such an architecture. The solution accelerates and simplifies investigations and collaboration within and across teams and tools. It supports incident response and threat hunting and serves as a threat intelligence platform. Through automation, prioritisation and visualisation, disruptions can be minimised and high-priority threats can be identified to enable more targeted action and provide decision support for limited resources.

Markus Auer, Regional Sales Manager CE at ThreatQuotient