McAfee report reveals secrets of successful threat hunters and SOCs

Effectiveness comes with complementary investments in human-machine teaming.

McAfee has published Disrupting the Disruptors, Art or Science?, a new report investigating the role of cyberthreat hunting and the evolution of the security operations centre (SOC). Looking at security teams through four levels of development (minimal, procedural, innovative and leading), the report finds that advanced SOCs devote 50 percent more time than their counterparts to actual threat hunting.
 
The Threat Hunter
Threat hunting is becoming a critical role in defeating bad actors. A threat hunter is a professional member of the security team tasked with examining cyberthreats using clues, hypotheses and experience from years of researching cybercriminals, and is incredibly valuable to the investigation process. Per the survey, companies are investing in and gaining different levels of results from both tools and structured processes as they integrate “threat hunting” activities into the core security operations centre.
 
As the focus on professional threat hunters and automated technology increases, a more effective operations model for identifying, mitigating and preventing cyberthreats has emerged: human-machine teaming. In fact, leading threat hunting organisations are using this method in the threat investigation process at more than double the rate of organisations at the minimal level (75 percent compared to 31 percent).
 
“Organisations must design a plan knowing they will be attacked by cybercriminals,” said Raja Patel, vice president and general manager, Corporate Security Products, McAfee. “Threat hunters are enormously valuable as part of that plan to regain the advantage from those trying to disrupt business, but only when they are efficient can they be successful. It takes both the threat hunter and innovative technology to build a strong human-machine teaming strategy that keeps cyber threats at bay.”
 
Key findings:
Results:
• On average, 71 percent of the most advanced SOCs closed incident investigations in less than a week, and 37 percent closed threat investigations in less than 24 hours
• Novice hunters only determine the cause of 20 percent of attacks, compared to leading hunters verifying 90 percent
• More advanced SOCs gain as much as 45 percent more value than minimal SOCs from their use of sandboxing, improving workflows, saving costs and time, and collecting information not available from other solutions
Strategies:
• Sixty-eight percent say better automation and threat hunting procedures are how they will reach leading capabilities
• More mature SOCs are two times more likely to automate parts of the attack investigation process
• Threat hunters in mature SOCs spend 70 percent more time on the customisation of tools and techniques
 
Tactics:
• Threat hunters in more mature SOCs spend 50 percent more time on actual threat hunting
• The sandbox is the number one tool for first- and second-line SOC analysts, while higher-level roles relied first on advanced malware analytics and open source. Other standard tools include SIEM, Endpoint Detection and Response, and User Behaviour Analytics, and all of these were targets for automation
• More mature SOCs use a sandbox in 50 percent more investigations than entry-level SOCs, going beyond conviction to investigate and validate threats in files that enter the network
 
The Threat Hunter playbook: human-machine teaming
Aside from manual study in the threat investigation process, the threat hunter is key in deploying automation in security infrastructure. The successful threat hunter selects, curates and often builds the security tools needed to thwart threats, and then turns the knowledge gained through manual investigation into automated scripts and rules by customising the technology. This combination of threat hunting with automated tasks is human-machine teaming, a critical strategy for disrupting cybercriminals of today and tomorrow.