McAfee has polled over 700 IT and security professionals from a diverse set of countries, industries, and organization sizes about the role of threat hunting and the evolution of the security operations center (SOC).
Per the survey, companies are investing in and gaining different levels of results from both tools and structured processes as they integrate “threat hunting” activities into the core security operations center.
Looking at security teams through four levels of development – minimal, procedural, innovative and leading – the resulting report finds that:
- On average, 71 percent of the most advanced SOCs closed incident investigations in less than a week and 37 percent closed threat investigations in less than 24 hours
- Novice hunters only determine the cause of 20 percent of attacks, compared to leading hunters’ verifying 90 percent
- More advanced SOCs gain as much as 45 percent more value than minimal SOCs from their use of sandboxing, improving workflows, saving costs and time, and collecting information not available from other solutions
- More sophisticated security organizations get far better leverage from their threat intelligence investments by emphasizing local, private and paid intelligence sources
- More mature SOCs are two times more likely to automate parts of the attack investigation process
- Successful cybersecurity teams are three times as likely to automate threat investigation
- Advanced SOCs devote 50 percent more time than their counterparts on actual threat hunting
- Threat hunters in mature SOCs spend 70 percent more time on the customization of tools and techniques
- Sandbox is the number one tool for first and second line SOC analysts, where higher level roles relied first on advanced malware analytics and open source. Other standard tools include SIEM, Endpoint Detection and Response, and User Behavior Analytics, and all of these were targets for automation.
The threat hunter playbook
A threat hunter is a professional member of the security team tasked with examining cyberthreats using clues, hypotheses and experience from years of researching cybercriminals, and is incredibly valuable to the investigation process.
Aside from manual study in the threat investigation process, the threat hunter is key in deploying automation in security infrastructure.
The successful threat hunter selects, curates and often builds the security tools needed to thwart threats, and then turns the knowledge gained through manual investigation into automated scripts and rules by customizing the technology.
This combination of threat hunting with automated tasks is human-machine teaming, a critical strategy for disrupting cybercriminals of today and tomorrow.
In fact, leading threat hunting organizations are using this method in the threat investigation process at more than double the rate of organizations at the minimal level (75 percent compared to 31 percent).