ThreatQuotient, a pioneer in the security operations platform market, today announced the results of the SANS Threat Hunting 2019 study.
The study, sponsored by ThreatQuotient and conducted by SANS is, based on data collected from 575 participating companies that either work with or operate their own threat hunting teams.
Unlike the Security Operations Center (SOC) and Incident Response (IR) teams, threat hunters not only respond to network threats, they proactively search for them. This involves making hypotheses on the existence of potential threats, which are then either confirmed or disproven on the basis of collected data.
Markus Auer, Regional Sales Manager CE at ThreatQuotient, said: “However, the reality within corporate IT is often different. In many teams, the distinction between SOC, IR and threat hunting is too blurred, and threat hunters are used for reactive processes contrary to their actual role.”
The SANS study data confirms that most threat hunters react to alerts (40%) or data such as indicators of compromise from the SIEM (57%). Only 35% of participants say that they work with hypotheses during threat hunting – a process that should be part of the arsenal of every threat hunter. “Responding to threats is important for security, but it is not the main task of the threat hunter. They should be looking for threats that bypass defenses and never trigger an alert,” Auer emphasizes.
The fact that threat hunting is still in its infancy is evident based on suboptimal prioritization of resources. “Many companies are still in the implementation phase and are more willing to spend money on tools than on qualified experts or training existing employees to be threat hunters,” says Mathias Fuchs, Certified Instructor at SANS and co-author of the study. “When threat hunting is carried out, it is more of an ad hoc approach than a planned program with budget and resources.”
For more news visit here.