How the Best Security Operations Centers (SOCs) Hunt Threats
Sandboxing, endpoint detection and response (EDR) and user behavior analytics often play key roles in successful threat hunting, according to a study of more than 700 IT and security professionals conducted by antivirus software provider McAfee.
The McAfee “Disrupting the Disruptors, Art or Science?” report, released during the Black Hat USA 2017 conference in Las Vegas, indicated that mature security operations centers (SOCs), i.e. those that use advanced threat hunting tools and technologies, are three times more willing than others to automate parts of the threat investigation process.
In addition, the report showed that every level of mature organizations’ threat identification and investigation processes has automation options.
Seventy-one percent of the most advanced SOCs close incident investigations in less than a week, and 37 percent close threat investigations in less than 24 hours, the report indicated.
Comparatively, novice threat hunters only determine the cause of 20 percent of attacks, according to McAfee.
More Report Findings
The sandbox is the number one tool for first- and second-line SOC analysts, and higher-level roles typically rely on advanced malware analytics and open source tools, McAfee stated.
More mature SOCs use a sandbox in 50 percent more investigations than entry-level SOCs to examine and validate threats in files that enter their networks, McAfee pointed out.
The report also showed that other standard threat hunting tools include:
- Security information and event management (SIEM).
- User behavior analytics.
Meanwhile, more mature SOCs are two times more likely to automate parts of the attack investigation process, and 68 percent of all SOCs said better automation and threat hunting procedures will determine how they will improve their threat hunting strategies, McAfee said.
The Future of SOC Threat Hunting
Going forward, threat hunting backed by automation and analytics may drive organizations’ security operations, McAfee stated.
The success of threat hunters is based on a combination of human and machine learning, McAfee indicated, and automation may help threat hunters in a variety of ways, including:
- Reduce manual steps in the threat hunting process.
- Customize scripts for the threat hunting environment.
- Test new threat hunting ideas.
Furthermore, McAfee pointed out that leading threat hunters continuously use analytics to search for ways to improve their threat hunting strategies – something that provides a valuable lesson for novice threat hunters.
“Mature organizations think in terms of building capabilities to achieve an outcome and then think of the right technologies and processes to get there. Less mature operations think about acquiring technologies and then the outcome. It’s a classic top down versus bottom up approach. In this case, top down wins!” McAfee Principal Engineer Mo Cashman said in a prepared statement.