ThreatWatch Hunt – Proactive Threat Hunting
Threat hunting can reduce dwell time, the time between a breach and its discovery. Shortening that time can make the difference between spending a few thousand dollars on remediation and millions to deal with a full-on compromise.
- Do you know if you’ve been hacked?
- Can you identify threats that don’t use known malware or indicators of compromise like “fileless” attacks that leave no files or malicious tools on a hard drive?
These are questions that keep IT security professionals up at night. With an average dwell time of 197 days and an additional 69 days to contain the breach (IBM 2018 Cost of Data Breach study), attackers have ample opportunity to plan and carry out the theft of intellectual property, customer data, and other valuable information. Each additional day it takes to identify and contain a threat provides opportunities for the attackers to access more records and a greater negative impact on your brand.
Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve. (IBM 2018 Cost of Data Breach study)
What is Proactive Threat Hunting?
Proactive Threat Hunting goes beyond the traditional SOC-based threat hunting activities by looking for threat indicators from systems which may not be sending their system logs or that are outside the scope of logging.
Proactive Threat Hunting requires toolsets and technology beyond what normal Security Operations maintain to perform their day-to-day threat monitoring and triage activities. When proactive methods and technologies are used, it can reduce false positives, enhance the accuracy and speed positive confirmation of threat analysis/response activities in the SOC.
How it Works
ThreatWatch® Hunt integrates hunting toolsets and methods with Security On-Demand’s proprietary correlation and behavioral analysis capabilities, such as machine learning-based artificial intelligence and supervised learning models that use behavioral analysis of attack patterns. As part of the service, SOD will:
- Monitor the alerts, logs, and output provided by the advanced threat hunting activities
- Correlate such activity with logs, alerts, and other information received
- Validate the threat as part of the triage and investigation process
- Tune and provide continual feedback to ensure that normal system behavior is baselined
Once an alert for a potential threat is received, the data is correlated with other security information and then our SOC team will respond to further triage and investigate the suspicious activity.
The ThreatWatch Hunt service conducts periodic scheduled scans of network devices. Implants and threats discovered during a sweep initiate an alert to the ATLAS Analytics Platform.
ThreatWatch Hunt Benefits
- Close the gap between post event and time to detect
- Provides insight into malware that might be “hidden” on a device
- More cost-effective than additional real-time detection layers
- Denies ability of attackers to persist undetected
- Get analysis of entire customer environment, not just alerts from specific devices
- Enables us to look at every device on the network, not just devices we are collecting data from
- Easier to “hunt” for malicious threats
- Identify things holistically that don’t belong
- Tracks device state and identifies abnormal changes
- Layered detection – go beyond what security protection products can analyze