The Threat-Hunter's Secret to Success: Human-Machine Teaming

A report examining the role of humans in the investigation of cyberthreats and the planned use of automation in the security operations center has found that experienced threat hunters verify, on average, 90% of the root causes of attacks. They also embrace automation.

By contrast, McAfee’s Disrupting the Disruptor, Art or Science? report also found that new and inexperienced threat hunting organizations determine the root cause in only one-fifth (20%) of attacks—likely due to their lagging use of machine learning and automation.

A threat hunter is a professional member of the security team tasked with examining cyberthreats using clues, hypotheses and experience from years of researching cyber-criminals. McAfee found that 71% of SOCs at maturity level 4 closed incident investigations in less than a week because of the context provided by skilled threat hunters—and 37% closed threat investigations in less than 24 hours. These organizations were also twice as likely to automate parts of the attack investigation process (75% compared to 31% of organizations at the minimal level), and as a consequence they are able to devote 50% more time to actual hunting.

Less experienced outfits are taking notice of these outcomes, and 68% of those surveyed said better automation and threat hunting procedures are how they will reach leading capabilities.

“Organizations must design a plan knowing they will be attacked by cyber-criminals,” said Raja Patel, vice president and general manager, Corporate Security Products, McAfee. “Threat hunters are enormously valuable as part of that plan to regain the advantage from those trying to disrupt business, but only when they are efficient can they be successful. It takes both the threat hunter and innovative technology to build a strong human-machine teaming strategy that keeps cyber threats at bay.”

Aside from manual efforts in the threat investigation process, the threat hunter is key in deploying automation in security infrastructure, the report found: threat hunters in mature SOCs spend 70% more time on the customization of tools and techniques than novice organizations.

“The successful threat hunter selects, curates and often builds the security tools needed to thwart threats, and then turns the knowledge gained through manual investigation into automated scripts and rules by customizing the technology,” the report noted. “This combination of threat hunting with automated tasks is human-machine teaming, a critical strategy for disrupting cybercriminals of today and tomorrow.”

The report found that the sandbox is the No. 1 tool for first- and second-line SOC analysts, while higher-level roles relied first on advanced malware analytics. Mature SOCs use a sandbox in 50% more investigations than entry-level SOCs, going beyond conviction to investigate and validate threats in files that enter the network. More advanced SOCs also gain as much as 45% more value than minimal SOCs from their use of sandboxing, by improving workflows, saving costs and time, and collecting information not available from other solutions.

Other standard tools include SIEM, endpoint detection and response, and user behavior analytics—and these are all targets for automation.

“Automation and analytics are necessary and available, and for mature organizations, every level of the identification and investigation processes has automation options, particularly for sandboxing, endpoint detection and response, and user behavior analysis,” the report said. “Level 4 organizations show three times more willingness to automate parts of the threat investigation process versus SOCs at levels 0 through 3.”

Bottom line: Threat hunters are using a wide range of tools and techniques to find, contain and remediate cyberattacks. As they mature in the role, and the security organization’s tools and processes mature along with them, threat hunters experience a significant increase in effectiveness. Their success rests heavily on human-machine teaming, combining human judgment and intuition with machine speed and pattern recognition.

“This research highlights an important point: mature organizations think in terms of building capabilities to achieve an outcome and then think of the right technologies and processes to get there,” said Mo Cashman, principal engineer at McAfee. “Less mature operations think about acquiring technologies and then the outcome. It’s a classic top-down versus bottom-up approach. In this case, top-down wins!”