Threat hunting has become a fundamental security process within organizations. It targets threats that might have been missed by traditional detection methods like as firewalls, intrusion detection systems, malware sandboxes and SIEMs. This article covers the various considerations that need to be taken when outsourcing or developing an internal threat-hunting program.
Internal vs. External Threat HuntingInternal threat hunting differs from external threat hunting in that it is an internally-managed function within the organization. The security department constitutes an incident response (IR) team that is responsible for handling and hunting threats that might plague the organization. Normally, a balance must be struck between human skill set and detecting tools to allow for an effective team.
Organizations that lack a threat-hunting function might seek to outsource it to cybersecurity companies that offer such services. This externally-managed function is what is known as external threat hunting. Internal and external threat hunting each have pros and cons that should be discussed.
Pros of an Internal Threat-Hunting FunctionHaving your own threat hunting function within your organization has a couple of pros to it. They include:
Cost-effectivenessCompared with outsourcing threat-hunting functions to a third-party cyber-security company, assembling an internal threat-hunting team means you size of the team to work with and the necessary tools to use. If you like, you can gather these assets at a lower cost.
Ability to streamlineInternal hunting teams are normally compact in size. This allows you to streamline the hunting process by defining the datasets that are most critical and thus require the most attention. This allows your team to work efficiently and effectively.
Reduced infection dwell timeHunting allows you to reduce the amount of time infections may dwell within your organization undetected, effectively preventing an otherwise catastrophic breach.
Hardened attack surfaceHunting allows you to determine the areas more prone to infection and harden the organization, anticipating an attack. This makes it more difficult for attackers to penetrate the organization.
Exposure to external threatsHunting exposes new threats to your attention and allows you to keep tabs with the security landscape, especially with the current state of increasing ransomware attacks against organizations worldwide.
Cons of an Internal Threat-Hunting FunctionInternal threat-hunting faces several challenges that might prevent your organization from establishing a team to handle it. These challenges include:
Talent shortageBuilding an incident-response team requires gathering competent cybersecurity skill capable of detecting threats within the organization. The shortage of these skills is something you should be prepared to deal with, especially in the long run, by conducting training for new members to the IR team.
The process is involving and time-consumingHunting is an involving process, and getting management to agree to the development of such a function may be met with opposition. Later, we will discuss the points you should note while building the ultimate threat-hunting team and how you would build a business case to get this approved at your organization.
Accuracy of responseYou should be aware that the accuracy of your responses will vary greatly depending on the level of skill you choose to adopt within your organization, and the tools at their disposal. Internal hunting teams are prone to missing some threats, as compared to cybersecurity companies that focus on hunting and have dedicated numerous resources for that.
Pros of an External Threat-Hunting FunctionDue to some of the challenges above, some organizations have chosen to outsource their threat hunting. The following are some of the advantages that come with outsourcing this function.
Near-perfect responsesWith an outsourced threat-hunting function, you are most likely to receive more accurate, faster responses. This is because companies that handle this task focus entirely on hunting and have honed their skills with time.
Continuous activityOutsourced hunting is a continuous activity that runs on a 24/7 basis. Considering the large amount of data generated, especially by large organizations, security companies offer threat-hunting services especially since they have developed in-house tools that aid them in conducting the hunting process.
Cons of an External Threat-Hunting Function External hunting is expensiveOutsourcing this function to a company that handles such activities is an expensive affair, mostly since hunting is a round-the-clock affair that requires incredible cybersecurity skills and well-trained, certified threat hunters.
Data security and privacyMost organizations battle with the idea of outsourcing functions such as threat hunting because of the nature of the work they are involved in. In this age of data privacy and the recent GDPR regulations, the loss of customer data and intellectual property might be the difference between the success and failure of an organization. As a result, organizations will tend to consider having an internal threat-hunting function.
Considerations when Outsourcing Threat HuntingIn order to ensure effective security, a number of considerations must be put in place before outsourcing threat hunting.
Reliance on Traditional Detection MethodsThreat hunting is only as good as the data it collects. For example, according to this 2018 threat hunting report, only 37% of organizations were leveraging user behavior activity to feed their threat-hunting program, and only 54% were using data collected from Active Directory. Things got worse. Only 19% had integrated file activity monitoring into their threat-hunting platforms. Before outsourcing threat hunting, it is important to understand how much information is being collected and if traditional detection methods are being excessively relied upon.
Cybersecurity TalentCybersecurity skills shortages are nothing new, but this is causing recruiting chaos according to new research. CSO Online reports that 45% of organizations claim to have a problematic shortage of cyber skills. 70% of organizations report the skills shortage has had a direct impact, such as increased workload for existing staff, the need to hire and train junior employees, and that old problem of staff reacting to emergency issues rather than engaging in strategic planning or training.
It is therefore necessary to determine the cybersecurity skill of security personnel within the organization, and if it is adequate enough to handle threats. If not, then you would have to consider outsourcing threat hunting functions.
Headcount ChallengesOrganizations often face much bureaucracy and politics when it comes to enforcing ideas. For example, convincing management of the need to expand the incident response/threat hunting team might be met with opposition that could lead to a shortage of personnel to handle situations. This is something that should be considered before outsourcing threat hunting.
Complexity of Staying Informed on Security