The value of threat hunting
Monday 15th February 2021 | 4 minute read
Preventing security breaches should already be a strategic priority – but if you need convincing, the Cost of a Data Breach 2020 report from IBM uncovered some alarming statistics. The average cost of a data breach was found to be £2.91m ($3.86m USD). Some industries fared worse than others, with the healthcare sector averaging £5.38m ($7.13m USD) per breach.
What is threat hunting?
Threat hunting involves actively examining your infrastructure in search of potential malware or malicious actors that might be lurking in your endpoints or network. It differs from traditional threat management approaches that focus on investigations after a threat or breach has been detected.
Why go proactive?
The increasingly complex and extended IT infrastructure that organisations are having to deal with, coupled with rising levels of sophistication in cyber-attacks, means that even with the most robust tools and processes in place, attempts to prevent security breaches can never be 100% effective.
In addition, the traditional, reactive approaches are exactly that – simply reacting to things that have already happened – and this is no longer enough either.
Research by Ponemon found that the average breach lifecycle was 279 days, but this can be reduced through proactive approaches such as threat hunting. The same research also found that by reducing that lifecycle to less than 200 days, the cost of the breach decreased by 37%, providing clear impetus to be more proactive.
Decreasing the risk
But how do you know there’s a threat or a breach? Usually only after the damage has already been done. This is clearly too late, so security teams need to take a more pre-emptive approach to mitigate the risks of damaging attacks, which threat hunting provides.
The sooner you can identify and resolve a security breach, the narrower the window for data exfiltration to occur.
Microsoft's Azure Sentinel is a SIEM platform that supports threat hunting for applications and services, allowing for better visibility and therefore improved detection and resolution of issues across your entire IT estate.
New to Azure Sentinel? Check out our eBook 'The Operational and Commercial Benefits of Azure Sentinel'.
Preventing security breaches
The implications of a security breach go well beyond the immediate issues surrounding loss of data or IP. Aside from the potential fines from the Information Commissioners Office (ICO) the reputational damage and loss of customer trust could have much longer lasting effects.
The good news is that these can be avoided, or at least minimised, by detecting any threats as soon as possible after the initial breach and before any data has been exfiltrated. Proactive threat hunting in a key weapon here to help reduce the time to detection of any threats that might have bypassed existing security products.
Reducing dwell time
Bearing in mind that no strategy can be 100% effective, reducing the dwell time (the time from when the attacker gains access, to when the threat is eradicated) is the next priority to limit any damage as much as possible. And it’s not just about the internal benefits of dealing with threats early, it’s also about the external implications of not addressing them, such as reputational damage.
Proactive threat hunting is key here, but it’s important to consider what it is you’re looking for so that you can achieve more useful results in the time allocated. Defining Prioritised Intelligence Requirements (PIRs) and keeping up to date with the latest intelligence on emerging threats are fundamental steps in your threat hunting process – you can learn more in our next blog “Getting started with threat hunting”, coming out on 18th February.
Azure Sentinel also allows you to build structure and processes around threat hunting. This means threat hunting becomes more repeatable and efficient because there is no need to create new processes each time a new threat is identified. It can also broaden the visibility and understanding of the activities taking place of your estate which can be used to improve overall security posture.
Reduction in costs
Remember, the cost of successful data breaches can be eye-watering. By employing threat hunting to identify undetected threats and resolve breaches more quickly, the overall cost of the incident also falls.
The Cost of a Data Breach 2020 report also estimates that shortening the hackers’ window of opportunity will save more that £800,000 – per event. That’s a significant slice of IT budget that can be reinvested in growing the business.
Working smarter with a partner
Security skills are in high demand making it extremely hard to source the individuals you need to build a well-rounded team. Government figures suggest that 30% of UK businesses lack the advanced security skills they need to protect themselves. Worse still, the Cost of a Data Breach Report highlights security skills shortages as a major contributing factor to the high cost of a security incident.
Closing the skills gap
Organisations need to close the gap, so are looking to partners to help – recent research from Sophos indicates 65% are outsourcing some or all of their IT security efforts.
By partnering with a security expert, you can take advantage of their knowledge and experience to ensure your assets are properly protected. They can build you a robust, tested response framework to help deal with breaches quickly and efficiently, using cutting edge technologies like Azure Sentinel for delivery.
But outsourcing can deliver other benefits too.
Partnering with a proactive security service provider who offers daily threat hunting duties, frees your own security team up to focus on strategic projects to grow the company or dedicate resources to resolving issues that threaten it. You know that new security issues are not being overlooked and that your staff resources are being deployed where they will have the greatest effect.
Freed from threat hunting duties, your team can devote their energies to optimising processes and operations to increase efficiency and effectiveness. Your partner will also help to develop processes and routines that automate activities, reducing the need for manual intervention and accelerating threat responses. Remember, the quicker a threat is detected and mitigated, the lower the overall cost to your business.
Understand how to further improve security operations with AI/ML in our latest eBook 'How ML and AI have enhanced incident detection and response management'.
Partnering with such an expert also means you can get access to a team of skilled analysts, working as an extension of your own in-house team to carry out this function on your behalf, even on a 24x7 basis if needed – as hackers don’t work the usual 9am-5pm! This kind if service is not only valuable but also cost effective when compared to recruiting and training additional in-house staff.
Ongoing benefits of threat hunting
Whether you chose to undertake threat hunting with your existing team or you chose work with a partner, the gains from adopting a more proactive strategy are significant and vary from a reduction in costs to being able to operate a more streamlined, efficient security function. Eliminating security breaches, or remediating them faster, can create massive savings for your business.
To learn more about threat hunting services from Maple Networks and how your business will benefit from rapid detection of security threats that fly under the radar, please get in touch.