Enterprises have made threat hunting a priority for improving their overall security posture, but in many cases they do not provide the funding needed to acquire the level of skilled experience that could make a difference in their organizations.
In a CyberRisk Alliance study conducted in November among 212 security professionals, respondents said they are hungry to add experienced threat hunters to their ranks, but still struggle to find the right people in an intensely competitive and specialized field.
Bottom line: Only larger organizations can afford the minimum annual salary of $250,000 that experienced threat hunters command.
Based on the responses from the survey, CRA points to four important findings:
1. Companies still think threat hunting is “pie in the sky”
For all the buzz around threat hunting these past two years, threat hunters are still a rarity in the security operations center. Why? They cost money, and it takes time to see results. The CRA study did offer some hope: 32% of respondents are currently implementing a threat hunting program, so slowly but surely people will get trained and companies will fill these slots.
2. Qualified threat hunters are hard to find.
Yes, the age-old problem: where do you find a threat hunter? Some 53% of respondents planning to implement a threat-hunting program in the next 12 months say they are concerned about the lack of qualified staff to conduct threat hunting. Companies expect a lot from a threat hunter: management expects competency in a range of subjects, as fluent in data forensics and analytics as in translating technical findings into non-technical recommendations for business leadership. That’s a tall order and will require much more education.
3. Organizations still struggle with moving beyond reactive intelligence
While 7 out of 10 respondents use SIEMs and EDRs, these are not the tools that threat hunters rely on most. About two-thirds say their hunting does not allow for the collection of a wide range of data types, and 61% indicate that data analytics and machine learning are not yet being used to refine and automate hunting methods. The result is a culture of “catch-up,” in which the SOC operates in constant response mode instead of being empowered to build threat hypotheses and make new discoveries.
4. Threat hunters DO reap new rewards
Threat hunting expands the company’s security awareness and network visibility. The CRA survey found that 72% have achieved at least a 50% improvement in the speed and/or accuracy of threat response from their threat hunting programs.
Organizations looking to get started with a threat-hunting program should first measure their current threat-hunting maturity. Good resources include the MITRE ATT&CK framework, the CIS Critical Security Controls (the 18 controls from the Center for Internet Security) and NIST SP 800-171. Companies should also consider an extended detection and response (XDR) platform that integrates threat hunting tools into one package.
Other steps: develop an incident response plan; decide whether the organization wants to hire outside talent or develop the skills internally; and finally, if the talent simply doesn’t exist in the organization, carve out time to train some of the company’s more motivated staff.