Threat hunting is proactively identifying and thwarting unusual network activity that could indicate an attempted security breach. It's a historically manual activity, making it time-intensive and arduous. It’s no wonder, then, why most organizations don’t have the time, budget, or resources to undertake it effectively…if at all. That’s why many organizations rely on “reactive” threat response solutions, including firewalls, intrusion detection, and SIEM to alert analysts to an event after it occurs. Without the resources to commit to proactive threat hunting, reactive solutions are the next best option.
But if threat hunting is on your to-do list this year, a little-discussed solution is the ability to turn a reactive threat response into a proactive one. Specifically, it’s very possible and economical to shift your SIEM from reactive to proactive to start leveling up your threat hunting capabilities.
The benefits of this shift can be significant. Proactive SIEM-supported threat identification can provide more context and improve threat response times. It also creates a proprietary understanding of your unique threats, which is more valuable and effective than relying solely on third-party threat intelligence. Additionally, it makes automating security rules more viable, especially to stakeholders concerned about impeding legitimate activity.
Let’s talk about the 5 steps to shift your SIEM from reactive to proactive.
1. Identify Your ‘Area of Influence’
Start by identifying where you want to focus first. Maybe it’s a particular system, a highly targeted group, or an activity where you suspect your organization may be vulnerable to attack. This will help you tailor your scope to make the best use of available resources and will come in handy in later steps.
2. Set Up a Centralized Log Management System
A centralized log management system aggregates network log information so that all log data is in one place. Centralizing your log management feeds information to analysts more quickly and delivers a more holistic view of network activity. It also sets the stage for step 3.
3. Augment Log Data with Third-Party Intelligence
Third-party intelligence is any relevant supplemental data source that helps you accurately determine a threat. This is the moment when your area of influence comes back into play since knowing the scope of your inquiry allows you to choose relevant resources to support it.
Third-party intelligence adds more context for faster analysis and accurate decision-making.It also increases your security team’s internal ‘learning curve’ about what indicates a threat actor versus benign activity. There are several types of third-party data sources available. Learn more by downloading our white paper on security log enrichment.
4. Pinpoint and Validate Your Conclusions
Once you’ve accumulated enough data relevant in your area of influence, regroup to determine what you’ve learned. This is an opportunity for analysts to get creative by identifying characteristics of threat actors and pinpointing commonalities in confirmed threats to draw data-validated conclusions. With those in hand, your team can brainstorm possible security rules to automatically thwart these types of threats in the future.
5. Automate Proactive Security Rules
It’s time to automate and test your freshly developed security. Because you’re working from your organization’s own data, automating “home-grown” rules can help minimize threat misidentification, which keeps stakeholders on board. Now your team is free to begin the process again with a new (or amended) area of inquiry.
Utilizing SIEM for proactive threat hunting allows you to develop and evolve a proprietary understanding of threats to your organization—and automate threat responses—in an economical and resource-resilient way. For more information on threat hunting and third-party threat intelligence sources, download our Threat Intelligence e-book and Reading the Tea Leaves white paper.