Increasingly sophisticated cyberattacks are making the task of detecting breaches harder than ever. Advanced Persistent Threats are built with stealth in mind, giving attackers as much dwell time as possible inside the network perimeter before they are detected.
According to research published by IBM, it takes an average of 206 days to first identify a security breach, and another 73 days to contain it. If this complete detect-remediate cycle can be completed in less than 200 days, the cost of the breach is reduced by nearly 26%.
However, according to a report from the Ponemon Institute, just 53% of businesses rate themselves as well-prepared to quickly detect a cyberattack.
Increasing proactivity increases speed of detection
Traditional SIEM platforms tend to overload security teams with a barrage of alerts, stretching their resources so they are forced into being mainly reactive. Microsoft Sentinel is extremely effective at analysing your event logs to detect security incidents. This is powerful and effective – but it can be improved even further.
Threat hunting in Microsoft Sentinel provides a proactive approach to threat detection. Using indicators of compromise provided by third-party threat intelligence subscriptions and the Kusto Query Language (KQL), an analyst can search, sort and filter the logs already in Sentinel to find activity that no existing analytics rule has flagged as anomalous.
Threat hunting should help to narrow the window between breach and detection, improving your overall security posture – and helping to limit the potential damage.
Straightforward – but not
There is one drawback to threat hunting with Microsoft Sentinel – the associated learning curve. To operate threat hunting in-house, your team will need to:
- Identify industry-relevant threat intelligence subscriptions and configure import into Microsoft Sentinel.
- Define Prioritised Intelligence Requirements (PIR) that set goals for your threat hunting efforts, aligned with your business strategy.
- Create threat hunting queries to pinpoint potential issues.
- Execute your query and analyse the matching results.
- Investigate and remediate each confirmed issue.
Steps one, two and, to some degree, three will only need to be completed a few times each year. Steps four and five, however, must be undertaken regularly. Microsoft Sentinel accelerates discovery, but your team still needs the skills, time and resources to investigate and remediate the results.
As a result, most businesses cannot dedicate enough time to proactive threat hunting to make it effective, leaving them well short of a truly proactive security strategy. Just 30% of cybersecurity professionals believe their businesses spend enough time on proactive threat hunting.
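As an added example (not part of the original article, and not a Microsoft-supplied query), this is the kind of hunting query step three produces for steps four and five to run on a schedule: it takes the IP indicators that a threat intelligence feed has imported into the ThreatIntelligenceIndicator table, keeps only current and reasonably confident ones, and matches them against firewall and proxy connections recorded in CommonSecurityLog. Table and column names are the classic Microsoft Sentinel schema; the lookback windows and the confidence threshold are assumed values to be tuned against your PIRs, and because Microsoft has revised the threat-intelligence schema over time, check the indicator table name in your own workspace before relying on it.

```kql
// Added example, not from the original article: hunt CommonSecurityLog (CEF from
// firewalls/proxies) for connections to or from IPs present in the threat intelligence feed.
// Tunables below are assumptions; align them with your PIRs.
let ioc_lookback   = 14d;   // how far back to load indicators (assumption)
let event_lookback = 1d;    // how far back to hunt in the event logs (assumption)
let min_confidence = 50;    // ignore low-confidence indicators (assumption)
// 1. Build the current set of IP indicators: active, not expired, and only the
//    latest version of each IndicatorId so re-published indicators are not double-counted.
let ip_iocs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    | where Active == true
    | where ExpirationDateTime > now()
    | where ConfidenceScore >= min_confidence
    | where isnotempty(NetworkIP) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, TI_ipEntity, ThreatType, ConfidenceScore, Description, SourceSystem, ExpirationDateTime;
// 2. Expand each connection into its two endpoints so the join catches both
//    outbound beaconing (DestinationIP) and inbound scanning (SourceIP).
CommonSecurityLog
| where TimeGenerated >= ago(event_lookback)
| mv-expand MatchedIP = pack_array(SourceIP, DestinationIP) to typeof(string)
| where isnotempty(MatchedIP)
| join kind=inner ip_iocs on $left.MatchedIP == $right.TI_ipEntity
// 3. Collapse to one row per indicator/device pair so the analyst sees a lead, not raw events.
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            HitCount  = count(),
            Sources   = make_set(SourceIP, 20),
            Destinations = make_set(DestinationIP, 20)
    by MatchedIP, IndicatorId, ThreatType, ConfidenceScore, Description, SourceSystem, DeviceVendor, DeviceProduct
| order by ConfidenceScore desc, HitCount desc
```

Run it from the Logs blade or save it as a hunting query and bookmark results. A hit is a lead rather than a verdict: before escalating, confirm the indicator has not expired, check whether the matched address is a shared hosting or CDN IP that legitimately serves your users, and pivot on Sources and FirstSeen to see whether one host began talking to the address at a point that lines up with other activity. Equivalent hunts for domains, URLs and file hashes follow the same shape, joining DomainName, Url or FileHashValue against DNS, proxy or endpoint tables instead of CommonSecurityLog.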
Achieving maximum benefits from threat-hunting
In an ideal situation your business could hire an analyst whose only responsibility is hunting threats. This is not only expensive, but there may not be quite enough work to occupy them full-time.
More realistic is the use of a third-party managed service. Your partner has the skills and experience to configure threat hunting in Microsoft Sentinel. And because they are already proficient in building the queries used to comb through logs, they can conduct threat hunts that align with your security priorities.
Perhaps most valuable of all, however, is that a third party is not time-limited in the same way as your team. They can conduct more threat hunts, more regularly, increasing the overall proactivity of your defence capabilities. And because these hunts are more regular, they will identify threats and breaches even earlier.
Ultimately, a good partner will help you improve your posture and reduce time to detection.