Threat Hunting for the Riskiest 1 Percent
How to hunt for threats with speed and precision
“What’s our exposure?” is a question that demands an urgent and conclusive answer as soon as a potential threat is discovered. That dreaded question can arrive as an urgent message on a Sunday when you’re with your family, as a text at the crack of dawn from management, or as a phone call in the middle of the night. Whenever it shows up, the question that matters most to you becomes, “How quickly can I find the answer with total confidence?” When it comes to threat hunting and incident response, time is of the essence.
Overcoming Threat Hunting Hurdles
Time is critical, and there is never enough of it. In threat hunting and incident response, time can be a real challenge. Here’s what I mean.
- Security analysts are typically inundated by large volumes of alerts day in and day out. Already drowning in a sea of events, they often find themselves dealing with a flood of false positives. It doesn’t help that many of them still rely on manual processes, often using multiple consoles and tools that don’t talk to each other.
- Incident responders have to sift through stacks of disparate data that often lacks contextual information. This cumbersome process makes gathering and presenting evidence even more difficult and time consuming.
- IT security directors have a slightly different problem. They have to deal with the usual “do more with less” situation that results from budget and staffing constraints. IP and asset protection, along with the effort, time and cost of integrating the many different technologies in use in-house, are constantly on their minds.
Clearly, they all have something in common: they spend far more time on tedious tasks than they should. That time is essentially stolen from more innovative work, and quite possibly from family and other more important things.
But if done right, proactive threat hunting can overcome these challenges. Combining threat intelligence with device-level security context improves your ability to detect threats accurately, and therefore reduces the risk of compromise. In addition, automating the manual tasks associated with threat research, incident prioritization and remediation lets you investigate threats and resolve incidents faster. That way, you take back control of your time as you overcome the hurdles described above.
Go From Exposed to Empowered with Cisco
Faced with a dangerous malware threat, you’re tasked with answering one critical question: “How do I know whether this malware has evaded detection?” Yes, you can comb through every piece of research available about the threat. You can then scour stacks of network logs across your environment for anomalies and suspicious behavior. But how long will that take? Days, weeks or months? Chances are your chain of command will not have the bandwidth (or patience) to wait that long for a definitive answer.
There’s a better way. Proactively searching for the most dangerous threats and understanding the full scope of a compromise faster, using our set of integrated tools, boosts your ability to conduct threat hunting and incident response.
As part of this integrated security architecture, Cisco Threat Response speeds threat hunting by gathering, combining, and correlating threat intelligence available from: 1) your recorded network and security data, 2) Cisco Talos, and 3) third-party solutions.
Equally important, AMP for Endpoints provides both preventative and investigative capabilities for rapid detection of and response to the riskiest one percent of threats, the ones that evade front-line defenses. It lets your security analysts: 1) search endpoint telemetry, 2) block malicious files across Windows, Apple, Linux and mobile platforms, 3) apply whitelists and blacklists, 4) create advanced custom detections, and 5) retrospectively quarantine newly identified threats, automatically.
Cisco AMP for Endpoints together with Cisco Threat Response helps you find answers to the right questions, faster. You never have to ask “Where do I begin?” With AMP, you will always know. AMP gives you prioritized alerting paired with a threat severity rating, telling you what to look at first and how severe the incident could be. From AMP, you can pivot directly into Cisco Threat Response for a single-click view of every piece of data we have about the incident: which other vectors have seen it, where else the infection might have spread, and the ability to begin containment right there. This allows you to hunt for threats in their infancy, set up the proper triage, and execute your incident response process faster.
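The retrospective, severity-ranked workflow described above reduces to a small amount of logic: replay recorded endpoint telemetry against the current intelligence verdicts, group the hits by file, rank them by severity and earliest sighting, and derive the set of hosts to contain. The example below is added here to illustrate that logic; it is not AMP or Cisco Threat Response code, and the telemetry records, hash values, malware family names, severity scale (1 low to 4 critical) and field names are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample endpoint telemetry: one record per observed file execution.
# The field names are assumptions for this example, not AMP's real schema.
TELEMETRY = [
    {"host": "ws-017", "sha256": "a" * 64,
     "path": "C:\\Users\\j\\Downloads\\invoice.exe", "seen": "2019-03-01T08:12:00"},
    {"host": "ws-042", "sha256": "a" * 64,
     "path": "C:\\Users\\m\\AppData\\Local\\Temp\\invoice.exe", "seen": "2019-03-02T14:03:00"},
    {"host": "srv-db1", "sha256": "b" * 64,
     "path": "/opt/tools/psexec", "seen": "2019-03-02T16:40:00"},
    {"host": "ws-017", "sha256": "c" * 64,
     "path": "C:\\Program Files\\7-Zip\\7z.exe", "seen": "2019-03-03T09:00:00"},
]

# Constructed threat-intel verdicts, e.g. a disposition update that arrived after the
# files above had already executed. Severity scale is assumed: 1 (low) to 4 (critical).
INTEL = {
    "a" * 64: {"name": "Trojan.Dropper.Sample", "severity": 4},
    "b" * 64: {"name": "PUA.RemoteAdminTool.Sample", "severity": 2},
}


@dataclass
class Finding:
    sha256: str
    name: str
    severity: int
    first_seen: str
    hosts: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)


def retrospective_hunt(telemetry, intel) -> List[Finding]:
    """Replay recorded executions against the current intel verdicts.

    Files that were unknown when they ran but are now flagged produce one Finding
    each, with every host and path that executed them. Results are ordered by
    severity (highest first) and then by earliest sighting, so the first entry is
    the one to triage first.
    """
    findings: Dict[str, Finding] = {}
    for rec in sorted(telemetry, key=lambda r: r["seen"]):  # ISO timestamps sort as text
        verdict = intel.get(rec["sha256"])
        if verdict is None:
            continue  # still clean or unknown: nothing to do retrospectively
        f = findings.get(rec["sha256"])
        if f is None:
            f = Finding(rec["sha256"], verdict["name"], verdict["severity"], rec["seen"])
            findings[rec["sha256"]] = f
        if rec["host"] not in f.hosts:
            f.hosts.append(rec["host"])
        if rec["path"] not in f.paths:
            f.paths.append(rec["path"])
    return sorted(findings.values(), key=lambda f: (-f.severity, f.first_seen))


def containment_plan(findings: List[Finding], min_severity: int = 3) -> List[str]:
    """Hosts to quarantine now: any that executed a sample at or above min_severity."""
    hosts = set()
    for f in findings:
        if f.severity >= min_severity:
            hosts.update(f.hosts)
    return sorted(hosts)


if __name__ == "__main__":
    results = retrospective_hunt(TELEMETRY, INTEL)
    for f in results:
        print(f"[sev {f.severity}] {f.name} first seen {f.first_seen} on {', '.join(f.hosts)}")
    print("quarantine:", containment_plan(results))
```

The ordering key is what makes this a prioritized alert list rather than a flat match list: the critical dropper that ran on two workstations comes first, the lower-severity remote-admin tool on the database server second, and the 7-Zip binary, which no verdict flags, never appears. Raising or lowering `min_severity` is the policy knob for how aggressively containment is automated.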
Further, AMP for Endpoints integrates with both Cisco’s larger security portfolio and third-party tools, such as the recently announced advanced integration with IBM Security, resulting in improved visibility and faster threat hunting and incident response.
At the RSA Conference 2019, the cybersecurity community saw Cisco’s proactive approach to threat hunting. If you missed it, check out this video of threat hunting in action.
In the video, you can see how threat hunting for advanced threats with Cisco security tools can be accomplished in minutes, not days or weeks, in just a few simple steps.