Gartner Blog Network

My “How to Hunt for Security Threats” Paper Published

by Anton Chuvakin  |  April 6, 2017  |  Comments Off on My “How to Hunt for Security Threats” Paper Published

My mini-paper on threat hunting is out! Review “How to Hunt for Security Threats” (Gartner GTP access required) and provide feedback here.

The abstract states “Technical professionals focused on security are starting to explore the mysterious practice of “threat hunting” to improve their security monitoring and operations. This requires uniquely skilled personnel and wide-ranging data collection across the IT environment.”

As usual, a few fun quotes follow below (but really, the entire thing is very fun!):

  • “Threat hunting helps with threats that bypass both preventative and detective controls, and enables organizations to uncover threats that would otherwise remain hidden. Hunting success relies on a mature security operations center (SOC) and cyberincident response team (CIRT) functions.”
  • “For most organizations, hunting becomes an option after they have maximized their alert triage and detection content development processes and matured their security incident response functions, but still need to look beyond additional incremental improvements.”
  • “One organization reported that, for it, hunting is a way to flip the age-old security maxim, “the defender needs to close all holes, but the attacker needs to just find one hole to get in.” Specifically, with hunting, an attacker’s sole mistake is likely to lead to their discovery and removal, while the defender can cast its net many times to find the mistake.”
  • “In order to operationalize your threat-hunting activities, mature them to a high level and teach them to new analysts and aspiring threat hunters, some structure needs to be created. How can one apply structure to a creative, analyst-led process? The answer lies in giving the threat hunter broad creative boundaries but still retaining the process attributes and wider components of the most successful threat-hunting efforts.”
  • “If your organization has a production SIEM (or log manager) deployment and an EDR deployed and operational, you have the tools for your starter threat hunts.” [but, as I say a dozen times in the paper, hunting is really not about the tools – but about people]

(sadly, my flying pink elephant metaphor didn’t survive the editors)

So, get the paper HERE and provide feedback HERE.

Related posts on threat hunting:

Related posts on paper publication:

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: analytics  announcement  future  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.