How to Enhance Threat Hunting in the Modern Enterprise

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Dave Armlin, the Field CTO for ChaosSearch, shares expert insights on enhancing your threat hunting efforts.

Cyber-attacks are becoming more widespread, sophisticated, and costly every year. According to a Deep Instinct report, ransomware grew by 435% between 2019 and 2020. The IT services company Parachute estimates that cyber-crime caused nearly $1T worth of damage last year, with the average data breach costing $6M to organizations that didn’t have robust security automation in place. 

Given these alarming trends, the U.S. Department of the Treasury announced a handful of actions to counter ransomware across the country. These actions include attempting to disrupt criminal networks and virtual currency exchanges responsible for laundering ransoms and increasing incident and ransomware payment reporting to U.S. government agencies, such as the Treasury and law enforcement groups. 

Yet, even with these commitments, the private sector is still at risk. FireEye found that 50% of CEOs don’t think their companies can combat cybersecurity threats. Even more alarming, the Ponemon Institute and IBM found that the average time to identify an organizational breach was 212 days, while containing those breaches took another 75 days. Simply put, it takes companies roughly 9.5 months to remediate cyber-attacks.

Corporate leaders must be proactive in their cyber defense efforts to ward off cybersecurity threats and comply with the latest government regulations. More specifically, modern enterprises have to get better at threat hunting. While organizations have traditionally focused on securing the perimeter, threat hunting emphasizes identifying environments that have already been compromised to detect and remediate cyber-attacks.  

Fortunately, building a threat hunting capability isn’t too complex, assuming the correct data and tools exist. Here are the steps every organization should take to enhance their threat hunting proficiency and ensure they’re well-equipped to handle future cyber-attacks. 

Improve Data Retention

Data retention is foundational to a robust cyber defense. Without deep and broad data retention, organizations are limited in what they can analyze, making it hard to pinpoint potential vulnerabilities and address threats proactively. To optimize data retention, companies must implement sound data policies, particularly when it comes to sensitive information.

One of the most important questions to ask on the data retention front is, “how long do we need to store data?” Fortunately, many industry-specific rules and regulations already offer guidance on data privacy and retention. HIPAA, the healthcare patient data privacy law enacted in 1996, is one of the most well-known examples. Payment card industry (PCI) compliance is another mainstream standard that keeps credit card transactions secure. These are just two examples of government-driven data management policy.

In general, if an organization stores personal data or private company information, leaders should have a clear data retention policy, especially regarding how long data should be maintained. Data retention policies can spell out when data is no longer critical for achieving enterprise goals, preventing people from getting rid of information that could potentially be useful down the road. 

Updating data policies and retention according to the latest guidelines helps companies make better decisions regarding what to do with their data. And when leaders know that data retention enables threat hunting, they can enact the correct protocols to maintain data as long as necessary to fight long-tail intrusions from advanced persistent threats (APTs). 

Leverage Threat Hunting Tools: Logs, SIEM, XDR

In addition to enhancing data retention, modern enterprises have to take full advantage of their log activity. Large companies generate billions of logs that represent user logins, application record changes, network service interruptions, and more. Log data, paired with thoughtful data retention policies, can strengthen cyber defense significantly, as IT teams have more information about who is accessing applications, how they are doing it, and when. 

Data teams that can collect logs, correlate events, describe patterns, and identify anomalies can use log analytics and threat hunting tools to keep IT operations under control and neutralize threats. SIEM and XDR are two specific types of threat hunting tools that improve a company’s ability to find threats before they turn into significant problems.

Security information and event management (SIEM) tools are characterized by their ability to provide real-time analysis of active threats and a network’s security posture. Extended detection and response (XDR) tools consolidate threat data from the web, cloud, servers, and email systems in one place, giving security teams a complete view of the threat landscape. XDR tools help study historical data and trends, while SIEM tools keep IT teams apprised of what’s happening today.

SIEM and XDR tools, coupled with solid data retention policies and log analytics, empower organizations to detect and respond to threats faster, which is critical in today’s ever-evolving world. However, to be clear, SIEM and XDR tools are most effective for short-term operational use cases. To build a reliable cybersecurity function, companies should complement these tools with powerful data platforms capable of storing vast amounts of information over the long term for deeper analyses.  
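To make the retention point concrete, here is a small hunt over authentication log lines, added for this page (it is not code from the column or from ChaosSearch). The log format, the sample events and the window lengths are constructed assumptions; the same correlation logic is run over a 7-day operational window and a 120-day retained window to show why a low-and-slow pattern of failed logins followed by a success is invisible to the short one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of retained authentication events, one per line:
# "<ISO timestamp> <user> <source IP> <FAIL|SUCCESS>". Five failures for alice
# from 203.0.113.7 are spread over about three months, then a success follows.
SAMPLE_LOGS = """\
2021-06-02T03:14:00Z alice 203.0.113.7 FAIL
2021-06-20T02:51:00Z alice 203.0.113.7 FAIL
2021-07-09T04:02:00Z alice 203.0.113.7 FAIL
2021-07-30T03:40:00Z alice 203.0.113.7 FAIL
2021-08-22T02:33:00Z alice 203.0.113.7 FAIL
2021-09-01T03:05:00Z alice 203.0.113.7 SUCCESS
2021-09-01T09:00:00Z alice 198.51.100.20 SUCCESS
2021-09-01T09:05:00Z bob 198.51.100.21 SUCCESS
"""

NOW = datetime(2021, 9, 2)  # constructed point in time at which the hunt runs


def parse(log_text):
    """Turn the raw lines into sorted (timestamp, user, source, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, result))
    return sorted(events)


def hunt(events, now, retention_days, min_failures=3):
    """Flag (user, source) pairs that failed at least min_failures times and
    then succeeded. Only events within retention_days of `now` are visible,
    which models how far back the analytics platform keeps data."""
    cutoff = now - timedelta(days=retention_days)
    failures = defaultdict(int)
    flagged = set()
    for ts, user, src, result in events:
        if ts < cutoff:
            continue  # older than the platform's retention window
        key = (user, src)
        if result == "FAIL":
            failures[key] += 1
        elif result == "SUCCESS" and failures[key] >= min_failures:
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("7-day window:  ", hunt(events, NOW, 7))    # set() - pattern not visible
    print("120-day window:", hunt(events, NOW, 120))  # {('alice', '203.0.113.7')}
```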

Use Threat Hunting to Complement Perimeter Defenses

Companies today have to take a more aggressive approach to cybersecurity. The consequences of cybersecurity attacks are growing increasingly severe every year, and the U.S. government is cracking down on cyber threats, highlighting the urgent nature of the situation.  

Threat hunting is a crucial component of modern cybersecurity strategies and one that depends on an enterprise’s ability to sift through data to identify threats that have already evaded perimeter defenses. Threat hunting success hinges on an organization’s data retention policy and the tools used to conduct hunts. SIEM and XDR tools, specifically, build on robust data retention policies and make it easier for security teams to execute threat hunting across internal systems. When combined with a larger data platform that stores information at scale and facilitates deeper analysis without requiring much data movement, companies can accelerate accurate threat detection that has the potential to prevent millions of dollars in damages. 

Rather than hope that perimeter defenses keep malicious attackers out, enterprises now have to take matters into their own hands, proactively identifying threats and eliminating them as they materialize. Threat hunting will enable organizations to keep pace with tomorrow’s cyber threats—and the time to act is now. 


Dave Armlin