CISO2CISO.COM & CYBER SECURITY GROUP

Threat Hunting 101 – A Framework for Building and Maturing a Proactive Threat Hunting Program by RELIAQUEST

Introduction
Waiting around for attackers to attack is often a fallback posture for overworked and overwhelmed security teams. When attackers show up at the gates, only then will the team kick into action, hopefully (but not always successfully) kicking the bad guys to the sidelines.
When your security team is mostly in reactive mode, your organization is missing out on an opportunity to take out the bad guys before they take you out. The proactive strategy for security should involve threat hunting, your most useful tool for gaining a deeper understanding of where and how attackers have breached or may breach network defenses.
If adopting proactive strategies like threat hunting is new to your security team, it’s important to first understand why your team defaulted to a reactive posture before working out how to hunt for threats. Your team may be in reactive mode because there is simply too much urgent work to do, or because your security tools generate too many false positives.

Your team may also be suffering from “technology sprawl,” where you have too many tools that your team must implement, manage, integrate, and pivot between during investigations, taking time away from thinking through the best security approaches. If this is the case, you’re in good company: In ReliaQuest’s latest survey of enterprise IT and security professionals, 71 percent said they’re adding security technologies faster than they’re adding the organizational capacity to productively use them.
Additionally, there are common limitations that prevent teams from taking a proactive threat hunting posture. For example, threat hunting requires very large data sets, from which teams can correlate trends, identify security gaps, and find anomalies. A threat hunt involving Windows authentication traffic could require 30 days of data from 8-10 different Windows event IDs (e.g., 4624, 4625, 4769). Manually pulling and analyzing this data is very time-consuming and could take weeks, so many teams skip the effort.
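To make the Windows authentication hunt above concrete, here is an added example (not from the ReliaQuest framework or this page) that runs two simple hunts over a constructed set of Security events: a "many 4625 failures followed by a 4624 success" pattern per account, and a crude outlier baseline over 4769 Kerberos service-ticket requests per account. The event records, the 10-minute window, the failure threshold and the z-score cutoff are all assumptions chosen for illustration; in practice these would be tuned against 30 days of real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named in the text: 4624 logon success, 4625 logon failure,
# 4769 Kerberos service ticket (TGS) request.
LOGON_SUCCESS, LOGON_FAILURE, TGS_REQUEST = 4624, 4625, 4769


def build_sample_events():
    """Constructed sample telemetry (not real data) shaped like flattened
    Windows Security events: timestamp, event ID, account, host, source IP."""
    base = datetime(2024, 1, 1, 8, 0, 0)
    ev = []

    def add(minute, eid, user, host="WS01", src="10.0.0.5"):
        ev.append({"ts": base + timedelta(minutes=minute), "id": eid,
                   "user": user, "host": host, "src": src})

    # jdoe: six failed logons in five minutes, then a success -> hunt hit
    for m in range(6):
        add(m, LOGON_FAILURE, "jdoe")
    add(6, LOGON_SUCCESS, "jdoe")
    # alice: a single mistyped password, then success -> benign
    add(10, LOGON_FAILURE, "alice")
    add(11, LOGON_SUCCESS, "alice")
    # bob: repeated failures but never succeeds -> not this pattern
    for m in range(8):
        add(20 + m, LOGON_FAILURE, "bob", src="10.0.0.9")
    # Kerberos: five ordinary accounts request two service tickets each,
    # while svc_scan requests forty in one minute (assumed outlier)
    for u in ("jdoe", "alice", "bob", "carol", "dave"):
        for _ in range(2):
            add(30, TGS_REQUEST, u, host="DC01")
    for _ in range(40):
        add(31, TGS_REQUEST, "svc_scan", host="DC01", src="10.0.0.77")
    return ev


def hunt_failed_then_success(events, window=timedelta(minutes=10), min_failures=5):
    """Return {user: (failure_count, success_ts)} for accounts where at least
    min_failures 4625 events precede a 4624 for the same account within window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] in (LOGON_SUCCESS, LOGON_FAILURE):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["id"] != LOGON_SUCCESS:
                continue
            recent = [f for f in evs[:i]
                      if f["id"] == LOGON_FAILURE and e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                hits[user] = (len(recent), e["ts"])
                break
    return hits


def hunt_tgs_outliers(events, zscore_threshold=2.0):
    """Count 4769 requests per account and return accounts whose count sits
    more than zscore_threshold standard deviations above the population mean.
    A simple baseline; a real hunt would baseline per account over 30 days."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == TGS_REQUEST:
            counts[e["user"]] += 1
    if len(counts) < 2:
        return {}
    mean = sum(counts.values()) / len(counts)
    stdev = (sum((c - mean) ** 2 for c in counts.values()) / len(counts)) ** 0.5
    if stdev == 0:
        return {}
    return {u: c for u, c in counts.items() if (c - mean) / stdev > zscore_threshold}


if __name__ == "__main__":
    events = build_sample_events()
    for user, (n, ts) in hunt_failed_then_success(events).items():
        print(f"[logon] {user}: {n} failures then success at {ts.isoformat()}")
    for user, n in hunt_tgs_outliers(events).items():
        print(f"[kerberos] {user}: {n} TGS requests (outlier)")
```

On the constructed sample only jdoe trips the failed-then-success hunt and only svc_scan trips the 4769 baseline; the point is that both hunts are a few dozen lines once the events are in one place, which is why the data-collection step dominates the effort described above.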
