A Proactive Guide to Threat Hunting

Why threat hunting can protect your organization from a security breach

Reactive security practices will only get you so far.

rmsource will be the first to tell you that a strong prevention (not detection) strategy is the best foundation for any cyber security practice. In order to stand a fighting chance against today’s threat actors and the staggering volume of attacks, dynamic prevention must be incorporated into each layer of the network – Cloud, Edge, Endpoint…but is that enough?

Today’s threat actors are smart, sophisticated, well-funded and persistent. We can no longer bolt the doors and bar the windows and assume we’re keeping the bad guys out. The only way to truly protect ourselves is to always assume they’re already inside. In a recent article explaining how and why companies should incorporate Threat Hunting into their SOC practices, Microsoft urges, “Assume breach and be proactive”.

So, what is Threat Hunting?

At a recent convention, a colleague described it as pulling on a loose thread to see where it leads. In the cyber security world, that could mean finding an anomalous event or log and looking for associated activity, or specifically searching for anomalies based on external research or analysis.

Have you ever investigated a host because you saw it using odd outbound ports in firewall logs, or looked for traffic to a recently published Command and Control domain in an analysis you read? If so, you’ve Threat Hunted.

Now, without the proper tools in place, Threat Hunting can seem like you’re constantly running down rabbit holes. This is where Check Point threat prevention platforms, such as the SandBlast Agent, and Microsoft Azure Sentinel come in. Check Point provides the protection at the cloud, network perimeter and endpoint, while Azure Sentinel has the hunting tools, dashboards and built-in hunting queries to help you detect anomalies, conduct investigations and respond before they become an incident.
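The two hunts described above (a host using odd outbound ports in firewall logs, and traffic to a recently published Command and Control domain) can be expressed as a few lines of code. The example below is added here and is not code from rmsource, Check Point or Microsoft; it uses plain Python over a constructed firewall log rather than a Sentinel KQL query, and the log lines, the indicator domain and the expected-port list are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post).
# Format: timestamp src_ip dst_ip dst_port proto action dst_host ("-" if unknown)
SAMPLE_FIREWALL_LOG = """\
2024-05-01T08:00:01Z 10.0.1.15 93.184.216.34 443 tcp allow example.com
2024-05-01T08:00:05Z 10.0.1.15 93.184.216.34 80 tcp allow example.com
2024-05-01T08:01:12Z 10.0.1.22 198.51.100.7 4444 tcp allow -
2024-05-01T08:01:40Z 10.0.1.22 198.51.100.7 4444 tcp allow -
2024-05-01T08:02:03Z 10.0.1.22 203.0.113.9 443 tcp allow bad-c2.example.invalid
2024-05-01T08:02:30Z 10.0.1.31 203.0.113.9 443 tcp allow bad-c2.example.invalid
2024-05-01T08:03:00Z 10.0.1.40 192.0.2.55 53 udp allow -
2024-05-01T08:03:10Z 10.0.1.40 192.0.2.56 25 tcp deny -
"""

# Constructed indicator standing in for a C2 domain published in external research.
C2_DOMAINS = {"bad-c2.example.invalid"}

# Ports workstations are expected to use outbound (assumption; tune to your environment).
EXPECTED_OUTBOUND_PORTS = {80, 443, 53, 123}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) "
    r"(?P<proto>\w+) (?P<action>\w+) (?P<host>\S+)$"
)


def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        events.append(e)
    return events


def odd_outbound_ports(events, expected=EXPECTED_OUTBOUND_PORTS):
    """Hunt 1: internal hosts allowed out on ports outside the expected set.
    Denied connections are ignored; the firewall already stopped those."""
    hits = defaultdict(set)
    for e in events:
        if e["action"] == "allow" and e["port"] not in expected:
            hits[e["src"]].add(e["port"])
    return {src: sorted(ports) for src, ports in hits.items()}


def c2_matches(events, iocs=C2_DOMAINS):
    """Hunt 2: source hosts whose destination hostname matches a published indicator."""
    return sorted({e["src"] for e in events if e["host"].lower() in iocs})


def pivot(events, src):
    """Pull the thread: every (dst, port, host) a flagged source talked to,
    so the investigation can widen from the first anomaly."""
    return sorted({(e["dst"], e["port"], e["host"]) for e in events if e["src"] == src})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_FIREWALL_LOG)
    print("odd outbound ports:", odd_outbound_ports(evs))
    print("C2 indicator hits:", c2_matches(evs))
    for src in c2_matches(evs):
        print(f"pivot on {src}:", pivot(evs, src))
```

In this sample the two hunts converge on the same host: 10.0.1.22 is flagged for port 4444 and for the indicator domain, and the pivot shows both destinations together, which is the kind of associated activity the post describes looking for.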

Through an integrated partnership with Microsoft and Check Point, we pair the best protection, detection and response tools to provide a comprehensive threat hunting solution.

For more information regarding Microsoft’s Threat Hunting recommendations, please visit:

https://www.microsoft.com/security/blog/2020/03/10/threat-hunting-part-1-why-your-soc-needs-a-proactive-hunting-team/

Another useful tool for understanding how malicious events and activities may be related is the MITRE ATT&CK™ (adversarial tactics, techniques, and common knowledge) framework: https://attack.mitre.org/
