Vendors may claim complete automation for threat hunting, but they are promising the impossible. PatternEx believes threat hunters need a co-pilot—not a replacement.
Let us agree on a "threat hunting" definition
This term has been used to describe many different roles and responsibilities. Most people will agree threat hunting contains two key focus areas:
- Proactive security – looking for threats or active breaches lurking in the environment (but not yet escalated or detected)
- Reactive security – investigating escalated alerts, finding the root cause, and/or validating the threat itself
Threat hunters will usually be associated with a SOC. Sometimes they will be part of incident response or security intelligence, depending on the organizational structure and size. At times, threat hunters may be considered Level 3/Subject Matter Expert in title. But in all cases, they will still perform the above tasks.
Can't we automate threat hunting completely?
Adversaries are very good at changing tactics or using multi-stage, low and slow attacks—all of which makes threat hunting a very challenging task that requires real-time context. So threat hunters have to learn from existing threat intelligence (internal and external to the organization), draw from past experiences, and generally use intuition to locate threats. Automation, even with AI, cannot replace the threat hunter.
The challenge, of course, is the technical sophistication and time it takes to achieve a successful hunt.
| | SIEM and Tier 1 Analyst Based Detection | Threat Hunting |
|---|---|---|
| Threat Types | Basic to Intermediate | APT, multi-stage, multi-entity |
| Efficiency | High coverage, fast | Narrow coverage, slow |
How can we improve the efficiency and speed of threat hunting?
Many threat hunting teams want a more mature threat hunting process. This maturity requires some automation and use of data science (to leverage AI technology), generally considered Level 4 or Level 5 of maturity (depending on the hunting maturity framework). At a high maturity level, threat hunting focuses on analysis, not on the details of figuring out how to get data, sort data, and write code to find patterns. In this regard, PatternEx can act like a co-pilot to threat hunters and take over the mundane tasks of managing data, sifting through data, and doing trial-and-error modeling around data analysis.
What value does PatternEx add to threat hunting?
Even with AI, the threat hunter must be core to the hunting process.
With that in mind, PatternEx's Virtual Analyst Platform provides the following key benefits to threat hunting teams:
- Automated correlation for pattern matching across multiple data sources and multiple entities
- Fast conversion of hunt findings into AI models that can be shared with other analysts
- Instant "playbooks" built from hunt findings that Tier 1/2 analysts can run as part of their existing playbooks, with no additional work needed
- Automated data science to leverage 50+ AI models "out of the box" or to create custom models without coding
If you or your organization need to increase the speed, efficiency, or maturity of your threat hunters, I encourage you to check out some resources that may help:
- Watch our webinar: AI Enabled Threat Hunting: Automation Through Auto Correlation
- Learn more about the technology
Or contact us for a deep dive discussion on how PatternEx can help mature your organization.