Threat hunting: Build or buy?
Faced with ever-evolving threats in this cyber-fueled world, threat hunting is critically important.
But your ability to apply a consistent level of analytic rigor and produce valuable findings while threat hunting relies heavily on your available tech and expertise. Plus, finding the time and space to effectively implement and participate in threat hunting can be difficult.
So, what’s the best option – build your own hunting program or buy a hunting service?
In my previous blog post, I explained what hunting is and why it’s important for security practitioners to understand the value it provides to detection and response.
In this blog post, I’m going to cover what to consider as you add hunting to your org’s security program (like cost and security team capacity) and your options when you don’t have the resources to build the threat hunting program yourself.
A history lesson
In the 1950’s, my wife’s grandfather — Bill McPhee — created the first computer-based predictive behavioral model to identify patterns of human behavior. According to author Jill Lepore’s 2020 book, If Then, this model may have played a role in helping elect John F. Kennedy Jr. (JFK) to the presidency.
By identifying patterns of potential voter behavior.
It all started with a hypothesis — can advanced data analysis of historical voting patterns be used to predict or influence election outcomes?
To test the hypothesis, a smart group of people used specially designed technology to analyze historical voting data among different voter groups. These groups were assigned by a collection of shared characteristics (religious affiliation, income level, gender, geographic location, etc.). The analysis identified behavioral patterns within these voter groups that helped JFK’s team tailor campaign messaging for those specific audiences. And those audiences ultimately played a major role in his narrow victory.
The use of advanced data analysis to confirm or disprove a hypothesis is still as prevalent today as it was then.
For example, it’s a key component of threat hunting. A strong hunting program requires 1) an understanding of known attack behaviors 2) awareness of your attack surface (so what is at risk) to inform hypotheses for good hunts; and 3) the right data and expertise to not only ensure that you can remove the signal from the noise, but that you can create good, repeatable paths for analysis.
And that analysis with hunting is far more advanced using a combination of code and humans to conduct cross-correlation and frequency analysis to help extend the monitoring of an infrastructure beyond the one-sided view you can expect with detections.
You need to maintain your hunting program if you want it to succeed. A good hunting program includes tools and processes that ensure analytic rigor (e.g. repeatable analysis and results), a sound feedback loop for hunts, and a team that stays up-to-date on the latest research and how best to use your security tools. All of this requires human resources, time, and a strategy that allows you to evolve your program as needed.
Build? Cost of building a hunting program
The hurdle that many orgs have to overcome is whether to buy or build a threat hunting program. And if building, can the program be effectively implemented and managed on an ongoing basis?
Let’s take a look at a few cost estimates associated with building a security operations centers (SOCs), closely aligned with similar figures outlined by Ponemon Institute in 2021.
SOC-related costs are good indicators of hunting costs because many hunting programs rely on the same tech and staff as the org’s SOC.
Typical SOC cost averages:
- Annual salary for a security analyst: ~ $115,000.
- Intended annual spend for tools:
- ~$180,000 – SIEM
- ~$340,000 – Security Orchestration Automation Response (SOAR)
- ~330,000 – Extended detection & response (XDR)
- Spending on security engineering to make it all work. Cost: ~ $2.5 Million per year
Also, looking at recent data from a SANS study, we see that most orgs don’t have full-time hunting staff. Just 19 percent of respondents were “working as full-time threat hunters at their organizations”and 75 percent of orgs were hunting “using staff that also fulfill other roles within the organization.”
To keep things simple, let’s exclude the budget for security engineering. We’ll also assume all of the relevant people and tech are working on threat hunting 25 percent of the time. Check out the total amount in the chart above. Excluding the cost for security engineering, the average cost of a hunting program (at 25 percent of the annual SOC spend) could easily meet or exceed $200,000.
This breaks down to approximately $16,000 per month for a hunting program that may not be fully used.
Then you need to take into account that those hunting efforts are likely limited to a particular tech platform – like your endpoint detection and response (EDR) tool and infrastructure like Windows Active Directory (AD). Those hunting efforts would have limited visibility across the whole environment.
Does that cost seem reasonable?
To us, it only seems reasonable if, for example, you’re able to identify something during every hunt that reduces the dwell time (time spent undetected in the environment) of an attacker. But finding an attacker is never a guarantee.
Plus, hunting with limited visibility, experience, or time can yield sub-par results and findings. And since hunting isn’t a full-time effort for many orgs, the struggle to implement, manage, and measure hunting continues.
As a result, many orgs find themselves spending a lot of money to build a hunting program that doesn’t provide useful results and is difficult to maintain.
- “When they aren’t focusing on threat hunting, 75% of respondents are focusing on incident response or forensics. Just over half (51%) performed a security architecture/engineering role, and a little over a third (37%) performed system administration functions.”
- “Almost half (45%) of respondents run an ad hoc hunting process that is dependent on their needs. That makes it more difficult to have dedicated resources for threat hunting and leads to less consistent results. Also, most respondents measure the success of threat hunting on an ad hoc basis, making it even more difficult to get numbers that justify employing enough dedicated threat hunters.”
- “Because threat hunting requires the allocation of budget and resources, measuring the effect it has is important. In last year’s survey, we established that most organizations still struggle to measure threat hunting in a consistent way.”
To sum it up: a lot of orgs are making efforts to strengthen their security (at considerable cost) with investments that often include or align with threat hunting.
Yet, these same orgs use staff for hunting whose primary responsibilities are tied to other groups (like SOC or Incident Response). Even with a larger focus on hunting, these orgs often have limited time available to dedicate to hunting and limited visibility into their infrastructure.
Also, without a good process and tools to capture and track results, it’s hard to measure the impact of these hunting efforts over time.
Buy? Value of buying a hunting service
So, if your org knows threat hunting is important but doesn’t have the time and resources to dedicate to effective hunting, what’re your options? Is it worth engaging an outside service to augment the efforts you’re already making? Can a hunting partner give you extra coverage and peace of mind?
To us, it’s a resounding yes.
The best part? You also save money.
According to Aite-Novarica Group’s recent Threat Hunting Impact Report, “Adding this service should be an easy decision for clients to make in light of the value provided. For less than the cost of bringing a single threat hunter on staff, organizations can benefit from a fully managed hunting service utilizing highly experienced hunters and an automated hunting platform.”
Hunting partners should also give you guidance on how to use hunting strategically and set up measurement frameworks. Here at Expel, we’ve identified ways to track the effectiveness of using our hunting service. For example, when an org implements short-term remediations or long-term operational tools and processes as the result of our hunt findings, we track the outcomes over time.
Stay tuned for an upcoming blog discussing one of these tracking tools in more depth – our resilience recommendations.
Ready to learn more? Watch my Fireside chat with ISMG: “The evolution of threat hunting and why it’s more important now than ever.”