SANS Institute announces first European Summit
Thursday, January 2, 2020
Following its long success in America, the summit will bring its experts, networking opportunities, training and world-class speakers to London on 13th January 2020. The…
SANS Institute, the global leader in cyber security training and certifications, has announced its first Threat Hunting and Incident Response Summit in Europe.
Following its long success in America, the summit will bring its experts, networking opportunities, training and world-class speakers to London on 13th January 2020. The summit will be followed by a week-long SANS training event focused entirely on threat hunting courses.
The announcement coincides with the release of the SANS 2019 Threat Hunting Report which shows that threat hunting is still in its infancy with few dedicated teams in existence and differing views on what constitutes threat hunting and how to hunt.
“Many organisations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts,” said Mathias Fuchs, a SANS instructor and co-author of the survey. “It seems that fewer organisations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps.”
Most respondents report using a variety of reactive approaches to threat hunting, including alerts (40%) or IoCs via a SIEM or other alerting system to find adversary tools or artefacts (57%). Such approaches are excellent supplements, but should not take the place of using proactive hunting techniques. Surprisingly, only 35% of respondents create hypotheses to guide their hunting activities.
Organisations continue to require threat hunters to work in multiple roles. Hunters report having major responsibilities for managing SOC alerts (34%) or incident response and forensics of breaches (26%). Very few organisations have moved to a dedicated hunt team over the past three surveys, indicating that threat hunting—and threat hunting teams—are still in their infancy.
“One reason we aren’t seeing more growth in dedicated threat hunting teams may be that organisations have difficulty measuring the benefits or organisational impact of threat hunting,” posits Josh Lemon, survey co-author and SANS instructor. “Being able to measure and show the performance abilities of a threat hunting team is critical to the life of a team and its engagement by the rest of the business; it's a metric that can make or break a team, its funding or its objectives.”