Parting the Clouds in Threat Hunting

October 27, 2020
Eric Hanselman
Principal Research Analyst, 451 Research

It’s getting cloudier and cloudier for security professionals and that can be a good thing. As their organizations put cloud to work in more applications, security teams are being tasked with integrating a much broader set of telemetry to make sense of their environment. Building situational awareness is challenging enough with existing environments. But that move to integrate more cloud can be a catalyst for teams to take the step into analytical tools that make them more productive and effective.

In a recent study by 451 Research, part of S&P Global Market Intelligence, 57% of respondents reported that they have either already deployed or are implementing hybrid cloud environments that blend on-premises systems and off-premises clouds. That means they are already having to deal with a host of new types of information that these systems throw off, and with the increased volumes that are available. While more data creates the opportunity for better insights, the skills needed to operate in these new worlds can be in short supply.

Another 451 Research study from the same period shows that the most acute skills shortages reported are in cloud platform expertise and cloud-native functions and tools, followed closely by information security. This combination can mean that not only does the long-term shortage of information security practitioners persist, but the lack of those with cloud-capable skills may be surpassing it. Organizations must understand that they can't expect to hire their way out of these problems.

The use of analytics in security has grown significantly, driven by a long-term need to find force multipliers for burdened teams. That demand has led to a proliferation of terms like artificial intelligence (AI) and machine learning, often accompanied by dramatic claims of their efficacy. The use of these terms has become so widespread that another study of ours in late 2019 had them in the No. 2 spot among the most overhyped security trends or buzzwords, right after blockchain. That's an indication of how difficult it is for security professionals to make sense of the raft of claims that are flooding the market.

So what’s a poor CISO to do in this situation? Despite the perceptions of hype, analytics are the way to move forward and increase both productivity and effectiveness. But they need to keep two things in mind: (1) All AI isn’t created equal and (2) certain telemetry sources are more equal than others.

On the telemetry side of the calculus, data sources that are more trustworthy beat out others. Even in cloudy worlds, network sources have many advantages. They are a solid source of truth, and an attacker has a hard time detecting or tampering with passive network monitoring. Many cloud environments won't be able to provide a network tap, so security teams have to be able to ingest flow logs and access records and use systems that can correlate them.

For analytics, it's important to consider which models are being used and how they are put to work. Unsupervised learning techniques promise the ability to operate with little management, but no successful systems are fully unsupervised. More mature approaches build and tune models that can target different sources and correlate across different telemetry data. They use multiple models and assess the outputs to narrow event generation to those with the right level of confidence.

The combination of the right data and the right analytics can help to part the clouds for security teams and help them to secure what is an important resource for the modern enterprise.

To learn how security operations teams are leveraging modern behavior-based network detection and response (NDR) to threat hunt and stay ahead of attackers, schedule a demo.