Improving Threat Hunting with Managed Security Services

by Tim Bandos on Wednesday December 28, 2016

Our Guide to Threat Hunting series concludes with tips for using managed security services to bolster your threat hunting program.

Over the past few weeks our Guide to Threat Hunting series has covered the fundamentals of threat hunting, what you should do to prepare to hunt for threats, the tools and skills you’ll need for threat hunting success, and how to navigate the five stages of threat hunting. Today we’re concluding the series with an article on a valuable asset to any threat hunting program: managed security services.

When do Managed Security Services Make Sense?

If any of these apply to your organization it may make sense to outsource or augment your threat hunting and/or incident response team with managed security services:

Security talent shortage: The severe security talent shortage, especially for cybersecurity professionals, is preventing you from finding and retaining the people you need to build a threat hunting or IR team.
Headcount challenges: The political climate of your organization makes it difficult to gain approval for the 3-5 people you need to build an effective threat hunting or IR team.
Complexity of staying on top of sophisticated threats: Modern malware is sophisticated, targeted, and difficult to detect. According to Verizon’s latest Data Breach Investigations Report, companies on an average went more than 200 days between the time they were breached and the day they discovered the incident. As attacks (and attackers) get smarter, preventing the loss of sensitive data on your own gets harder and harder.

Building the Business Case for Managed Security Services

Engaging a managed security service provider will require organizational buy-in, from IT and security leadership to your CFO or even CEO. So where do you start in building the business case for hiring an MSSP?

Never let an incident go to waste! If your team doesn’t have the correct resources or adequate funding, I always recommend leveraging each and every incident as an opportunity to build your case. Go to upper management and say this: “The breach or incident that just occurred was a result of lacking a more robust security program with layered controls. In order to be more effective at detecting/preventing future attacks, we need A, B, and C.”

When I first started out doing this type of work at my last job, we operated on a shoe string budget. I was on a team of one: just me. There was no one to rely upon so I started to develop our capabilities myself. But as soon as we had our first incident or two, that’s when I was able to start building a case for a budget and adding on to our architecture. Following those initial incidents we implemented passive defense tools and then developed active defense procedures through people, process, and technology. Finally, we strived for a data-driven defense process that was based on intelligence and ultimately the individuals at the top understood the value of a cybersecurity investment when I reported metrics on the number of breaches we prevented.

Digital Guardian’s Managed Security Program for Advanced Threat Protection

As director of cybersecurity at Digital Guardian, I have the job of leading our Advanced Threat Protection Managed Security Program. The program combines security researchers and analysts’ expertise, Digital Guardian’s Next Generation Data Protection Platform, and a centralized threat intelligence management system. This combination enables Digital Guardian to detect and remediate threats faster and more efficiently. You can expect the highest level of protection from threats including polymorphic malware, zero-day attacks, advanced persistent threats (APTs), ransomware, and attacks involving sophisticated data theft methods.

You can learn more about our managed service program here and here, and for more threat hunting tips, check out our eBook: Stopping Cyber Threats - Your Field Guide to Threat Hunting.