How can IT security threat hunters measure success? That's one of the core questions raised in the SANS Threat Hunting Survey, co-sponsored by Authentic8.
The answer may lie in a strategy and tool selection that avoids mission and cost creep, and results in measurable effects - and savings - to prove it.
That’s our main takeaway from this year’s Threat Hunting Survey. Co-authors Mathias Fuchs and Joshua Lemon capture the different needs and challenges within organizations that are just starting their cyber threat hunting program, versus those who are honing their skills and programs.
What is threat hunting? The SANS survey results document a wide variety of methodologies, spending priorities, tools deployed, training needs - and opinions about what constitutes effective threat hunting practices.
"Many organizations use an alert-driven approach to threat hunting or use indicators of compromise [IoCs] to guide their hunts," says Mathias Fuchs, a SANS instructor and threat hunting expert. "It seems that fewer organizations are using hypothesis-driven hunting—and that could leave them vulnerable to dangerous visibility gaps."
Most respondents report using reactive approaches to threat hunting: 40% start hunts from alerts, and 57% use IoCs fed through a SIEM or other alerting system to look for adversary tools or artifacts.
Silo for Research saves money and resources compared with the “DIY approach” of assembling a threat hunting platform from off-the-shelf and open source components. Many threat hunters face questions in their organizations about the cost creep and the configuration, maintenance, and post-mission clean-up burden that the DIY approach creates.
Threat hunting teams that deploy Silo for Research save on average 89% annually over those who operate a custom-made solution, as an itemized comparison shows.