{"id":320844,"date":"2024-05-21T05:00:43","date_gmt":"2024-05-21T12:00:43","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=320844"},"modified":"2024-05-21T09:12:56","modified_gmt":"2024-05-21T16:12:56","slug":"upgrade-your-soc-and-hunt-down-threats","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2024\/05\/upgrade-your-soc-and-hunt-down-threats\/","title":{"rendered":"Prowling the Wilds \u2014 Upgrade Your SOC and Hunt Down Threats"},"content":{"rendered":"<p>It would be nice to imagine our SOC analysts as the apex predators of the IT jungle, stalking the network perimeter and tracking the scent of trespassing attackers. But, for most SOCs and their analysts, that\u2019s far from the reality of their operations. Most are overwhelmed by data points and ill-equipped to correlate and analyze them. Analysts, who wish they could proactively hunt down threats and remediate vulnerabilities, are too busy churning through alerts and documenting false positives. According to our <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/unit-42-incident-response-report\">2024 Unit 42 Incident Response Report<\/a>, 90% of SOCs say they rely on manual processes.<\/p>\n<p>It\u2019s not just a haystack that SOC analysts are combing through; it\u2019s a hay mountain. They are sniffing for even a trace of compromise. Forget finding a needle. Most don\u2019t even know how many needles there are.<\/p>\n<p>SOC leaders need to outfit their analysts with the right gear and training. <a href=\"https:\/\/start.paloaltonetworks.com\/modernize-your-soc-playbook.html\">Upgrade your SOC<\/a> and analysts, so they can hunt down the threats lurking in your network.<\/p>\n<h2><a id=\"post-320844-_nm77uhknb8j4\"><\/a>SOC Analysts Are Burnt Out<\/h2>\n<p>Everyone knows there is still a shortage of cybersecurity professionals. 
Federal initiatives, like <a href=\"https:\/\/www.nist.gov\/itl\/applied-cybersecurity\/nice\" rel=\"nofollow,noopener\" >NICE<\/a>, seek and promote \u201can integrated ecosystem of cybersecurity education, training, and workforce development,\u201d but the demand for qualified professionals continues to outpace the supply.<\/p>\n<p>No one feels the strain more than SOC leaders, who struggle to keep their SOC staffed 24\/7 with experienced personnel. Analysts are fleeing SOCs in droves, and <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/60-soc-analysts-planning-quit-next\/\" rel=\"nofollow,noopener\" >industry reports<\/a> provide some answers as to why:<\/p>\n<ul>\n<li>71% say they\u2019re burnt out by SOC work.<\/li>\n<li>69% claim their SOC is understaffed.<\/li>\n<li>60% say the workload is increasing.<\/li>\n<li>64% spend more than half of their time performing manual tasks.<\/li>\n<li>66% indicate that the majority of work could be automated.<\/li>\n<li>60% say they plan to quit their jobs.<\/li>\n<\/ul>\n<p>SOC analysts say they spend too much time investigating and reporting false positives. They\u2019re overwhelmed by disparate data points and forced to triage alerts. They also claim that reporting is one of their least favorite tasks and consumes most of their time, especially when the majority of reports say \u201cNothing to see here.\u201d<\/p>\n<p>Threat hunting appeals to budding and enthusiastic cybersecurity professionals, but the reality of SOC life sends them searching for new opportunities.<\/p>\n<h2><a id=\"post-320844-_5h6hypa47rqr\"><\/a>Why SOC Analysts Are Walking Away<\/h2>\n<p>Infosec professionals are typically excited about SOC work, at least in theory. They know that automated processes and smart tools could empower them to make high-level decisions about potential threats.<\/p>\n<p>Most discover, however, that manual processes and poorly tuned tools make the SOC a miserable place to work. 
Instead of proactively hunting for vulnerabilities and advanced persistent threats on the network, they spend all their time just trying to catch up.<\/p>\n<p>The majority of SOC work revolves around investigating alerts generated by dozens of tools. Consider the extraordinary number of devices in an enterprise organization. Each generates its own logs and produces a data trail that may contain indicators of attack and\/or compromise (IOAs and IOCs):<\/p>\n<ul>\n<li>Firewalls\n<ul>\n<li>A large number of connection attempts are made from a single IP address in a short period (a potential port scan or denial-of-service attempt).<\/li>\n<li>A user attempts to access a restricted resource from an unauthorized location (a potentially compromised account).<\/li>\n<\/ul>\n<\/li>\n<li>Intrusion Detection System (IDS)\n<ul>\n<li>A known malware signature is detected in traffic to or from a system (a potential malware infection).<\/li>\n<li>A user attempts to exploit a known system vulnerability (a potential privilege escalation).<\/li>\n<\/ul>\n<\/li>\n<li>Security Information and Event Management (SIEM)\n<ul>\n<li>Multiple failed login attempts occur for a critical system account within a short window (a potential brute-force attack).<\/li>\n<li>A user account with high privileges accesses sensitive data outside of regular working hours (a potential insider threat or compromised credentials).<\/li>\n<\/ul>\n<\/li>\n<li>Endpoint Detection and Response (EDR)\n<ul>\n<li>A process rapidly reads and rewrites large numbers of user files it has no business touching (potential ransomware encryption).<\/li>\n<li>A user's device connects to a known malicious domain (a potential phishing or command-and-control connection).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The average SOC receives tens of thousands of alerts each day. 
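<\/p>
<p>Each alert pattern in the list above is a rule evaluated over a stream of events, and the correlation a SIEM performs before an analyst ever sees an alert is easy to show in code. The following is an added example written for this article; it is not code from the post or from any Palo Alto Networks product. The event records, the thresholds, the privileged-account list and the business-hours window are all constructed assumptions. It implements three of the rules above (brute force against one account, a connection burst from one source IP, and off-hours privileged access to sensitive data) with a sliding window per account or source IP, and fires once per burst so that one attack does not turn into a hundred alerts.<\/p>
```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Rule parameters (assumed values; tune to the environment).
BRUTE_FORCE_THRESHOLD, BRUTE_FORCE_WINDOW_S = 5, 60
CONN_BURST_THRESHOLD, CONN_BURST_WINDOW_S = 20, 10
BUSINESS_HOURS = (time(8, 0), time(18, 0))
PRIVILEGED_USERS = {'da_jsmith'}            # assumed: domain admin accounts
SENSITIVE_PREFIXES = ('/finance/', '/hr/')  # assumed: paths tagged sensitive

# Constructed sample telemetry (not real logs): normalized events as a SIEM
# might receive them from a firewall, a directory server and an EDR agent.
SAMPLE_EVENTS = [
    # six failed logins for one service account inside a minute -> brute force
    *[{'ts': f'2024-05-20T14:00:{s:02d}', 'type': 'auth_fail',
       'user': 'svc_backup', 'src_ip': '10.0.0.7'} for s in range(0, 60, 10)],
    # a privileged account reads payroll data at 02:15 -> off-hours access
    {'ts': '2024-05-20T02:15:00', 'type': 'file_read', 'user': 'da_jsmith',
     'path': '/finance/payroll.xlsx', 'src_ip': '10.0.0.21'},
    # the same read during business hours -> no alert
    {'ts': '2024-05-20T10:15:00', 'type': 'file_read', 'user': 'da_jsmith',
     'path': '/finance/payroll.xlsx', 'src_ip': '10.0.0.21'},
    # 25 connection attempts from one external IP in five seconds -> burst
    *[{'ts': f'2024-05-20T14:30:{s // 5:02d}', 'type': 'connection',
       'src_ip': '203.0.113.9', 'dst_port': 1000 + s} for s in range(25)],
    # one isolated failed login -> below threshold, no alert
    {'ts': '2024-05-20T15:00:00', 'type': 'auth_fail', 'user': 'alice',
     'src_ip': '10.0.0.8'},
]


def _count_in_window(windows, key, ts, window_s):
    # Sliding window per key: append, evict anything older than window_s, count.
    window = windows[key]
    window.append(ts)
    cutoff = ts - timedelta(seconds=window_s)
    while window and window[0] < cutoff:
        window.popleft()
    return len(window)


def correlate(events):
    # Run the three rules over events in time order and return the alerts.
    alerts = []
    fail_windows = defaultdict(deque)
    conn_windows = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e['ts']):
        ts = datetime.fromisoformat(ev['ts'])
        if ev['type'] == 'auth_fail':
            n = _count_in_window(fail_windows, ev['user'], ts, BRUTE_FORCE_WINDOW_S)
            if n >= BRUTE_FORCE_THRESHOLD:
                alerts.append({'rule': 'brute_force', 'key': ev['user'],
                               'count': n, 'ts': ev['ts']})
                fail_windows[ev['user']].clear()  # one alert per burst, not per event
        elif ev['type'] == 'connection':
            n = _count_in_window(conn_windows, ev['src_ip'], ts, CONN_BURST_WINDOW_S)
            if n >= CONN_BURST_THRESHOLD:
                alerts.append({'rule': 'connection_burst', 'key': ev['src_ip'],
                               'count': n, 'ts': ev['ts']})
                conn_windows[ev['src_ip']].clear()
        elif ev['type'] == 'file_read':
            in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
            if (ev['user'] in PRIVILEGED_USERS
                    and ev['path'].startswith(SENSITIVE_PREFIXES)
                    and not in_hours):
                alerts.append({'rule': 'off_hours_privileged_access',
                               'key': ev['user'], 'path': ev['path'], 'ts': ev['ts']})
    return alerts


if __name__ == '__main__':
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```
<p>Run on the constructed events, the script emits exactly three alerts from 34 input events: the off-hours read, one brute-force alert at the fifth failure, and one connection-burst alert at the twentieth attempt. Two details matter for triage load: events must be sorted by timestamp before the window logic is meaningful, and clearing the window after an alert is what keeps a single burst from producing an alert per event.<\/p>
<p>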
Without tools that can automatically aggregate and categorize relevant telemetry, SOC analysts are burned out chasing ghosts across treacherous, unmapped terrain.<\/p>\n<h2><a id=\"post-320844-_jymcxukpbso2\"><\/a>Hunting the Wilds<\/h2>\n<p>Analysts would prefer to be prowling the wilds and <a href=\"https:\/\/www.youtube.com\/watch?v=yHwDTXt8Vjo\" rel=\"nofollow,noopener\" >proactively hunting for threats<\/a>.<\/p>\n<p>Threat hunting is the systematic pursuit of hidden threats within your network. It's a multipronged approach: hunters assume existing defenses have been bypassed, flush out the intruders and advanced persistent threats (APTs) that slipped through, and feed what they find back into hardening those defenses. Hunters employ various tactics:<\/p>\n<p><strong>Indicators of Attack and Tactics, Techniques and Procedures (TTPs)<\/strong><\/p>\n<p>Hunters search for patterns associated with known attacker behavior, such as unusual data exfiltration attempts (large file transfers at odd hours) or reconnaissance activities (probing for vulnerabilities). This often involves analyzing network traffic logs and endpoint activity for suspicious patterns.<\/p>\n<p><strong>Indicators of Compromise (IOCs)<\/strong><\/p>\n<p>These are specific artifacts of known malware or malicious activity, such as a known command and control (C2) server address or a specific malware file hash. Hunters match IOCs from threat intelligence feeds against internal security data, and extract new IOCs from their own incidents to feed back into the hunt.<\/p>\n<p><strong>Hypothesis-Driven Hunting<\/strong><\/p>\n<p>This involves developing hypotheses about potential threats based on industry trends, intelligence reports or internal security incidents. Hunters then test these hypotheses by searching for specific indicators or patterns within network and endpoint data.<\/p>\n<p><strong>Specialized Techniques<\/strong><\/p>\n<p>There are various techniques used in threat hunting, such as network traffic analysis, memory forensics and endpoint analysis. 
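<\/p>
<p>Two of the tactics above, an IOC sweep against a threat intelligence feed and a hypothesis-driven hunt for off-hours data exfiltration, are shown together below as an added example written for this article. It is not code from the post, from Unit 42 or from Cortex. The intel feed, the flow and process records, the TEST-NET addresses and the 10x-baseline threshold are all constructed placeholders. The two hunts are deliberately complementary: the small beacon to a listed C2 address is found only by the IOC match, while the 900 MB night-time transfer to an address that no feed lists is found only by the hypothesis.<\/p>
```python
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

# Constructed threat intelligence feed: placeholder indicators, not real ones.
THREAT_INTEL = {
    'c2_ips': {'198.51.100.23'},
    'c2_domains': {'cdn-update.invalid'},
    'file_sha256': {'deadbeef' * 8},
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))
EXFIL_MULTIPLIER = 10  # assumed: off-hours flow must exceed 10x the host's daytime mean

# Constructed telemetry (not real data). Flows as a firewall or NetFlow
# collector exports them; process starts as an EDR agent reports them.
FLOWS = [
    {'ts': '2024-05-20T09:00:00', 'host': 'ws-042', 'dst_ip': '192.0.2.10',
     'dst_domain': 'intranet.example', 'bytes_out': 50_000},
    {'ts': '2024-05-20T11:30:00', 'host': 'ws-042', 'dst_ip': '192.0.2.10',
     'dst_domain': 'intranet.example', 'bytes_out': 80_000},
    {'ts': '2024-05-20T16:45:00', 'host': 'ws-042', 'dst_ip': '192.0.2.10',
     'dst_domain': 'intranet.example', 'bytes_out': 20_000},
    # small beacon to a listed C2 address: only the IOC sweep sees it
    {'ts': '2024-05-20T12:00:00', 'host': 'ws-042', 'dst_ip': '198.51.100.23',
     'dst_domain': None, 'bytes_out': 1_200},
    # 900 MB to an address no feed lists, at 03:10: only the hypothesis sees it
    {'ts': '2024-05-21T03:10:00', 'host': 'ws-042', 'dst_ip': '203.0.113.77',
     'dst_domain': 'share.example', 'bytes_out': 900_000_000},
    # modest off-hours traffic: below the threshold, not a lead
    {'ts': '2024-05-21T23:30:00', 'host': 'ws-042', 'dst_ip': '192.0.2.10',
     'dst_domain': 'intranet.example', 'bytes_out': 30_000},
    {'ts': '2024-05-20T10:00:00', 'host': 'ws-017', 'dst_ip': '192.0.2.10',
     'dst_domain': 'intranet.example', 'bytes_out': 100_000},
]
PROCESSES = [
    {'ts': '2024-05-20T10:05:00', 'host': 'ws-017', 'image': 'svchost.exe',
     'sha256': '0' * 64},
    {'ts': '2024-05-20T10:06:00', 'host': 'ws-017', 'image': 'updater.exe',
     'sha256': 'deadbeef' * 8},
]


def _in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]


def ioc_sweep(flows, processes, intel):
    # Known-bad matching: compare every destination and file hash to the feed.
    leads = []
    for f in flows:
        if f['dst_ip'] in intel['c2_ips']:
            leads.append({'hunt': 'ioc_c2', 'host': f['host'], 'ts': f['ts'],
                          'indicator': f['dst_ip']})
        elif f['dst_domain'] in intel['c2_domains']:
            leads.append({'hunt': 'ioc_c2', 'host': f['host'], 'ts': f['ts'],
                          'indicator': f['dst_domain']})
    for p in processes:
        if p['sha256'] in intel['file_sha256']:
            leads.append({'hunt': 'ioc_hash', 'host': p['host'], 'ts': p['ts'],
                          'indicator': p['sha256'], 'image': p['image']})
    return leads


def exfil_hunt(flows, multiplier=EXFIL_MULTIPLIER):
    # Hypothesis: staged exfiltration shows up as off-hours outbound volume far
    # above what the same host sends during the working day.
    daytime = defaultdict(list)
    for f in flows:
        if _in_business_hours(datetime.fromisoformat(f['ts'])):
            daytime[f['host']].append(f['bytes_out'])
    leads = []
    for f in flows:
        if _in_business_hours(datetime.fromisoformat(f['ts'])):
            continue
        if f['host'] not in daytime:
            continue  # no daytime baseline for this host: cannot judge, do not guess
        baseline = mean(daytime[f['host']])
        if f['bytes_out'] > multiplier * baseline:
            leads.append({'hunt': 'exfil_hypothesis', 'host': f['host'],
                          'ts': f['ts'], 'dst_ip': f['dst_ip'],
                          'bytes_out': f['bytes_out'], 'baseline': baseline})
    return leads


def hunt(flows=FLOWS, processes=PROCESSES, intel=THREAT_INTEL):
    return ioc_sweep(flows, processes, intel) + exfil_hunt(flows)


if __name__ == '__main__':
    for lead in hunt():
        print(lead)
```
<p>On the constructed data the sweep returns three leads: the C2 beacon from ws-042, the known-bad hash running as updater.exe on ws-017, and the night-time 900 MB transfer from ws-042, whose daytime baseline works out to 37,800 bytes per flow. A host with no daytime flows is skipped rather than flagged, because a baseline of zero would turn every off-hours byte into a lead; that is the sort of edge case that produces the false-positive pile the rest of this article is about.<\/p>
<p>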
The specific techniques used will depend on the nature of the hunt and the available data.<\/p>\n<p>The right tools are crucial for threat hunting. Well-tuned solutions can connect the dots across disparate data sources, helping analysts prioritize legitimate threats for investigation.<\/p>\n<p>For example, security platforms that offer threat-hunting capabilities can automate some tasks, like log analysis and threat correlation, and provide context for analyst investigations with threat intelligence feeds.<\/p>\n<h2><a id=\"post-320844-_fp4v0frtogjl\"><\/a>Upgrading SOC Operations<\/h2>\n<p>There\u2019s just too much data to correlate and analyze \u2014 activity from every device on the network, including nodes that facilitate inbound and outbound traffic from anywhere in the world. Automation is inevitable.<\/p>\n<p>Many SOCs get buried by their tools, triaging alerts that are almost always false positives. SOCs need smart, calibrated tools that can connect thousands of inputs and analyze activity from a multitude of perspectives.<\/p>\n<p>Most SOCs struggle to reconcile insights generated by their tools \u2014 XDR, SOAR, ASM, SIEM, etc. 
Solutions like <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xsiam\">Cortex XSIAM<\/a> combine these components and connect all the data points to generate legitimate leads.<\/p>\n<p>Cortex XSIAM leverages AI models for advanced analysis that streamlines the decision-making process, which enables analysts to spend less time investigating and documenting dead-end leads, and more time hunting big game.<\/p>\n<h2><a id=\"post-320844-_r4ccg78xi0f0\"><\/a>Make the Proactive Shift<\/h2>\n<p>A successful threat-hunting program offers several benefits beyond simply identifying and mitigating threats:<\/p>\n<ul>\n<li>Reduced Dwell Time \u2013 Threat hunting helps identify threats earlier in the attack lifecycle before they can cause significant damage.<\/li>\n<li>Improved Security Posture \u2013 Threat hunting exposes weaknesses in your defenses. By proactively searching for threats, you can identify and address those gaps before attackers exploit them.<\/li>\n<li>Enhanced Threat Intelligence \u2013 Threat hunting can help you develop a deeper understanding of the threats targeting your organization. Leverage the knowledge gained from investigations to improve your security strategy and inform future hunts.<\/li>\n<li>Boosted Analyst Morale \u2013 Threat hunting empowers analysts by giving them the opportunity to proactively use their skills and knowledge. This can help to reduce burnout and improve overall job satisfaction.<\/li>\n<\/ul>\n<p>Attackers have evolved, leveraging automation and AI to launch more sophisticated campaigns. The modern SOC needs to meet this challenge head-on with superior firepower. SOC analysts should command fleets, not paddle around in a rowboat.<\/p>\n<p>Take a machine-led, human-powered approach to threat hunting. Fight fire with fire \u2013 upgrade your SOC and your analysts with AI-powered tools that give them the advantage.<\/p>\n<p>Want to learn more? 
Find out how <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/respond\/managed-threat-hunting\">Unit 42 Managed Threat Hunting Services<\/a> can help you proactively hunt down threats in your environment. You can also <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/webcasts\/investigation-and-threat-hunting-virtual-hands-on-workshop\">register for our upcoming workshop<\/a> to sharpen your investigation and threat hunting skills.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SOC leaders need to outfit their analysts with the right gear and training. Upgrade your SOC and analysts to hunt down the threats lurking in your network.<\/p>\n","protected":false},"author":133,"featured_media":320845,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6717,483],"tags":[8906,8854,635],"coauthors":[1222],"class_list":["post-320844","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products-and-services","category-unit42","tag-cortex-xsiam","tag-incident-response-report","tag-soc","sec_ops_category-product-features"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2024\/05\/AdobeStock_621254974-edit-2.jpeg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/320844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/133"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/
wp-json\/wp\/v2\/comments?post=320844"}],"version-history":[{"count":3,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/320844\/revisions"}],"predecessor-version":[{"id":320859,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/320844\/revisions\/320859"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/320845"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=320844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=320844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=320844"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=320844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}