Threat hunting is usually thought of as a series of investigative actions performed by analyst teams to cover detection gaps where automated tools fail. However, as these techniques become more and more widespread and standardized, wouldn’t it be more effective to automate a large part of those threat hunting activities?
Alex Pinto demonstrates how to automate threat hunting techniques to augment human activity by encoding analyst intuition into repeatable data extraction and processing technologies. Those techniques can be used to simplify the triage stage and get actionable information from potential threats with minimal human interaction. Alex then offer an overview of the hunting automation maturity model (HAMM), which organizes these techniques around capability milestones, including internal and external context and analytical tooling.
By elevating the quality of data available to your automation processes, you can efficiently simulate analyst intuition on some of the more time-consuming aspects of threat hunting. Incident response teams can then be more productive as soon as the initial triage stages, where instead of sifting through raw log data, they will be able to focus on consuming data products that provide a sixth sense on which events are worth additional analyst time.
Alex Pinto is the chief data scientist of Niddel and the lead for the MLSec Project. Alex is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to automate threat hunting (I know) and making threat intelligence “actionable” (I know, I know). If you care about certifications at all, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. He was also a PCI-QSA for almost seven years but is a mostly ok person in spite of that.
©2017, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • firstname.lastname@example.org