SANS Institute Identifies Barriers to Effective Threat Hunting

New survey sheds light on how organizations are implementing threat hunting and potential areas for improvement.

  • Bethesda, MD
  • May 20, 2020

As more organizations implement threat hunting operations, a new SANS Institute survey, “Is Your Threat Hunting Effective?,” finds that they are facing common challenges with employing skilled staff and collecting quality threat intelligence.

“Without a sufficient number of skilled staff, high-quality intelligence, and the right tools to get visibility into the infrastructure, success with threat hunting will remain limited,” says survey author Mathias Fuchs. “A world where we’ll see a unified, widely accepted golden standard of threat hunting remains in the future, but we are headed in the right direction.”

The survey, sponsored by Cyborg Security, highlights key challenges, limitations, and successes that organizations self-identify about their approach to threat hunting. Results indicate that threat hunting has arrived in the majority of organizations:

  • 65% of respondent organizations report they are already performing some form of threat hunting
  • Another 29% are planning to implement threat hunting within the next 12 months

With the concept of threat hunting being relatively new for many organizations, however, only 29% of respondents consider themselves mature or very mature in their threat hunting, with nearly 68% self-identifying their threat hunting as immature or still maturing.

Many organizations indicate that one of their top challenges is finding and employing the right experts to enable them to maintain an advanced threat hunting operation. A second main challenge respondents face is the quality of threat intelligence upon which their threat hunting is based. Even though many organizations struggle to attract qualified threat hunters, only 21% of respondents currently outsource their threat hunting activities to external parties. Despite that, the majority of respondents rely on externally produced threat intelligence, yet only one-third of respondents claim they are highly satisfied with their sources. This presents an opportunity for organizations to improve, as well-curated threat intelligence can be leveraged to augment inexperienced threat hunters.

The survey data also showed that organizations are beginning to have methodologies in place that enable them to measure the benefit of threat hunting, which bodes well for broader industry.

“Measuring the benefits of threat hunting is important,” Fuchs says. “Good threat hunting means that you probably never hear from these teams. The only indication for upper management that threat hunting even exists is that they have to foot the bill. That might be a tough sell, so if we have more ways to express the benefit of threat hunting, funding might get better, which ultimately might advance the general maturity level of threat hunting in the industry.”

Dive deeper into the survey results and learn more about what makes for a successful threat hunting operation in the SANS webcast taking place on May 27, 2020 at 1:00 p.m. EDT (17:00 UTC), with survey author Mathias Fuchs and Cyborg Security CEO and founder Dave Amsler. Register to attend the webcast at https://www.sans.org/webcasts/113480

Those who register will be among the first to receive the associated report paper, also written by Mathias Fuchs, survey author and SANS Instructor.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)