Disrupting the Disruptors: Threat Hunting and the Evolution of SOC Survey
www.mcafee.com/soc-evolution
2Date, specific business group
Research objective
What are the current and predicted best practices for threat hunting for different maturity levels of organizations?
• Impact of automation, artificial intelligence, and machine learning
• Specific tactics of hunters sedimenting into core SOC operations
• Role of sandbox technology
• Key tools to perform threat hunting
• Role of threat intelligence
Report: Disrupting the Disruptors, Art or Science?
Study specifications
• 727 interviews
• Data was collected via online interviews
• Interviews took place in May 2017
Sample source
• McAfee customers, drawn from the Security Product Advisory Council (SPAC): worldwide, English-speaking customers
• General market sample: US, Canada, UK, Germany, Australia, New Zealand, Singapore
Target audience
• Organizations must have more than 1000 employees
• Respondents must spend at least 20% of their time performing threat hunting
• Respondents must have a sandbox and a SIEM in order to qualify
Significance test
• Differences between segments (company size, country, etc.) indicated in this report are based on two-sided tests with a significance level of 95%
• Where the findings for one segment are significantly higher than for another segment, this has been indicated
Research objective & study specifications
[Chart: company size (based on number of employees): 1k-2.5k 31%, 2.5k-5k 30%, 5k-10k 16%, 10k-50k 13%, 50k-100k 6%, >100k 5%]
[Chart: country (US, CA, UK, AU, GE, IN, NZ, SG, Other): 34%, 8%, 21%, 4%, 19%, 1%, 2%, 10%, -; second series: 34%, 8%, 8%, 7%, 5%, 4%, 3%, 3%, 27%. Interviews per region: 302, 296, 129; large enough bases for North America, Europe and Asia]
[Chart: audience segments: Enterprise, Commercial]
The Hunting Maturity Model, developed by Sqrrl's security technologist and hunter David Bianco
Respondents were asked to place their organization into one of 5 levels
Nearly half of the organizations (45%) surveyed would like to be at level 4, three years from now.
Maturity Model – Companies WANT to improve
Where does your company stand today?
Level 0 - Initial: 3%
Level 1 - Minimal: 11%
Level 2 - Procedural: 32%
Level 3 - Innovative: 40%
Level 4 - Leading: 14%
Where would you like to be in 3 years' time?
Level 0 - Initial: 1%
Level 1 - Minimal: 4%
Level 2 - Procedural: 16%
Level 3 - Innovative: 34%
Level 4 - Leading: 45%
Key findings: advanced SOCs get measurably better results
71% of the most advanced SOCs closed incident investigations in less than a week and 37% closed threat investigations in less than 24 hours
Threat hunters in more advanced organizations verify root cause 4.5X (90% over 20%) more than threat hunters at the lower levels of the maturity curve
Advanced SOCs get as much as 45% more value across the board when using sandboxes, saving costs and time, improving workflows, and revealing information otherwise not available
Improve speed and depth of investigations
71% closed in under one week
4.5X as many root causes found
45% more value from advanced sandbox use
So how do advanced SOCs get these results?
68% say they will improve through better automation and threat hunting procedures
More mature SOCs are 2X more likely to automate
Maturity leads to a better, but still mixed, balance of ad hoc and organized processes – the right weapon for the job
Figure out what works, and automate it: human-machine teaming
[Chart: "What percentage of the process is automated?" and "What percentage of the process would you consider to be optimal for automation?", 0% to 80%, by maturity level (Level 0/1, Level 2, Level 3, Level 4)]
Tool Proliferation!
They use sandboxes to dig deeper
[Chart: average number of investigations with a sandbox, by maturity level (Level 0/1, Level 2, Level 3, Level 4), scale 35 to 75: from 42 to 63, a 50% increase]
Environment Complexity!
Unpack the code, man!
“The best is when you can do vulnerability testing and foreclose the threat before it happens. Sandboxing is useful here.”
(interviewed threat hunter, qualitative sessions, McAfee threat hunter survey, May 2017)
Reasons for using multiple sandboxes change with maturity, from being a by-product of a messy environment to supporting sophisticated analysis of advanced threats.
They curate threat intelligence feeds for purpose and buy to fill gaps
SOCs at levels 0/1 rely on public threat intelligence feeds 50% more than on any other type of threat feed. In comparison, SOCs at level 4 are 2x more likely to pay for specialist threat intelligence and nearly 50% more likely to use custom feeds.
[Chart: threat intelligence feed types in use (Paid TI feeds, Internal, Custom, Public TI feeds), scale 0 to 80/100, shown for Level 0/1 and for Level 4]
They do more customization
Mature SOCs spend 70% more time on customization, using scripts and open source more heavily
[Chart: "How much time do you spend researching and customizing tools for threat hunting?" by maturity level (Level 1, Level 2, Level 3, Level 4); percent of respondents (0% to 60%) in each band (less than 5 hours per month, 5-10 hours per month, 10-20 hours per month, more than 20 hours per month), with average hours (0 to 20) overlaid]
Mature threat hunting organizations sustain the good habits of:
• Identifying which processes can be automated
• Using the tools at hand to dig deeper
• Curating intelligence for purpose
• Customizing and tinkering for richer insights
Good hunting is hard work that pays real results