Why Managed Threat Hunting Should Top Every CISO’s Holiday Wish List

With the end of the year fast approaching, many of us are looking forward to a well-deserved break. However, security practitioners and security leaders worldwide are bracing themselves for what has become a peak period for novel and disruptive threats. 

In 2020, the holiday season was marked by the SUNBURST incident, and in 2021 the world grappled with Log4Shell. While we don’t know what this holiday season has in store, it has never been more important for organizations to take a proactive approach to security protections. 

What the aforementioned threats have in common is the ability to evade automated detection capabilities. This holiday season, the price of peace of mind is an investment in the capability to quickly and accurately detect novel threats that attempt to circumvent technology-based defenses. 

Searching for unknown threats is a highly specialized field that requires expert practitioners, finely tuned tooling and both continuous and granular visibility into the events occurring across an environment. In combination, these elements enable threat hunters to derive patterns of known adversary behavior from otherwise unique and novel circumstances. Whether threat hunting happens in house, is outsourced or is performed via a hybrid model, when done well, it provides a crucial safeguard against constantly evolving adversary tradecraft. 

This blog examines the value an organization can derive from effective threat hunting operations. Using customer-reported impacts, it also looks at some of the expected and unexpected value a managed threat hunting service can deliver. CrowdStrike has collaborated with customers to validate the business value realized from outsourcing their threat hunting to the 24/7 CrowdStrike® Falcon OverWatch managed threat hunting service. These figures are based on their real-world experience with the service. 

This holiday season, every organization needs to ask themselves:

  • Does my threat hunting capability deliver peace of mind in the face of constantly evolving threats?
  • How do we know if we’re receiving necessary protection and value from our threat hunting? 

Assess the Value of Your Organization’s Threat Hunting

Is your threat hunting team adequately resourced to provide comprehensive coverage?

Effective threat hunting isn’t dark magic — it is an activity that requires 24/7 coverage and culminates from dedicating time, resources and expertise to baselining, investigating and building hypotheses. It requires around-the-clock vigilance because adversaries routinely operate outside of core business hours and can move quickly once they gain access.

Organizations need to maintain sufficient staffing to ensure continuous coverage to stay ahead of the accelerating tempo of today’s adversarial activity. On average, enterprise customers found that deploying the Falcon OverWatch service in their environment augmented their security teams by offsetting five full-time equivalent (FTE) threat hunters, or roughly $735,000 USD a year. Over three years, this equates to $2.2 million USD in offset FTE hours from partnering with in-house security teams to provide continuous threat hunting coverage and enabling them to focus on high-priority issues. For organizations with a complex patchwork of technology assets, systems and software solutions, more threat hunters may be required to build out particular specializations and provide comprehensive coverage. Customers reported that Falcon OverWatch managed hunting offset as many as 14 FTE threat hunters. 

Customers recognize the value of the Falcon OverWatch team’s around-the-clock coverage. Shannon Lawson, Chief Information Security Officer for the City of Phoenix, explained, “CrowdStrike is there for us 24/7 and gives more flexibility for my team to take time off as the company really has our back.”

Partnering with a managed threat hunting service also addresses the challenge of recruiting and maintaining a suitably skilled and experienced workforce in an industry facing significant staffing shortages that can put organizations at increased risk of cyberattack. Falcon OverWatch managed threat hunting provides immediate access to the skills organizations need to secure their environments with flexibility to scale, and also immediate value with comprehensive visibility upon rollout — in fact, Falcon OverWatch often detects pre-existing intrusions during deployment to a new customer environment.

Watch this short video to see how Falcon OverWatch proactively hunts for threats in your environment. 

Is your threat hunting team efficient and effective?

True threat hunting must be human-driven, because human ingenuity is needed to accurately discern the patterns of malicious hands-on intrusions from otherwise legitimate user activity. However, for a human-driven solution to be able to scale effectively, it needs to work synergistically with technology and process so threat hunters can focus their attention on the data that matters — and ignore the data that doesn’t.

Over years of service, Falcon OverWatch has built a library of unique behavioral indicators, each curated and continuously fine-tuned to surface the faintest signals of potentially malicious activity. These behavioral indicators, called hunting leads, have no fidelity on their own. However, when viewed through the lens of Falcon OverWatch’s proprietary tooling and contextualized by expert threat hunters, they enable the visualization of “bursts” of activity indicative of potentially malicious activity. 

Every year, Falcon OverWatch sees approximately 2.8 million hunting leads in the average customer environment. Only a small proportion of these will be found to be linked to malicious activity, but all of them must be assessed, contextualized and prioritized to ensure even the faintest signal of malicious activity isn’t missed. To conduct these reviews quickly and at scale, Falcon OverWatch leverages a suite of proprietary tooling, including seven patented tools, to distill this vast sea of data and return just a fraction of that data — classified, grouped and graphically represented for hunters to sift through. 

By contrast, an in-house threat hunting function would need to sift through thousands, if not millions, of hunting leads before being able to investigate or analyze any potentially malicious activity. What’s more, customers reported that investigating potentially malicious findings takes an average of 45 minutes. 

The speed and efficiency of Falcon OverWatch’s finely tuned technology ensures human-led investigations begin rapidly and can provide near real-time insight into the threats in a customer’s environment. This is crucial in hands-on intrusions, where minutes matter. Falcon OverWatch saves significant time in both analysis of leads and investigation of potential threats, affording customers more time to remediate identified threats before an adversary can embed too deeply or carry out their intrusion objectives. 

Falcon OverWatch technology also helps free up threat hunters to undertake proactive and experimental approaches to uncovering novel adversary activity, building knowledge of the latest adversary tradecraft, and contributing to hundreds of new behavioral-based preventions for the CrowdStrike Falcon® platform every year. 

Just as too much data can challenge in-house threat hunting, so too can too little data. A large dataset provides a real-time global baseline of expected activity and unparalleled visibility of anomalous activity. Being part of an expansive ecosystem, Falcon OverWatch customers benefit from community immunity. Threat hunting findings at one organization are immediately fed back into hunting workflows and used to fine-tune detections. This scale of visibility and insight is impossible to replicate at the organizational level.

Does your threat hunting team position your organization as having strong cybersecurity?

Consumers and businesses are increasingly sensitive to the risk they accept every time they interact with a new organization. Effective cybersecurity is now part of the equation when assessing the suitability of an organization as a vendor or partner.

A 2021 survey of global IT leaders found that 84% of those surveyed believed that software supply chain attacks have the potential to become one of the biggest cyber threats to organizations like theirs within the next three years. Meanwhile, the Thales 2022 Consumer Digital Trust Index survey found that 1 in 5 consumers stopped using a company after it suffered a data breach.

Having a strong security posture, including effective threat hunting against novel threats, is crucial to building goodwill with discerning consumers and partners. Working with an independently recognized leader in threat hunting helps show that your organization prioritizes the security of your data and the data of your customers and constituents. 

Stefano Libriani, CIO at Europe Energy, has seen firsthand the value of partnering with a recognized security leader: 

“One of the biggest advantages of the partnership has been using the CrowdStrike brand to reinforce ours. We can now demonstrate to our customers and other stakeholders that by deploying CrowdStrike — one of the best and well-known security solutions on the market — we are protecting them and their data even more effectively and robustly than ever before.”

To maintain this credibility and reputation, CrowdStrike routinely submits its products and services to independent evaluations. CrowdStrike recently achieved the highest detection coverage in the first-ever closed-book MITRE ATT&CK® Evaluations for Security Service Providers. The Falcon platform’s integration of industry-leading technology and human expertise enabled us to deliver complete coverage, detecting 75 of 76 adversary techniques.

Why Your Organization Should Prioritize Threat Hunting

The only certainty in cybersecurity is that new threats are always imminent. Organizations can no longer be excused for being caught off guard from failing to proactively address the risk of novel or sophisticated attacks.

Partnering with a reputable managed threat hunting service will drive more value from your security investments, immediately allowing your organization to:

  • Benefit from a highly skilled and instantly deployable workforce. 
  • Remove the overhead of recruiting and training new staff in a tight labor market. 
  • Gain herd immunity derived from being part of a global security ecosystem to sooner protect your organization from novel threats. 
  • Protect its reputation and ensure it remains trusted by customers and partners alike.

If you have any hesitation about investing in threat hunting, consider this: A failure to detect a threat might come at an even higher price. 

Additional Resources

Related Content