The “Left of Boom”
by Vertek Labs
Boom, and just like that you are compromised. The “Left of Boom” is the timeframe beforehand, the preventative approach. While much of the industry attention has been on the ability to react quickly and contain intrusions, or “Right of Boom,” it is the prioritization of detecting and responding to a threat before it compromises a system where a truly comprehensive and effective approach lies. Detecting attacks early can make the difference between facing an attempt and dealing with a complete incident response and recovery effort that might stretch over weeks, months and even years, resulting in potential losses of millions of dollars for an organization.
Threat hunting is an undoubtedly necessary but often overlooked security tactic in an effective defense strategy. Today’s threats are only growing in sophistication and, in turn, in their ability to evade detection. Through the power of a SOAR or SIEM platform such as AlienVault Unified Security Management (USM) Anywhere, combined with Vertek’s Managed Cybersecurity and Threat Intelligence services, you can significantly enhance the effectiveness of the practice. Through a single pane of glass, it is possible to conduct a thorough analysis and ready a strategic decision-making process.
It begins with the ability to aggregate data from a vast array of sources across a wide range of environmental complexities. Detailed event logs lead the way to structured contextual data, giving an analyst the opportunity to delve deeper into potential threats before they can cause considerable damage. Automated solutions are a valuable and much-needed approach, but they can only get you as far as they are instructed, and the threats that slip past them can be sophisticated and capable of considerable damage.
Identifying previously unknown or ongoing, non-remediated threats involves proactively searching for indicators of compromise (IOCs) and analyzing them. This practice includes searching for malicious domains and IPs, identifying suspicious processes or unexplained changes to system files, and seeking irregular data access or high transfer volumes. These are just a few of the artifacts or activities that indicate a potential system compromise or attack. In addition, AlienVault USM Anywhere can connect directly to the AlienVault Open Threat Exchange, evaluating every single log against thousands of ‘pulses’ that are constantly created and updated.
The result is a holistic view of the environment. Custom queries can be drafted from these IOCs and run against the log sources; analysts then determine the significance of any hits and investigate the findings. This informs custom detection rules, alerts, and reports. The flexibility to filter by breadth and granularity, such as focusing on specific sources, enhances hunting, and the amount of ingestible data makes a substantial difference. Threat hunting requires ongoing refinement as threats evolve; continuous improvement ensures emerging threats are addressed proactively.
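To make the hunt described above concrete, here is an added example (not Vertek’s or AlienVault’s code, and not how USM Anywhere or OTX are implemented internally) that evaluates a handful of log lines against a small threat-intelligence “pulse” and against a custom per-source query. The pulse indicators, the log lines and their `<host> <type> key=value` format are all constructed for the example; the volume threshold and the /tmp heuristic are assumptions an analyst would tune for their own environment.

```python
"""Tiny IOC hunt over constructed log lines (added example, not vendor code)."""
import re
from collections import defaultdict

# Constructed "pulse": indicators an analyst pulled from threat intel.
# Every value here is made up for the example; none is a real indicator.
PULSE = {
    "domains": {"update-check.example-bad.test", "cdn.malicious.invalid"},
    "ips": {"203.0.113.45", "198.51.100.7"},
    "file_paths": {"/etc/ld.so.preload"},  # unexplained changes here merit a look
}

# Constructed sample events in an assumed "<host> <type> key=value ..." format.
SAMPLE_LOGS = [
    "ws-12 dns query=update-check.example-bad.test",
    "ws-12 conn dst=203.0.113.45 bytes_out=524288000",
    "ws-07 dns query=www.example.com",
    "ws-07 conn dst=192.0.2.10 bytes_out=2048",
    "srv-01 file_change path=/etc/ld.so.preload user=www-data",
    "ws-07 conn dst=192.0.2.10 bytes_out=1048576",
    "srv-01 process name=/tmp/.x/kworker parent=cron",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn '<host> <type> k=v k=v' into a dict; unparseable lines are kept, not dropped."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return {"host": "?", "type": "unparsed", "raw": line}
    fields = dict(KV_RE.findall(parts[2])) if len(parts) == 3 else {}
    return {**fields, "host": parts[0], "type": parts[1]}


def match_iocs(events, pulse):
    """Evaluate every event against the pulse: domains, IPs and watched file paths."""
    findings = []
    for ev in events:
        if ev["type"] == "dns" and ev.get("query") in pulse["domains"]:
            findings.append({"host": ev["host"], "reason": "known-bad domain", "value": ev["query"]})
        elif ev["type"] == "conn" and ev.get("dst") in pulse["ips"]:
            findings.append({"host": ev["host"], "reason": "known-bad IP", "value": ev["dst"]})
        elif ev["type"] == "file_change" and ev.get("path") in pulse["file_paths"]:
            findings.append({"host": ev["host"], "reason": "watched file modified", "value": ev["path"]})
    return findings


def high_transfer_hosts(events, threshold_bytes):
    """Custom query: sum outbound bytes per source host and keep those over the threshold."""
    totals = defaultdict(int)
    for ev in events:
        if ev["type"] == "conn":
            try:
                totals[ev["host"]] += int(ev.get("bytes_out", 0))
            except ValueError:
                pass  # malformed counter: ignore rather than abort the hunt
    return {host: total for host, total in totals.items() if total > threshold_bytes}


def suspicious_processes(events):
    """Assumed heuristic: executables launched from world-writable scratch directories."""
    return [
        {"host": ev["host"], "reason": "process from scratch dir", "value": ev["name"]}
        for ev in events
        if ev["type"] == "process" and ev.get("name", "").startswith(("/tmp/", "/dev/shm/"))
    ]


def hunt(lines, pulse, threshold_bytes=100 * 1024 * 1024):
    """Run all hunts and group the reasons per host so an analyst gets one view per system."""
    events = [parse_event(line) for line in lines]
    by_host = defaultdict(list)
    for f in match_iocs(events, pulse) + suspicious_processes(events):
        by_host[f["host"]].append(f"{f['reason']}: {f['value']}")
    for host, total in high_transfer_hosts(events, threshold_bytes).items():
        by_host[host].append(f"high outbound volume: {total} bytes")
    return dict(by_host)


if __name__ == "__main__":
    for host, reasons in hunt(SAMPLE_LOGS, PULSE).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Each hit is only a lead: the analyst still decides whether a watched file change or a large transfer is expected for that host, and the hits that hold up are what feed back into custom detection rules and alerts.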
Ultimately, threat hunting has no set process – it demands innovation, agility, and a proactive security mindset. Teams must evolve their strategies continuously to effectively detect, investigate and mitigate evolving cyber threats “Left of the Boom.”