SANS 2019 Threat Hunting Survey Shows SOCs Relying Too Much on SIEM Alerts


Lastline is a sponsor of the SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters. This year’s survey gathered data from 575 respondents, mostly from small/medium and medium/large organizations, who work in threat hunting or alongside threat hunters. The goal of the SANS report is to help organizations better understand what threat hunting is, why it is essential to protecting their organizations, and how threat hunters can improve their processes.

SANS cites obtaining tools and system data as a key area needing improvement for successful threat hunting. According to the SANS survey, “Organizations are still placing a strong reliance on SIEM alerts as their current go-to tool for threat hunting, as they did in 2018, largely due to the ease with which information can be acquired. While a SIEM may be the easier source or tool for organizations to obtain, it generally provides low value from a hunting perspective.”

[Chart: SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters]

The Shortcomings of SIEM Alerts

Lastline is seeing a large number of SOCs that have deployed SIEMs to perform event correlation between separate security controls in order to improve threat detection. However, this approach can miss threats and produce too many false positives, for a variety of reasons.

First, SIEMs require significant customization before they can accurately correlate events from across the network. Correlation directives also need to be updated frequently to match the changing network environment, and SOCs often lack the staff to make these necessary changes.

Second, correlation rules are unlikely to keep up with the sheer volume of new malware or to find unknown threats. This presents a huge gap, considering that AV-TEST, an independent research institute for IT security, reports that it registers over 350,000 new malicious programs every day.

Certainly, as the SANS chart above shows, organizations need additional data and tools, including ones focused on endpoint and network threat detection, to conduct a successful hunt. Lastline’s Network Detection and Response (NDR) can be a valuable source with its analysis of packets, NetFlow, metadata and files, using a variety of technologies such as Network Traffic Analysis (NTA), Intrusion Detection and Prevention Systems (IDPS) and Artifact Analysis.
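To illustrate what hunting over network metadata looks like in practice (an added example, not code from Lastline or the SANS report), the script below runs a beaconing hunt over constructed NetFlow-style records: it flags an internal host that contacts the same destination at near-constant intervals, behaviour for which a static SIEM correlation rule has no signature. The IP addresses, flow records and thresholds are all assumptions made up for the demonstration.

```python
"""Beaconing hunt over NetFlow-style records (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 contacts 203.0.113.7:443 roughly every 60 s (a beacon);
# 10.0.0.8 contacts 198.51.100.20:443 at irregular times (normal browsing);
# 10.0.0.9 has too few flows to judge.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 443), (61, "10.0.0.5", "203.0.113.7", 443),
    (119, "10.0.0.5", "203.0.113.7", 443), (181, "10.0.0.5", "203.0.113.7", 443),
    (240, "10.0.0.5", "203.0.113.7", 443), (302, "10.0.0.5", "203.0.113.7", 443),
    (359, "10.0.0.5", "203.0.113.7", 443), (420, "10.0.0.5", "203.0.113.7", 443),
    (5, "10.0.0.8", "198.51.100.20", 443), (12, "10.0.0.8", "198.51.100.20", 443),
    (90, "10.0.0.8", "198.51.100.20", 443), (95, "10.0.0.8", "198.51.100.20", 443),
    (300, "10.0.0.8", "198.51.100.20", 443), (310, "10.0.0.8", "198.51.100.20", 443),
    (500, "10.0.0.8", "198.51.100.20", 443),
    (100, "10.0.0.9", "203.0.113.7", 80), (160, "10.0.0.9", "203.0.113.7", 80),
]

def hunt_beacons(flows, min_flows=6, max_jitter=0.2):
    """Return (src, dst, port) groups whose inter-flow gaps are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps; a low
    value means near-constant timing. The thresholds are assumptions to tune per
    environment, not vendor or SANS recommendations."""
    times_by_conn = defaultdict(list)
    for ts, src, dst, port in flows:
        times_by_conn[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in times_by_conn.items():
        if len(times) < min_flows:
            continue  # too few samples to call the timing regular
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue  # all flows in the same second: a burst, not a beacon
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(times), "interval_s": round(avg_gap, 1),
                             "jitter": round(jitter, 3)})
    return findings

if __name__ == "__main__":
    for f in hunt_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['interval_s']}s ({f['count']} flows, jitter {f['jitter']})")
```

On real NetFlow exports the same grouping and gap statistics apply unchanged; the hunt's value is that it needs no prior knowledge of the malware family, only the timing behaviour in the metadata.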

Click here to download your free copy of the SANS 2019 Threat Hunting Survey: The Differing Needs of New and Experienced Hunters. You’ll get actionable advice to improve your threat hunting abilities, including:

  • Methodologies for performing threat hunting
  • Spending priorities and training needs
  • Tools and system data needed for a successful hunt
  • Effectiveness of hunting practices