I often quote Spaf who says "A system is good if it does what it's supposed to do, and secure if it doesn't do anything else." Making our systems secure requires a few things. We first have to know what the system is supposed to do, but that's usually not where things start with cybersecurity, probably because that's hard and it requires a bit of Know Thyself, at which we are terrible. Instead we start at "well, what do we know it's not supposed to do FOR SURE". Obviously, systems shouldn't be executing malware. Detecting malware by hash, signature, or known behavior is looking for that "known bad". This is not threat hunting. This is detection. This is putting up a most wanted list to catch criminals.
Enhance Security by Removing Limits
SIEMs have historically done well in helping organizations detect threats. Modern threat activity has shown, however, that tracking pre-selected data and relying on IOCs (indicators of compromise) isn't enough to protect businesses from attackers. Threat hunting, and going off the rails of "pre-fabbed search", are absolutely critical to defending organizations. You don't have to read very much Sun Tzu to learn the importance of "Know Thyself" and the defender's advantage. SIEMs have let us down in this area. Gravwell provides a solution that removes limits and puts you in control of what data you can collect and what questions you can ask.
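To make the distinction between "most wanted list" detection and "doesn't do anything else" hunting concrete, here is an added example (not Gravwell code, and not from the original post). It runs both approaches over a handful of constructed process-start events: the IOC matcher only finds what is already on its list, while the baseline hunt flags anything a host is not supposed to run, known hash or not. The hostnames, usernames, paths, hashes, and the baseline itself are all made up for illustration.

```python
"""Known-bad detection versus baseline-driven hunting over constructed
process-start events.  Added illustration, not Gravwell's code."""
from collections import defaultdict

# Constructed sample events, one per process start.  The sha256 values are
# placeholders, not real file hashes or malware indicators.
EVENTS = [
    {"host": "web01", "user": "www-data", "proc": "/usr/sbin/nginx",   "sha256": "PLACEHOLDER_HASH_1"},
    {"host": "web01", "user": "www-data", "proc": "/usr/bin/php-fpm",  "sha256": "PLACEHOLDER_HASH_2"},
    {"host": "web01", "user": "www-data", "proc": "/usr/bin/curl",     "sha256": "PLACEHOLDER_HASH_3"},
    {"host": "db01",  "user": "postgres", "proc": "/usr/lib/postgresql/bin/postgres", "sha256": "PLACEHOLDER_HASH_4"},
    {"host": "db01",  "user": "postgres", "proc": "/tmp/updater",      "sha256": "PLACEHOLDER_HASH_5"},
    {"host": "db01",  "user": "root",     "proc": "/usr/sbin/sshd",    "sha256": "PLACEHOLDER_HASH_6"},
]

# Constructed "most wanted list": the one hash an IOC feed happens to know.
IOC_HASHES = {"PLACEHOLDER_HASH_5"}

# Constructed baseline: what each host is supposed to run, per user.
# This is the "Know Thyself" part; it has to come from the defender.
BASELINE = {
    "web01": {"www-data": {"/usr/sbin/nginx", "/usr/bin/php-fpm"}},
    "db01":  {"postgres": {"/usr/lib/postgresql/bin/postgres"},
              "root":     {"/usr/sbin/sshd"}},
}


def detect_known_bad(events, ioc_hashes):
    """Detection: match each event against the IOC list.
    Only finds things that are already on the list."""
    return [e for e in events if e["sha256"] in ioc_hashes]


def hunt_baseline_deviations(events, baseline):
    """Hunting: flag anything the system is not supposed to do.
    An unknown host/user pair, or a binary outside the allowed set for that
    pair, is a deviation regardless of whether anyone has a hash for it."""
    findings = []
    for e in events:
        allowed = baseline.get(e["host"], {}).get(e["user"])
        if allowed is None or e["proc"] not in allowed:
            findings.append(e)
    return findings


def summarize(findings):
    """Group findings by host so an analyst can triage them per system."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f["proc"])
    return dict(per_host)


if __name__ == "__main__":
    print("IOC detection  :", [e["proc"] for e in detect_known_bad(EVENTS, IOC_HASHES)])
    print("Baseline hunt  :", summarize(hunt_baseline_deviations(EVENTS, BASELINE)))
```

The IOC pass returns only `/tmp/updater`. The baseline hunt returns that too, but also `/usr/bin/curl` running as the web server user, which no indicator feed would have flagged because nothing about it is "known bad"; it is simply not something that host is supposed to do. That gap is the point: the hunt is only as good as the baseline, and building the baseline is the work the post says defenders tend to skip.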