I Thought I Saw a |-|4><0.- presented at BSides Amsterdam 2017

by Thomas Fischer

Summary: Threat hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does that really mean? And what real impact does it have on the security team? Threat hunting looks at the mountain of security data already being produced daily by traditional monitoring solutions such as NetFlow data, firewall events and logs. Add endpoint data, and the number of events to review explodes exponentially. The claim, from various vendors, is that the additional data provides greater visibility, but for whom? Traditional incident detection doesn't necessarily take endpoint events into consideration. Building a threat hunting activity scoped to start with endpoint data can significantly change the game. This talk is a journey of my experience diving into threat hunting and will cover the principles of threat hunting as a foundation, examine the challenges of working with the large datasets that endpoint data can generate, and analyse some of the tools claiming to ease this burden.