I THOUGHT I SAW A |-|4><0.- presented at BSidesLisbon 2017

by Thomas Fischer

Summary: Threat Hunting refers to proactively and iteratively searching through networks or datasets to detect and respond to advanced threats that evade traditional rule- or signature-based security solutions. But what does that really mean? And what real impact does it have on the security team?

Threat hunting looks at a mountain of security data already being produced daily by traditional monitoring solutions, such as NetFlow data, firewall events and logs. Now include endpoint data and the events to review explode exponentially. The claim, from various vendors, is that the additional data provides greater visibility, but for whom? Traditional incident detection doesn't necessarily take endpoint events into consideration. Building a threat hunting activity scoped to start with endpoint data can significantly change the game.

This talk is a journey into how to dive into threat hunting. It will cover the principles of threat hunting as a foundation, while examining the challenges of working with the large datasets that endpoint data can generate, and analyse some of the tools claiming to ease this burden, including machine learning.