Should we do a 3rd party threat hunting exercise other than SOC team?

This is being posted on behalf of Rejo Thomas, CISO, Exide Life Insurance.

Should we do a 3rd party threat hunting exercise other than SOC team?

Views: 94

Reply to This

Replies to This Discussion

Yes,can be done on sample basis or for critical setups.
Threat hunting is a continuous activity to be done by SOC team. And as a checker third party TH can also be done for select apps / setups to check the quality and effectiveness of the job done by SOC team.


Threat hunting and SOC should be seen as separate areas. In my mind, a SOC is mandatory for all but the smallest organization and even the smallest should look at using a 3rd party SOC provider as a lower cost option than hiring teams of people. 

A SOC should be monitoring and analyzing your organization's security posture on an ongoing basis, preferably 24*7. Whereas threat hunting is a sporadic activity, searching through networks to detect and isolate advanced threats, similar to vulnerability scanning, that feeds results into a GRC process for resolution.

A threat hunting team is often a function of a SOC team. So possibly when the analysts' arent looking into events they could be threat hunting however typically these are seen as separate teams with similar but different skills. 


Strengthening security is a continuous process. SOC team has to any way cover threat hunting as part of their routine activity. 3rd party threat exercise is always good, however it will attract additional cost so decision can be based on some of the factors given below:

a. how critical data/systems being processed

b. how susceptible is current security architecture/posture to external threats

c. types of incidents that has taken place in the past - whether they could have identified by the SOC team?

d. knowledge/competency level of the SOC team in the threat hunting area 

There's no one good way,. Depending on your company's risk profile, you may need a full team of specialists, or you could be just in a managed service mode, or then a combination of the two. One thing that I have repeatedly seen is that it is not the company or service provider, but an individual with the right motivation that will perceive and hunt down relevant threats pertinent to your organisation.

I agree with Benni. While the SOC team can do the Threat Hunting tasks, the best outcome will be when the person performing the Threat Hunting is motivated enough to identify and highlight the pertinent threats.

SOC can perform threat hunting but generally that will be reactive in nature as SOC will only initiate a hunt post detecting an alert. 

Performing threat hunting from third party will help organisation to be more proactive to hunt the threats in scenarios identified as area of concerns. Such scenarios can be identified by SOC by regular monitoring so making it a continuous threat detection process.


© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service