• SOC can perform threat hunting but generally that will be reactive in nature as SOC will only initiate a hunt post detecting an alert. 

    Performing threat hunting from third party will help organisation to be more proactive to hunt the threats in scenarios identified as area of concerns. Such scenarios can be identified by SOC by regular monitoring so making it a continuous threat detection process.

  • I agree with Benni. While the SOC team can do the Threat Hunting tasks, the best outcome will be when the person performing the Threat Hunting is motivated enough to identify and highlight the pertinent threats.
  • There's no one good way,. Depending on your company's risk profile, you may need a full team of specialists, or you could be just in a managed service mode, or then a combination of the two. One thing that I have repeatedly seen is that it is not the company or service provider, but an individual with the right motivation that will perceive and hunt down relevant threats pertinent to your organisation.

  • Strengthening security is a continuous process. SOC team has to any way cover threat hunting as part of their routine activity. 3rd party threat exercise is always good, however it will attract additional cost so decision can be based on some of the factors given below:

    a. how critical data/systems being processed

    b. how susceptible is current security architecture/posture to external threats

    c. types of incidents that has taken place in the past - whether they could have identified by the SOC team?

    d. knowledge/competency level of the SOC team in the threat hunting area 

  • Threat hunting is a continuous activity to be done by SOC team. And as a checker third party TH can also be done for select apps / setups to check the quality and effectiveness of the job done by SOC team.
  • Yes,can be done on sample basis or for critical setups.
This reply was deleted.