Social Network For Security Executives: Help Make Right Cyber Security Decisions
Threat hunting and SOC should be seen as separate areas. In my mind, a SOC is mandatory for all but the smallest organization, and even the smallest should look at using a third-party SOC provider as a lower-cost option than hiring teams of people.
A SOC should be monitoring and analyzing your organization's security posture on an ongoing basis, preferably 24x7. Threat hunting, on the other hand, is a sporadic activity: searching through networks to detect and isolate advanced threats, similar to vulnerability scanning, that feeds its results into a GRC process for resolution.
A threat hunting team is often a function of a SOC team, so possibly when the analysts aren't looking into events they could be threat hunting; however, typically these are seen as separate teams with similar but different skills.
Strengthening security is a continuous process. The SOC team has to cover threat hunting anyway as part of its routine activity. A third-party threat exercise is always good; however, it will attract additional cost, so the decision can be based on some of the factors given below:
a. how critical the data/systems being processed are
b. how susceptible the current security architecture/posture is to external threats
c. the types of incidents that have taken place in the past, and whether they could have been identified by the SOC team
d. the knowledge/competency level of the SOC team in the threat hunting area
There's no one good way. Depending on your company's risk profile, you may need a full team of specialists, or you could be just in a managed service mode, or a combination of the two. One thing that I have repeatedly seen is that it is not the company or service provider, but an individual with the right motivation, that will perceive and hunt down relevant threats pertinent to your organisation.
A SOC can perform threat hunting, but generally that will be reactive in nature, as the SOC will only initiate a hunt after detecting an alert.
Having threat hunting performed by a third party will help the organisation be more proactive in hunting threats in scenarios identified as areas of concern. Such scenarios can be identified by the SOC through regular monitoring, making it a continuous threat detection process.