From Chasing Alerts to Hunting Threats: What Makes an Effective SOC is Evolving

Whether you call it a SOC, a CSOC, a Cyber Defense Center, or something else, security operations centers have the same fundamental mission – to help organizations detect, analyze, respond to, report on, and prevent cyber security incidents. But what it takes to do that effectively has changed in this ever-evolving threat landscape, putting an even greater burden on analysts and the technologies they rely upon.

Many SOCs take a reactive approach and provide a set of standard services that include log management, real-time monitoring, and incident response and investigation. They use traditional SIEMs that gather log data from internal sources, conduct correlations, and run simple, real-time, rules-based analytics to detect known threats. When an alert is triggered, they investigate. For a while this level of service was sufficient. But as attacks have become more sophisticated it is evident that a lot of malicious activity occurs below the radar without generating obvious log data – think zero-days and targeted malware. This means that traditional attack detection has become less successful.

As the number of successful breaches continues to rise and attackers remain active and undetected for weeks, months, or even longer, it’s no longer enough to investigate alerts. Knowing it is impossible to detect and block every attack, SOC analysts now must also take a proactive approach to protect company assets, seeking out active threats and breached systems. Threat hunting focuses on proactively finding threats that get inside the network. It requires deep inspection of potentially breached systems and looking across wide ranges of historical data to find malicious activity not identified by traditional alerting mechanisms.

Engaging in threat hunting

Threat hunting campaigns involve a wide range of tools and skills. If you find evidence of a possible breach, you can investigate that system to determine what happened, how it happened, and other systems that also may have been affected so that you can contain and remediate the attack. Unfortunately, manual hunting campaigns can require a huge amount of effort with a limited chance of finding anything. While it can be very satisfying to find something that had been missed, without the proper technology to do something about it, it can be time and money wasted.

Thankfully, advances in security analytics technology and threat intelligence are helping to make the best use of limited analyst resources for more effective campaigns. There are two ways these technologies can help: by focusing hunts on assets that are more likely to have been breached, and by reevaluating past events in light of the latest threat intelligence. 

Hunting for breached systems

As most SOC analysts know, in many cases you will hear about attacks by word-of-mouth from a normal user reporting ‘something looks weird,’ rather than through a SIEM alert. Advanced attacks frequently avoid setting off the obvious alarms, but they will likely still leave evidence that something is amiss. Breached systems just don’t behave like they used to. But relying on people to identify unusual activity isn’t adequate and doesn’t scale in today’s threat landscape.


That’s where advanced analytics come in. Proactively finding and thoroughly investigating a potentially breached system takes time, effort, and skill – all at a premium in most organizations. Advanced analytics can help identify where to hunt, based on finding anomalies that may indicate a breach. Systems that suddenly deviate from their normal baselines may be running new, unknown processes, sending out large amounts of information to untrusted networks, or communicating with geographies that fall outside typical business practices. Each of these anomalies may be innocent or may point to a potentially compromised system. To find such anomalies, most successful hunting campaigns start with a combination of analytics working together: statistical analytics to identify outliers, and machine learning algorithms to evaluate those outliers and see whether they resemble something known to be bad. Based on this analysis, systems with a higher probability of having been breached can then be thoroughly investigated.

Reevaluating the past

Threat hunting also includes looking for threats you might have missed by examining your historical data. To overcome the limitations of traditional SIEMs, threat hunting uses newer platforms based on big data to collect, manage, and analyze massive volumes of data from a variety of internal and external sources over long periods of time. Where real-time analytics may have missed something the first time around, big data systems can be used to examine the potentially huge backlog of logs and other data sources available to you. This has the advantage of hindsight, providing you with the ability to reevaluate data by reapplying analytics using the latest threat intelligence. For example, potentially malicious connections to a command-and-control infrastructure may have gone unnoticed given the information available at the time. With updated threat intelligence run against historical network-communication metadata, an analyst may be able to retrospectively identify an attack.
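The two approaches above in miniature, as an added example that is not part of the original column: a leave-one-out z-score over each host's daily outbound volume picks where to hunt (the statistical stage), and a rerun of updated command-and-control intelligence over the same historical metadata surfaces what was missed at the time (the hindsight stage). The host names, destination addresses and intel set are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of historical outbound-connection metadata, one tuple per
# connection: (host, day, destination_ip, bytes_out). Made-up TEST-NET values.
CONNECTIONS = [
    ("ws-01", 1, "203.0.113.10", 10_000), ("ws-01", 2, "203.0.113.10", 11_000),
    ("ws-01", 3, "203.0.113.10", 9_500), ("ws-01", 4, "203.0.113.10", 10_500),
    ("ws-01", 5, "203.0.113.10", 400_000), ("ws-01", 5, "203.0.113.99", 500_000),
    ("ws-03", 1, "203.0.113.10", 8_000), ("ws-03", 2, "203.0.113.10", 8_500),
    ("ws-03", 3, "198.51.100.7", 1_200),
]
# Constructed "updated" intel: a C2 address that became known only after day 3.
UPDATED_C2_INTEL = {"198.51.100.7"}

def daily_outbound(conns):
    """Total bytes_out per host per day: the metadata the baseline is built on."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, _dst, nbytes in conns:
        totals[host][day] += nbytes
    return totals

def baseline_outliers(conns, z_threshold=3.0):
    """Stage 1 (statistical): flag days whose outbound volume is far above the host's
    own history. Each day is scored against the *other* days, so a spike cannot inflate
    the baseline it is compared against."""
    hits = []
    for host, by_day in daily_outbound(conns).items():
        for day, volume in sorted(by_day.items()):
            others = [v for d, v in by_day.items() if d != day]
            if len(others) < 2:      # too little history for a baseline
                continue
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:           # flat history: any increase is an outlier
                z = 0.0 if volume <= mu else float("inf")
            else:
                z = (volume - mu) / sigma
            if z > z_threshold:
                hits.append((host, day, volume, round(z, 1)))
    return hits

def retro_ioc_hits(conns, intel):
    """Stage 2 (hindsight): rerun current intel over historical metadata."""
    return sorted((h, d, dst) for h, d, dst, _ in conns if dst in intel)

def hunt_candidates(conns, intel, z_threshold=3.0):
    """Hosts from either stage that merit a deep-dive investigation."""
    hosts = {h for h, *_ in baseline_outliers(conns, z_threshold)}
    hosts |= {h for h, *_ in retro_ioc_hits(conns, intel)}
    return sorted(hosts)
```

Note that the day-3 connection from ws-03 is tiny and would never trip a volume baseline; it is found only because the intel is reapplied to history, which is the point of the hindsight stage.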

Whether you’re proactively looking for breached systems or reevaluating past events, the goal is to increase your odds for a successful hunting campaign. Big data platforms; real-time global threat intelligence; and a complement of rules-based, statistical, and machine-learning analytics all help lighten the burden on analysts. These technologies must work together and incorporate analysts’ insight and knowledge of their environment for a much more fruitful hunting expedition. With the ability to shift from chasing alerts to hunting threats, SOCs can evolve to be more proactive – and effective – in the face of advanced attacks.
