Our threat hunt deployments are data-driven. This division follows a directive known as a collection management framework (CMF). The CMF directive states that the assets most critical to the business must be identified first; this is done through Crown Jewel Analysis.
From this point, performance data, metrics connected to security triggers, log data from the Security Information and Event Management (SIEM) platform, and historical data from assets that have been compromised in the past should be pipelined into a central location for immediate retrieval.
The last part of this process is the selection of data sources from one or more threat intelligence providers, at which point the data is cleansed and normalized so that the threat hunter can correlate threat intelligence with business risk and recognized vulnerabilities and security gaps, and map these to a possible threat profile or threat group.
This division is responsible for selecting the data sources and the tools that will correlate threat intelligence with the realized security gaps within the enterprise networks, and for architecting the appropriate big data solution (data lake, data warehouse or data mart) to facilitate the threat hunting deployment.
This is an iterative and rigorous process that ensures we have a complete picture of the threats currently present in the enterprise that have evaded rule-based detection, in addition to threats that we determine pose a clear and present danger to our clients in the near future (3 months at the very least).
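As an added example, not the division's own tooling: the cleanse, normalize and correlate step described above, in Python, joining intelligence from two providers with different schemas against Crown Jewel assets and their known gaps to produce a ranked threat profile. All asset names, provider field names and CVE-XXXX identifiers are constructed placeholders.

```python
from collections import defaultdict

# Constructed Crown Jewel Analysis output: criticality (1-5) and open vulnerability gaps
CROWN_JEWELS = {
    "erp-db-01":  {"criticality": 5, "gaps": {"CVE-XXXX-0001", "CVE-XXXX-0002"}},
    "web-portal": {"criticality": 3, "gaps": {"CVE-XXXX-0003"}},
    "hr-share":   {"criticality": 2, "gaps": set()},
}

# Constructed raw feeds from two hypothetical providers; note the differing schemas
PROVIDER_A = [{"cve_id": "cve-xxxx-0001", "actor": "GROUP-ALPHA", "conf": 80},
              {"cve_id": "CVE-XXXX-0003", "actor": "GROUP-BETA", "conf": 40}]
PROVIDER_B = [{"vuln": "CVE-XXXX-0001 ", "threat_group": "group-alpha", "confidence": "high"},
              {"vuln": "CVE-XXXX-0009", "threat_group": "group-gamma", "confidence": "low"}]

CONF_WORDS = {"high": 90, "medium": 60, "low": 30}  # assumed mapping for worded confidence


def normalize(feed, cve_key, group_key, conf_key):
    """Cleanse one provider's records into the common (cve, group, confidence) schema."""
    out = []
    for rec in feed:
        conf = rec[conf_key]
        if isinstance(conf, str):
            conf = CONF_WORDS.get(conf.lower(), 0)  # unknown wording scores zero
        out.append({"cve": rec[cve_key].strip().upper(),
                    "group": rec[group_key].strip().upper(),
                    "confidence": int(conf)})
    return out


def correlate(assets, intel):
    """Map normalized intel onto each asset's gaps; score = criticality x best confidence per gap."""
    by_cve = defaultdict(list)
    for rec in intel:
        by_cve[rec["cve"]].append(rec)
    ranked = []
    for name, asset in assets.items():
        score, groups = 0, set()
        for cve in asset["gaps"]:
            hits = by_cve.get(cve, [])
            if hits:  # a gap with no intelligence behind it adds nothing to the score
                score += asset["criticality"] * max(h["confidence"] for h in hits)
                groups.update(h["group"] for h in hits)
        ranked.append({"asset": name, "score": score, "groups": sorted(groups)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def threat_profile():
    """Run the full CMF step: normalize both feeds, then correlate against the crown jewels."""
    intel = (normalize(PROVIDER_A, "cve_id", "actor", "conf")
             + normalize(PROVIDER_B, "vuln", "threat_group", "confidence"))
    return correlate(CROWN_JEWELS, intel)
```

The ranked output is the starting point for a hunt: the top asset carries both the highest criticality and intelligence from two providers attributing its open gap to the same group.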