Submitted by Style Pass, 2024-10-14 14:30:05

Over the years, we have assisted countless organizations in handling compromises. Surprisingly, many of these breaches are discovered by what I would call "luck." Often, during a routine investigation, something unusual catches an analyst's attention elsewhere, and that is when they realize they have been hacked. The familiar story goes: "while looking for A, I tripped over B, which should not be there, and found C on the floor, showing we have been hacked." In other cases, the breach is not detected internally at all; external parties, such as law enforcement or even the attackers themselves demanding a ransom, are the ones who inform the organization. This can happen even in companies with significant infosec budgets and "cutting-edge" (aka expensive) security tools. To stay ahead of such scenarios, we recommend adopting a practice known as "exploratory" or "unstructured" threat hunting. This means dedicating time each day or week for you or your analysts to start with a clean slate and actively search for anomalies, suspicious behaviors, or subtle indicators of compromise. Threat hunting can also be initiated following an alert from a security product such as an IDS/IPS or WAF, but in this article we will focus on the exploratory hunt, where you start from zero.

Before you can do any threat hunting, you need to have the basics done right. What are the basics? First, your systems must be properly updated, all your devices accounted for (that is, a systems inventory), and all your logs sent to a centralized place for analysis. Without these, your threat hunting will be incomplete, because data that could be relevant to the hunt will simply be missing. These are some of the items you need to have in place before you start your threat hunting:
