Recently I discussed a potential vCISO engagement with a mid-size restaurant chain (500+ locations). They asked about our experience with, and our thoughts on, “threat hunting.” Threat hunting is loosely defined as “proactive incident response”—actively looking for new threats before traditional intrusion detection methods can find them.
Maybe it was because it was late on a Friday afternoon… or it might’ve been my recent trip to Napa Valley, but my answer was a bit flippant:
“Threat hunting is a lot like Pinot Noir—you can’t afford what you really want to have.”
Fortunately for me the CIO was a serious wine guy. He started to laugh and then built on my response (I’ll paraphrase):
“I know exactly what you mean. I love a good Pinot, but the ones that I can afford to drink on a regular basis are not the ones that I want to drink, and every time I try to ‘cheat down’ in cost I end up disappointed.”
We ended up agreeing that threat hunting is the latest in a long line of technologies that promise to make us all secure, but ultimately cost too much in dollars and resources to provide the value we are all looking for; e.g., public key infrastructure (PKI), intrusion detection/intrusion prevention systems (IDS/IPS), security information and event management (SIEM), etc.
We likewise agreed that a more fundamentally sound policy- and process-based approach to building their cybersecurity program would yield a better result.
When I was young my grandmother used to say to me: “Your problem is that you have caviar taste on a tuna fish budget!” I guess she was right…