In a world of constantly evolving cyber threats, honing both reactive and proactive strategies is essential to prepare for unexpected security compromises.
In the recent webinar, Inside Our Command Center: A Live Look at Cyber Threat Hunting, Difenda highlighted how it utilizes a proactive threat-hunting plan that leverages the best tools to fight cyber threats through a combination of team member expertise, data planning, and AI assistance.
Difenda’s approach is a framework that prioritizes 24/7 threat detection, real-time monitoring, and reactive response services. These elements work alongside a proactive threat-hunting maturity model so that analysts spend less time triaging routine alerts and more time finding and containing compromises.
During the webinar, Kyle Link, Architect of Cyber Research & Response at Difenda, addressed pre-submitted questions about how Difenda’s new automation integration and successful threat-hunting planning intersect.
What are some use cases for Copilot for Security, and can it detect any ransomware infections?
In his answer, Kyle acknowledged how strong Microsoft’s built-in protections are, but also stressed that they still miss things, which is why Difenda has been developing its own detection content for its customers.
“We’ve developed quite a collection of custom detection rules to add an additional layer of protection to your existing security solutions,” Kyle said. “So Microsoft’s built-in protections are amazing, but there are things that are missed, right? Common legitimate tool abuse, things like that.”
What are the requirements regarding infrastructure? Can it work locally on a SecOps Analyst’s desktop, or does it require Microsoft Sentinel Azure?
“Threat hunting can be performed in tons of different forms. Our customers rely on tooling from the Microsoft Security Suite, as do we, as part of our threat-hunting program. But it’s basically built to scale against SIEM data or endpoint data. So this could include cloud data, CASB, email.”
Turning to Copilot, Kyle mentioned that Microsoft already has tons of different plugins to customize the experience for customers.
“As for if this question was about Copilot for Security, there are tons of different plugins that Microsoft’s already published. We love the external attack surface reduction or management, as well as Defender for Threat Intel, Defender XDR, and Microsoft Sentinel. And there’s one called natural language to KQL, where you can basically ask the AI, like, ‘Hey, I want to hunt for Telegram API usage,’ and it will spit out a query.”
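As an added illustration of what the natural-language-to-KQL plugin is expected to produce for a prompt like the one above, here is a Defender XDR advanced hunting query for Telegram Bot API usage. This is example code written for this recap, not a query from the webinar or from Difenda; the table and column names come from the Defender DeviceNetworkEvents schema, while the 7-day lookback, the excluded desktop client and the list of scripting hosts flagged as suspicious are assumptions to tune for your own fleet.

```kql
// Added example: hunt for endpoints talking to the Telegram Bot API.
// Assumption: 7-day lookback; raise or lower to match your retention.
let lookback = 7d;
let telegramHosts = dynamic(["api.telegram.org", "core.telegram.org"]);
// Assumption: the official desktop client is expected on some machines and is
// excluded so that the results focus on other processes using the API.
let expectedClients = dynamic(["Telegram.exe"]);
// Assumption: scripting and LOLBin hosts reaching the Bot API are the
// "legitimate tool abuse" case worth escalating first.
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "python.exe", "curl.exe",
                           "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteUrl has_any (telegramHosts) or RemoteUrl endswith ".telegram.org"
| where InitiatingProcessFileName !in~ (expectedClients)
| extend ScriptHost = InitiatingProcessFileName in~ (scriptHosts)
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Urls = make_set(RemoteUrl, 20),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessFolderPath, InitiatingProcessSHA256, ScriptHost
| order by ScriptHost desc, Connections desc
```

The same table is available in Microsoft Sentinel when the Defender XDR connector is enabled, so the query runs unchanged there. Two caveats: RemoteUrl is only populated when the endpoint resolved the name itself, so connections made by IP will not match and should be hunted separately, and the summarized command lines are what turn a hit into an actionable finding (a bot token in a curl command line is a very different conversation from a packaged integration).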
Kyle also spotlighted plugins from non-Microsoft providers that integrate Copilot with the tools teams already run.
“There are also tons of plugins published by non-Microsoft providers. There’s one that we’ve played with quite a bit, Copilot for Security for ServiceNow.”
Another notable mention in Kyle’s answer was Azure AI, which Difenda is already using in a proof of concept of its own.
“Most of the solutions are built in the cloud. It is possible to use a tool like Azure AI to build custom chat flows or something that you can consume at an endpoint. We use a similar proof of concept right now, where you’re basically asking an Azure AI chatbot questions about threat intelligence via PowerShell,” said Kyle.
Can threat hunting help deal with false positives in Sentinel or Defender? How do you reduce false positives?
“So as part of just daily operations and good cyber hygiene, as alerts are generated, your team should be reviewing them, deciding whether they are false positives,” said Kyle. “If they’re true positives, handle it, but then suggest refinements.”
On the topic of reducing false positives, Kyle pointed out that detections built to cover every environment will need tuning to fit a specific one.
“Detections from Microsoft or any security solution provider, they’re built in a way that is supposed to be covering all environments. Yours is specific, so you need to tweak and tune as you see fit. Threat hunting can help you predict and eliminate some of these false positives proactively.”
How does Copilot change threat hunting? How does it work, and how does it differ from regular threat hunting?
Kyle relayed that the innovation with Copilot isn’t in changing what threat hunting is, but in enabling better hunts by acting as a capable assistant.
“I think that’s where the strengths lie for Copilot for Security. Before it was, I read a report. I take what’s actionable, I establish if I can hunt it, I write a hunting query, I execute it, I evaluate, I refine, I report, I do it again. Rather than having to take each individual report, we can aggregate it and it will tell me why I should care.”
In Kyle’s opinion, Copilot is not meant to replace the security operations center but to act as a helper to the hunter, with a skill set of its own.
“Copilot is your Copilot, it’s not your SOC.”
How do you collaborate with internal security teams with your customers?
Fielding this question from the live chat, Kyle answered by first emphasizing the importance of a centralized knowledge base, which allows collaboration with customers.
“I think it’s a great question. I think building a centralized knowledge base is important,” said Kyle. “Something that you can collaboratively work on with your customers, that could be specific to alerts.”
Kyle also pointed to established escalation channels as a second way of collaborating with internal teams.
“Having established escalation channels is super important to work through these security incidents with our customers,” said Kyle. “Different needs, different teams. Some of our customers have sub-teams within their teams where we need to route alerts, but I think having that centralized point of truth is important.”
Lastly, Kyle brought these ideas together in the context of how automation can make coordinating these processes much smoother.
“That’s something that can be implemented with the help of automation,” Kyle said. “We coordinate with our customer’s security team, and we have a technical account manager who would ensure we’re hunting all the relevant data. We take into consideration different technology and processes that are there at our customer’s end as well.”