Enterprise Detection & Response: A Simple Hunting Maturity Model Logo

Enterprise Detection & Response: A Simple Hunting Maturity Model

0
Free
Visit Website

A Simple Hunting Maturity Model UPDATE 2015-10-15: I received some questions about the roles of automation in HMM0 and HMM4, which I addressed in a new section. Also, I named the levels to make them easier to reference. It's been conference season for me lately. I've attended several in the last few months, and most of them have had at least a few sessions on "hunting". Since that's a research interest of mine, of course I attended all of them that I could possibly fit into my schedule. I've gotten some great ideas from these presentations, and have begun to notice some patterns in what's being presented. I've also spoken with a number of people at the conferences who have made some variation of the remark, "Sure, we'd like to hunt, but how do we figure out where to start?" Recently, I had the opportunity to discuss with my colleagues the common types of activities that a security team does, and how they relate to hunting. I drew from the presentations I've seen and the conversations I've had to make some generalizations about the different levels of capability within hunting organizations I've encountered. These were literally just some bullet points on a whiteboard, but one of my colleagues said something along the lines of "That's kind of like a maturity model" and that got me to thinking. I realized that I had never actually seen anything like that, but I thought it was an interesting idea.

FEATURES

ALTERNATIVES

Stronghold is the easiest way to securely configure your Mac.

Dispatch helps manage security incidents by integrating with existing tools and automating incident response tasks.

A modular incident response framework in Powershell that uses Powershell Remoting to collect data for incident response and breach hunts.

Fabric Platform is a cybersecurity reporting solution that automates and standardizes report generation, offering a private-cloud platform, open-source tools, and community-supported templates.

Companion repository for deploying osquery in a production environment with tailored query packs.

Dropzone AI is an autonomous AI agent for SOCs that performs end-to-end investigations of security alerts, integrating with existing cybersecurity tools and data sources.

A System for Abuse- and Incident Handling with log file analysis capabilities.

Tool to disable vulnerable features in Windows and popular applications for enhanced security.