T. Rowe Price’s Matthew Winters on Threat Hunting as the Scientific Method
Show Notes
In our latest episode of the Future of Threat Intelligence podcast, David speaks with Matthew Winters, Lead Threat Hunter at T. Rowe Price. Matthew shares his unconventional journey into cybersecurity, highlighting the soft skills and creativity he has picked up along the way and why they matter in threat hunting.
He explains that threat hunting is akin to applying the scientific method to networks, starting with hypotheses rather than alerts. Matthew and David also explore the critical role of threat intelligence in shaping effective hunting strategies and the essential skills needed to build a successful threat hunting team. Tune in for valuable insights on enhancing your cybersecurity posture!
Topics discussed:
- Threat hunting as applying the scientific method, starting with hypotheses instead of relying solely on alerts.
- The importance of threat intelligence as a foundational element for effective threat hunting and proactive defense strategies.
- Key skills for threat hunters include technical knowledge, creativity, and the ability to reassess and redefine problem statements.
- A hybrid approach to data analysis is recommended, utilizing both network and endpoint data for comprehensive threat visibility.
- The challenges of measuring threat hunting effectiveness, and suggestions for metrics like defenses created and impact on adversaries.
Key Takeaways:
- Explore veteran programs to facilitate career transitions into cybersecurity, leveraging the unique skills and experiences of military personnel.
- Adopt the scientific method in threat hunting by formulating hypotheses before analyzing data, ensuring a structured approach to investigations.
- Utilize threat intelligence to inform your threat hunting strategies, focusing on real-world adversary behaviors and techniques relevant to your organization.
- Encourage creativity within your team by identifying individuals with a "MacGyver Drive" who can think outside the box to solve complex problems.
- Implement a hybrid data analysis approach by integrating both network and endpoint data to gain comprehensive visibility into potential threats.
- Define clear boundaries between threat hunting, incident response, and red teaming to maintain focus and effectiveness in each discipline.
- Measure the effectiveness of your threat hunting program by tracking metrics such as defenses created and the impact on adversaries.
- Foster a culture of continuous learning within your threat hunting team to enhance skills and adapt to evolving cybersecurity challenges.
- Leverage tools like graph databases to analyze relationships between threats and improve the precision of your hunting efforts.
- Challenge your team to reassess problem statements regularly, ensuring they are asking the right questions to drive effective threat hunting.
Quotes from Episode
#1.) "If you're hunting based off of a technique, you're going to look at pretty much all the logs you can within reason going backwards. So you can answer the question, has it ever affected us? In order to understand whether or not you should even be doing it, you have to answer the question, how are we stationed against it and protected against it now? And then at the end of it, you have a good takeaway of this is what we need to do to better defend against it. So you can take that whole thing, package it up, and bring it to decision makers and say, 'hey, the next time you read about this technique in the front paper, one, this is whether or not it's ever to impact us.'" (2:37-3:11)