Splunk's Security Strategist on Building Effective Threat Hunting Programs
In my recent conversation with David Bianco, Staff Security Strategist at Splunk, on The Future of Threat Intelligence Podcast, we dug into something that's become increasingly critical in cybersecurity: the distinction between threat hunting and red teaming. His insights, drawn from over 15 years of hands-on experience working with Fortune 500 companies, offer practical value for security teams looking to strengthen their detection capabilities.
What stood out in our discussion was David's clear breakdown of how threat hunting and red teaming, while both proactive security measures, serve different but complementary purposes in an organization's security strategy.
Let me share three key points from our conversation that security teams can put into practice:
1. Understanding the Distinct Roles of Red Teams and Threat Hunters
David explained it well: red teams and threat hunters both work to improve security, but they approach it from opposite directions. Red teams emulate adversaries to find weaknesses in your systems before a real attacker does, while threat hunters search your existing telemetry for evidence that an adversary is already inside.
What makes this powerful is how they can work together. Your red team can create specific security incidents that help validate your threat hunting approach. As David puts it: "The real purpose of threat hunting is not actually to find new security incidents... it's to increase your ability to find new security incidents via automated detections later."
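To make the red-team/hunter loop concrete, here is an added example (written for this post, not code from David Bianco, Splunk or the podcast). It walks one hunt hypothesis, "an attacker who lands via a malicious document spawns a shell from an Office process", through the two stages the quote describes: first the hunter stacks parent/child process pairs in a small set of constructed process-creation events to surface rare combinations, then the finding is codified as an automated detection, and the detection is validated against an event the red team generated on purpose. All hostnames, process names and the encoded command line are hypothetical sample data.

```python
"""Added example: a hunt that becomes an automated detection.

Hunting step: frequency analysis ("stacking") of parent->child process pairs;
the rare pairs are what a hunter reviews by hand.
Detection step: the confirmed finding codified so it runs on every new event.
Validation: a red-team generated incident must trigger the detection, and
the benign baseline must not.
"""
from collections import Counter

# Constructed sample process-creation events (hypothetical hosts, not real data).
EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "child": "outlook.exe"},
    {"host": "ws01", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "ws02", "parent": "explorer.exe", "child": "winword.exe"},
    {"host": "ws03", "parent": "explorer.exe", "child": "chrome.exe"},
    {"host": "ws02", "parent": "services.exe", "child": "svchost.exe"},
    {"host": "ws03", "parent": "services.exe", "child": "svchost.exe"},
    # Red-team generated incident: a macro in a document spawns PowerShell.
    {"host": "ws02", "parent": "winword.exe", "child": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def stack_parent_child(events):
    """Hunting step: count each (parent, child) pair, rarest first."""
    counts = Counter((e["parent"].lower(), e["child"].lower()) for e in events)
    return sorted(counts.items(), key=lambda kv: kv[1])


def rare_pairs(events, max_count=1):
    """Pairs seen at most max_count times: the hunter's review queue."""
    return [pair for pair, n in stack_parent_child(events) if n <= max_count]


def office_spawns_shell(event):
    """Detection step: the hunt finding expressed as a reusable rule."""
    return (event["parent"].lower() in OFFICE_APPS
            and event["child"].lower() in SHELLS)


def validate_detection(events):
    """Run the rule over all events and return the ones it fires on.

    With the red-team event present this should be exactly one hit; with it
    removed it should be none, which is the false-positive check.
    """
    return [e for e in events if office_spawns_shell(e)]


if __name__ == "__main__":
    for pair in rare_pairs(EVENTS):
        print("rare pair for review:", pair)
    for hit in validate_detection(EVENTS):
        print("detection fired on host", hit["host"], hit.get("cmdline", ""))
```

The point of the red-team event is not that it was hard to find here; it is that it proves the whole path works: the telemetry is collected, the hunt surfaces it, and the codified rule fires on it. In a real environment the rule would be run against a longer baseline first, since some business processes do spawn scripts from Office, and the hunter would tune the rule (for example on command-line flags such as the hidden-window and encoded-command switches above) before handing it to the SOC.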
2. Building an Effective Threat Hunting Team
One point David emphasized that resonates with my experience is moving past the "unicorn hunter" mindset. You don't need a team of rare specialists who can do everything. Instead, focus on building a collaborative team with complementary skills.
Here's what this looks like in practice: You need people who understand threat actors and their tactics. You need professionals who know your technology stack - not necessarily every detail, but enough to navigate it effectively. And increasingly, you need data analytics expertise. In fact, David noted that many organizations are now bringing in data scientists to enhance their threat hunting capabilities.
This last point connects directly to how we're seeing the industry evolve. SOC analysts and incident responders typically cover about 80-90% of what you need, but the addition of data science skills, even on a temporary basis, can significantly improve your hunting effectiveness.
3. Implementing a Framework That Works
One of the most practical takeaways from our conversation was David's advice on getting started with threat hunting. His message was clear: don't overcomplicate it. You don't need to implement everything at once. Start small, build on your successes, and grow your program methodically.
The PEAK framework, which David helps develop, provides a structured approach to this. But as he points out, the key isn't which framework you choose - it's having one that gives you clear guidelines and helps prioritize your efforts.
This aligns with what we're seeing in the field. Organizations often struggle not from lack of tools but from trying to do too much at once. David's approach of starting small and measuring progress systematically makes threat hunting more accessible and, ultimately, more effective.
Strengthening Security Through Integration
The integration of threat hunting into broader security operations continues to evolve. As we see with recent developments like the Team Cymru Scout App for Splunk, the ability to enrich threat data and automate detection is becoming increasingly vital. These tools help teams operationalize the kind of insights David discusses, turning threat hunting from a specialized activity into an integral part of security operations.
For security teams looking to enhance their threat hunting capabilities, David's insights offer a clear path forward: start with a framework, build a diverse team, and focus on continuous improvement rather than immediate perfection.
Take Your Threat Hunting to the Next Level
Want to put these insights into practice? Start by exploring how the Team Cymru Scout App for Splunk can enhance your threat hunting capabilities. Learn more here: https://www.team-cymru.com/post/how-the-new-splunk-app-for-scout-can-enrich-and-accelerate-your-investigations
And to hear more conversations like this one with David, tune in to The Future of Threat Intelligence Podcast: