I had a good question in my talk last night "What works better, having dedicated threat hunters or splitting that responsibility with existing analysts?"

Here are some thoughts I shared... 1/

I'll start by saying that I've seen it work well both ways, and it often depends mostly on the individuals and management. Anyone who tells you there is only one good way to structure that function probably hasn't been exposed to enough of it.

That said... 2/

If I'm running the SOC, all analysts have at least one more task beyond just reviewing alerts -- malware reversing, sig dev, intel, threat hunting, etc. That's critical for cognitive task diversity and also does amazing things for retention. 3/

The ability to switch tasks is SO important for maximizing cognitive MPG during the day. It keeps folks engaged and doesn't wear them out as much. They go home energized and not exhausted. It also builds more diverse skillsets and ways of looking at data. 4/

There is FAR too much gatekeeping that happens with threat hunting. Folks want to treat it like its magic and reserved for the elite. It's not. Good investigators often make good hunters. Those skills can be built simultaneously. 5/

Some folks have analysts devote a little time each day to hunting. Some pull analysts off shift for a couple weeks at a time to focus on it and rotate that motion. There are pros and cons to each way, but I've seen both be very effective. 6/

Humans are naturally curious - we all have that in us. Curiosity wins the day when hunting. If you can understand evidence, learn how to transform it with tools, and spend time researching common attacks then your curiosity will drive that knowledge to meaningful action. 7/7