Thread by Chris Sanders, 7 tweets, 2 min read
I had a good question in my talk last night: "What works better, having dedicated threat hunters or splitting that responsibility with existing analysts?"

Here are some thoughts I shared... 1/
I'll start by saying that I've seen it work well both ways, and it often depends mostly on the individuals and management. Anyone who tells you there is only one good way to structure that function probably hasn't been exposed to enough of it.

That said... 2/
If I'm running the SOC, all analysts have at least one more task beyond just reviewing alerts -- malware reversing, sig dev, intel, threat hunting, etc. That's critical for cognitive task diversity and also does amazing things for retention. 3/
The ability to switch tasks is SO important for maximizing cognitive MPG during the day. It keeps folks engaged and doesn't wear them out as much. They go home energized and not exhausted. It also builds more diverse skillsets and ways of looking at data. 4/
There is FAR too much gatekeeping that happens with threat hunting. Folks want to treat it like it's magic and reserved for the elite. It's not. Good investigators often make good hunters. Those skills can be built simultaneously. 5/
Some folks have analysts devote a little time each day to hunting. Some pull analysts off shift for a couple weeks at a time to focus on it and rotate that motion. There are pros and cons to each way, but I've seen both be very effective. 6/
Humans are naturally curious - we all have that in us. Curiosity wins the day when hunting. If you can understand evidence, learn how to transform it with tools, and spend time researching common attacks, then your curiosity will drive that knowledge to meaningful action. 7/7