The term “threat hunting” means searching through an IT system for malicious activities. These activities might be happening at the moment or they might have already occurred.
Threat hunting systems are rarely sold as standalone packages. Instead, this is a technique that is used as part of a cybersecurity service.
Here is our list of the nine best threat hunting tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE One of the most competitive SIEM tools on the market with a wide range of log management features. Get a 30-day free trial.
- ManageEngine Vulnerability Manager Plus (FREE TRIAL) Use this system to check your endpoints and network devices for weaknesses that represent security threats. Runs on Windows Server. Start 30-day free trial.
- ManageEngine Log360 (FREE TRIAL) This on-premises package includes a SIEM for threat hunting with a threat intelligence feed and activity analysis to hone the accuracy of attack detection. Runs on Windows Server. Start a 30-day free trial.
- VMware Carbon Black Endpoint An EDR that is based in the cloud but includes data collectors installed on monitored devices.
- CrowdStrike Falcon Overwatch A full security operations center provided on a subscription basis that includes a SaaS EDR system, called Falcon Insight, plus technicians to run the software and security analysis for manual threat hunting.
- Trend Micro Managed XDR A subscription service that offers both software-based and human threat hunting that will implement responses automatically to shut down attacks.
- Cynet 360 An innovative cloud-based cyber defense system that diverts intruders away from valuable assets through a Deception module that also exposes malicious activity to scrutiny and analysis.
- Exabeam Fusion Offered in SIEM and XDR formats, both options use the same threat hunting routines. This is a cloud platform.
- Rapid7 InsightIDR A SIEM and XDR service that can be added to other services from the same cloud platform, such as a threat intelligence feed.
The threat hunter is the search tool that scours through activity data, looking for signs of unwanted behavior.
The types of systems that have threat hunting built into them are:
- Anti-virus (AV)
- Endpoint detection and response (EDR)
- Extended detection and response (XDR)
- Security information and event management (SIEM)
- Intrusion detection systems (IDSs)
- Intrusion prevention systems (IPSs)
- Cyber threat intelligence (CTI)
You will notice that firewalls are not included in the list. Although firewalls scan traffic, their activities are not generally classified as threat hunting. A firewall filters traffic.
Threat hunting strategies
Threat hunting systems look through system data for indicators of attack or unusual behavior. The source of that data is usually captured performance data and log messages. Threat hunting can be performed on a single device, but it is more effective if the activity data from all of the devices on a network is pooled in one central location. This enables the threat hunter to look for malicious activities that travel between devices so the cybersecurity system can spot and block a spreading attack.
Threats might be implemented in the form of software or manual activity by an individual. In almost all cases, the malicious activity will be carried out within an authorized user account.
If an outsider is using a valid account, it will be due to an account takeover. This can occur because of weak security in the form of crackable passwords. Hackers can also get account credentials by tricking users into a disclosure.
If the malicious actor is a staff member, the user concerned might have been tricked or threatened into acting on behalf of an outsider. A disgruntled employee might want to damage the business by stealing or disclosing sensitive data or selling data for financial gain.
Although software is usually involved in a malicious event, it is not always malware or an unauthorized system installed by a hacker. The authorized applications that you have installed for use by company workers can process and move data, and they can serve malicious insiders and intruders just as well.
Automated and manual threat hunting
Threat hunting processes are built into cybersecurity software. However, threat hunting can be a human activity as well. A data viewer with search and sorting facilities enables a cybersecurity specialist to analyze data and make inquiries into possible misuse of data.
Although a system manager might notice something odd about user account activity and want to investigate further, threat hunting is more usually an activity carried out by dedicated professionals. Not many businesses are large enough to afford to keep a qualified cybersecurity specialist on staff, so these experts are more likely to be found working for consultancies, becoming involved with a client company’s data when called in to sort out an emergency.
Businesses can create an ongoing contract for consultancy services by signing up for a managed security package, which includes both the protection software and the services of cybersecurity experts to analyze data in the event of anomalies that the software cannot categorize.
The best threat hunting tools
The field of threat hunting offers a range of configurations and they encompass on-premises software packages, SaaS platforms, and managed services. When seeking out good examples of threat hunting systems to recommend, we need to be aware that different sizes and types of businesses will have different needs. Therefore, it is impossible to recommend a single package that can be easily identified as the best option available.
What should you look for in a threat hunting tool?
We examined the market for cybersecurity systems that incorporate threat-hunting processes and analyzed the available options based on the following criteria:
- A data collection service to feed event information into the threat hunter
- Data aggregation to standardize the format of event records
- Options for manual analysis
- Automated response settings
- Threat detection governed by a security policy
- A free trial or a demo system to assess the system before paying
- Value for money, provided by comprehensive security protection at an appropriate price
With these criteria in mind, we identified reliable cybersecurity tools that include excellent threat hunting procedures. We made sure to include on-premises, SaaS, and managed service options.
1. SolarWinds Security Event Manager (FREE TRIAL)
SolarWinds Security Event Manager is the best option for those system managers that want to keep everything in-house. The package runs on your server and explores all other endpoints across the network. This system operates on live network performance data, drawn from sources such as the Simple Network Management Protocol (SNMP), as well as log messages.
- Log file collectors
- Sensitive data manager
- Compliance auditing
- Signature-based threat hunting
The package includes connectors that interface to applications and extract event data. The system also includes a file integrity monitor that records access to files and changes made to their contents. This acts as the sensitive data manager, supervising nominated files and folders.
The performance readouts and log messages then get converted into a common format, which is called “consolidation”. The tool presents these records to the threat hunting module for analysis.
The malicious activities that the threat hunter detects can be stopped immediately. This threat hunter is a signature-based service that looks for indicators of attack. The system includes a list of responses, which are called correlation rules. These specify an action to take if a threat is detected. Those actions can include blocking traffic to and from a specific IP address, suspending a user account, shutting down a process, or deleting a file.
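As an added illustration of the pooled-data search described under Threat hunting strategies and of the correlation-rule response model described here (example code written for this article, not code from SolarWinds or any other product on this page): a toy rule engine that examines constructed, already consolidated logon records from several hosts together, so that failed logons on two web servers followed by a success on a database server are treated as one campaign. The rule name, thresholds, field names and action names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already converted to one common format
# (the step the article calls consolidation). Not real data.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "web01", "src_ip": "203.0.113.7",
     "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-10T09:00:09", "host": "web01", "src_ip": "203.0.113.7",
     "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-10T09:00:20", "host": "web02", "src_ip": "203.0.113.7",
     "user": "alice", "outcome": "failure"},
    {"ts": "2024-01-10T09:02:45", "host": "db01", "src_ip": "203.0.113.7",
     "user": "alice", "outcome": "success"},
    {"ts": "2024-01-10T09:05:00", "host": "web01", "src_ip": "198.51.100.4",
     "user": "bob", "outcome": "success"},
]

# Hypothetical correlation rule: an indicator of attack plus the
# responses to trigger, in the spirit of the rules described above.
RULE = {
    "name": "password-guessing-then-logon",
    "min_failures": 3,              # failures needed before a success counts
    "window": timedelta(minutes=5),  # look-back period before the success
    "actions": ["block_ip", "suspend_account"],
}

def parse(ts):
    return datetime.fromisoformat(ts)

def hunt(events, rule):
    """Return one finding per source IP whose activity matches the rule.

    Events from every host are examined together, so a per-device check
    that only saw db01's single successful logon would not fire here.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            start = parse(e["ts"]) - rule["window"]
            prior = [p for p in evs[:i]
                     if p["outcome"] == "failure" and parse(p["ts"]) >= start]
            if len(prior) >= rule["min_failures"]:
                findings.append({
                    "rule": rule["name"], "src_ip": ip, "user": e["user"],
                    "hosts": sorted({p["host"] for p in prior} | {e["host"]}),
                    # Each action is paired with the object it applies to.
                    "actions": [(a, ip if a == "block_ip" else e["user"])
                                for a in rule["actions"]],
                })
                break  # one finding per source IP is enough to respond
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS, RULE):
        print(finding)
```

The second source address, with a single successful logon and no preceding failures, produces no finding, which is the point of requiring the failure count before the success.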
- Acts as a SIEM
- Manages log files
- Implements automated responses
- Alerts for suspicious activity
- Uses live network data as well as logs
- No cloud version
SolarWinds Security Event Manager installs on Windows Server and it is available for a 30-day free trial.
SolarWinds Security Event Manager is our top pick for a threat hunting package because it allows you to keep full control of your IT services. Many IT system managers are still not comfortable with the prevalence of cloud-based systems because that strategy reduces control, provides extra avenues for intruders to enter, and requires some details about the business to be held on an external server.
Download: Get a 30-day free trial
Official Site: https://www.solarwinds.com/security-event-manager/registration
OS: Windows Server
2. ManageEngine Vulnerability Manager Plus (FREE TRIAL)
Vulnerability Manager Plus provides a strategy to prevent threats from succeeding rather than waiting and looking for threats that are in progress. This is a system hardening package that scans endpoints and network devices, such as firewalls and gateways.
- Scans for security weaknesses
- Patch manager
- Protects Windows, macOS, and Linux
- Configuration hardening
This ManageEngine package scans endpoints and internet-facing devices. It spots configuration errors that provide opportunities for intruders and it identifies out-of-date operating systems and software packages. In some cases, those old software systems need to be completely replaced. However, where updates are available, the Vulnerability Manager Plus system will find those patches and schedule them for rollout.
The patch manager that forms part of the Vulnerability Manager Plus package will order patches according to known dependencies and it also gives you a chance to test the patches before they are applied.
Vulnerability Manager Plus addresses the system weakness that poorly planned elevated accounts and abandoned user accounts present. It identifies where credentials need to be tightened and where access rights management can be improved.
- Access rights assessments
- Webserver and firewall hardening
- Software version checks
- Automated scans and software updates
- Not a SaaS package
ManageEngine Vulnerability Manager Plus installs on Windows Server. There is a Free edition that covers up to 25 endpoints. The two paid versions are the Professional edition to manage a LAN of more than 25 devices and the Enterprise edition, which is designed to protect endpoints on multiple sites. You can get either of the paid versions on a 30-day free trial.
3. ManageEngine Log360 (FREE TRIAL)
ManageEngine Log360 provides a SIEM system for threat hunting. This detection service is enhanced by a threat intelligence feed, which provides a list of known attacker addresses and methods. The system is also informed by a user and entity behavior analytics (UEBA) service that cuts out false positive alerting by establishing a baseline of normal activity.
- Scans through logs
- Collects data from endpoints and cloud platforms
- Gathers network activity data
- Threat intelligence feed
There are many other modules in this on-premises package that enable the system to automatically block malicious activity by malware, intruders, or insiders. These include a cloud access security broker (CASB) to enforce security on cloud platforms, behavior analysis to spot insider threats and account takeovers, access logging and file integrity monitoring to block data theft, and security orchestration, automation, and response (SOAR) to coordinate the automated responses to threats between all the tools in the package and third-party systems.
The SIEM requires log messages as its source data, so the Log360 system includes a log manager that collects, consolidates, and then stores messages. This service is also useful for compliance auditing and reporting. The system can produce reports for PCI DSS, GDPR, FISMA, HIPAA, SOX, and GLBA. It also provides protection for Active Directory implementations, which is itself a requirement of many data protection standards.
- Data loss prevention and activity logging
- Auditing and reporting for data standards compliance
- Anomaly-based detection
- Automated responses that can include third-party tools
- This is a very large package and it requires a team to manage it.
ManageEngine Log360 is an on-premises package that runs on Windows Server. It is able to collect data from all your other operating systems, network devices, and cloud services. This system is available for a 30-day free trial.
4. VMware Carbon Black Endpoint
VMware Carbon Black Endpoint protects multiple endpoints. Each enrolled endpoint has an agent installed on it and that unit communicates with the cloud-based Carbon Black data processor.
- Threat intelligence feed
- Anomaly detection
- Fast threat hunting
A network agent also communicates with third-party security tools as part of a technique that is called security orchestration, automation, and response (SOAR). The SOAR system gathers information from third-party security tools, such as firewalls, and adds this to the pool of information that is collected in the cloud.
The threat hunting module in the Carbon Black package is called Predictive Cloud Security, which is notable for its ability to search through large collections of data very quickly. The detection of a threat triggers response instructions that are sent to the device agents and also to the third-party tools that are enrolled in the SOAR system.
- Mutual threat exchange between clients
- System hardening advice
- Automated responses
- Protect multiple sites
- Doesn’t include a log manager
The SaaS package implements threat hunting per client and then pools all discovered data for a central search across all clients. This central threat hunting provides threat intelligence about hacker campaigns and warns clients ahead of the attack. You can request a demo of the VMware Carbon Black Endpoint system.
5. CrowdStrike Falcon Overwatch
CrowdStrike Falcon is a cloud platform of security tools that includes an EDR, called Insight, and an XDR. The EDR coordinates with CrowdStrike on-device systems and the XDR adds on SOAR.
- Local threat hunting
- Consolidated cloud-based threat hunting
The one product of CrowdStrike that runs on endpoints is a next-generation anti-virus package, called Falcon Prevent. This performs its own threat hunting and implements defense responses. If the buyer of Falcon Prevent has also subscribed to one of the cloud-based systems, the AV acts as an agent to it.
Both Falcon Insight and Falcon XDR perform threat hunting in the cloud on the pool of data uploaded from all endpoints enrolled in the plan. This threat hunting process can be enhanced with a threat intelligence feed, called Falcon Intelligence.
A business that doesn’t want to keep a security expert on staff would be missing out on the benefit of manual threat hunting and expert security analysis. CrowdStrike caters to this need with the Overwatch package. This is a full security operations center that provides system-wide threat detection and response management for subscribing clients. This is the Falcon XDR SaaS package with security analysts added on.
- Option for a managed service
- Threat intelligence feed
- Many options can take time to assess
The Overwatch plan includes an installation of Falcon Prevent on every endpoint. You can get a 15-day free trial of CrowdStrike Falcon Prevent.
6. Trend Micro Managed XDR
Trend Micro Managed XDR is a SOC-for-hire plan that adds the services of security specialists to the Trend Micro Vision One system security package. Vision One is a SaaS XDR with on-device agents and SOAR, reaching out to third-party security tools.
- Multi-level threat hunting
- Security analysts
The Vision One service is a cloud coordinator of on-device Trend Micro endpoint-resident AVs that perform their own threat hunting locally. These units upload activity data to the Trend Micro server for enterprise-wide threat hunting. The Trend Micro threat detection system is called Zero Trust Risk Insight. It looks for anomalous access to applications, identifying insider threats and intrusion.
The managed service includes automated systems and expert analysts. Manual threat hunting reduces the inconveniences of infrequent legitimate tasks being blocked by automated EDR processes. Analysis can also produce recommendations for system hardening.
- Suitable for businesses that have no security experts on the payroll
- Can manage security for multiple sites
- Compliance reporting
- More expensive than self-managed options
You can get access to a demo system, which is called the Vision One Test Drive.
7. Cynet 360 AutoXDR Platform
Cynet 360 AutoXDR Platform includes a threat hunting layer that gathers information on malicious activity from third-party on-site tools. This platform is resident in the cloud and it provides several utilities to help the on-site automated systems detect threats.
- Local data collectors
- Deception techniques
The threat identification services of Cynet 360 include sandboxing and a honeypot system that provides a fake teaser to hackers, drawing them to an analysis unit.
As well as its own research lab structure, the Autonomous Breach Protection system in Cynet 360 gathers local information through agents in a network called Sensor Fusion. The threat hunting process deploys user and entity behavior analytics (UEBA) to assess the intent of regular business traffic around the network and blocks malicious activity through SOAR.
- Anomaly-based threat hunting with UEBA for baselining
- Memory forensics
- No log manager
Cynet offers a 14-day free trial of the AutoXDR platform.
8. Exabeam Fusion
Exabeam Fusion is a cloud platform with on-site agents that implements threat detection, investigation, and response (TDIR). The package can operate as an XDR or a SIEM. The tool draws in source data from its on-site agents to feed into the threat detection module that operates in the cloud.
- Anomaly-based threat hunting
- Compliance reporting
The Exabeam Fusion threat hunting service uses anomaly detection, which is built on UEBA for activity baselining. The service can be tailored to specific data protection standards requirements and then it will also automatically generate compliance reporting.
The system relies on log information for source data and it can interface directly with a list of software packages through a library of connectors. The service will also consolidate and store logs for manual threat hunting analysis and compliance auditing.
- Gathers activity data from applications
- Examines log files from operating systems
- Log management
- Endpoints are not protected if disconnected from the network
You can assess Exabeam Fusion with a demo.
9. Rapid7 InsightIDR
Rapid7 is a cloud platform of cybersecurity modules. You select which services you want from the menu of options and those packages slot together. The cloud system is called Rapid7 Insight and the XDR package on that platform is called InsightIDR – IDR stands for “incident detection and response” and it can also be used as a next-gen SIEM.
- Threat intelligence
- Both anomaly- and signature-based
The InsightIDR service requires agents to be installed on protected endpoints. The uploaded logs that are gathered by those agents provide the source material for SIEM searching and they will also be stored in log files for manual threat hunting and compliance auditing.
Rapid7 provides a threat intelligence feed into the threat hunting service, which is called the Attack Behavior Analytics (ABA) module. That ABA system is signature-based but it interacts with anomaly-based UEBA searches to provide a blended threat hunting strategy.
- Fast threat hunting, thanks to triage informed by threat intelligence
- Uses UEBA
- Automated responses
- SOAR costs extra
Another package available on the Insight platform is Insight Connect, which extends the capabilities of InsightIDR by adding SOAR connectors.
You can assess Rapid7 InsightIDR with a 30-day free trial.