Over the past 6 months we have continued to improve our product for our customers with one main focus: to offer everything that a legacy SIEM does for security teams, and make it better, faster, and more efficient. We want to equip security teams everywhere with the tools to empower them to replace their frustrating and archaic SIEM products, so they can reduce risk, cost and complexity for their SOC and their companies.
We entered 2023 with a focused strategy to address several “big rocks” within the data, detection and investigation experience within Hunters. We are proud of the immense progress we’ve made, and we want to recap some of our biggest releases.
Data: Ingestion and integrations
Hunters is fully committed to helping ease the cost, availability and engineering problems that come with dealing with traditional security data. Separating data and analytics puts Hunters SOC Platform years ahead of SIEMs’ outdated data strategies, and Hunters continues to lean into this philosophy with new features and capabilities.
We added support for more than 50 new data sources. That means more than 50 additional security products, IT tools and other sources can now be connected to your Hunters environment in a few clicks. The more data, the better.
Data health monitoring: we have greatly improved how we monitor and maintain the health of data ingestion into Hunters. Ingestion is now monitored and maintained around the clock, so if a feed is interrupted, even briefly, customers are informed and a ticket is raised immediately.
Hunters is now available on Databricks! Databricks customers can now attain an end-to-end security operations platform with their security data stored in their own Databricks Lakehouse. This was a massive accomplishment for our team and one that gives Hunters customers the freedom to bring whichever data lake they want. And as a bonus, we were also named Databricks Security Partner of the Year.
Detection: Reduce reliance on detection engineering, focus on your unique use cases
Many security teams spend tons of valuable working hours building out detection rules and analytics on their own. Our goal at Hunters is to take as much of that burden off your team as possible with our continuously updated, built-in detectors and security content. Here’s a quick rundown of some of the major detector pack releases from the past 6 months:
Ransomware Detection Pack
The ransomware threat hunting pack compiles the techniques most commonly used by ransomware groups and their affiliates in recent months. That research was used to build threat hunting campaigns, hygiene dashboards and notebooks that help customers detect these threats and identify and close the gaps ransomware groups exploit across their enterprise and cloud systems.
Two examples are Plain Text Password Discovery, which looks for a single user accessing multiple plain-text password files within a short period, and Suspected Data Exfiltration Using Rclone. Rclone is a versatile open-source command-line tool for copying and syncing files to cloud storage; Ransomware-as-a-Service affiliates have used it to exfiltrate sensitive data from compromised networks. See this detection pack in action in the Hunters platform with this walkthrough tour.
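To make the two rules concrete, here is an added example written for this page. It is not Hunters' detector code (the post does not show their implementation); it runs both rules over a handful of constructed endpoint events. The event schema, the password-file name list, the thresholds and the rclone argument parsing are all assumptions.

```python
"""Added example (not Hunters' code): the two ransomware-pack rules named above,
re-implemented over constructed endpoint telemetry so the logic can be read and run."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The flat schema is an assumption.
EVENTS = [
    {"ts": "2023-06-01T09:00:05", "host": "ws01", "user": "alice", "type": "file_read",
     "path": "C:\\Users\\alice\\Desktop\\notes.txt"},
    {"ts": "2023-06-01T09:01:10", "host": "ws01", "user": "bob", "type": "file_read",
     "path": "C:\\Users\\bob\\Documents\\passwords.txt"},
    {"ts": "2023-06-01T09:01:40", "host": "ws01", "user": "bob", "type": "file_read",
     "path": "\\\\fileserver\\it\\creds.xlsx"},
    {"ts": "2023-06-01T09:02:15", "host": "ws01", "user": "bob", "type": "file_read",
     "path": "C:\\backup\\unattend.xml"},
    {"ts": "2023-06-01T09:03:00", "host": "ws01", "user": "bob", "type": "file_read",
     "path": "C:\\Users\\bob\\.aws\\credentials"},
    {"ts": "2023-06-01T14:00:00", "host": "ws01", "user": "bob", "type": "file_read",
     "path": "C:\\Users\\bob\\Documents\\pass.txt"},   # hours later: outside the window
    {"ts": "2023-06-01T09:30:00", "host": "srv02", "user": "svc_backup", "type": "process",
     "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\finance mega:dump --transfers 16 -q"},
    {"ts": "2023-06-01T10:00:00", "host": "ws03", "user": "carol", "type": "process",
     "image": "C:\\tools\\rclone.exe", "cmdline": "rclone.exe version"},   # no transfer
    {"ts": "2023-06-01T10:05:00", "host": "ws03", "user": "carol", "type": "process",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# File names that commonly hold plaintext secrets. Assumed seed list; tune per environment.
PASSWORD_FILE_RE = re.compile(
    r"(pass(word|wd)?s?\.(txt|xlsx?|docx?|csv)$|creds?\.|credentials$|unattend\.xml$|\.kdbx$)",
    re.IGNORECASE,
)

def plaintext_password_discovery(events, threshold=3, window=timedelta(minutes=10)):
    """Alert when one user reads >= threshold distinct password-like files within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "file_read" and PASSWORD_FILE_RE.search(e["path"].rsplit("\\", 1)[-1]):
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["path"]))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        lo = 0                                   # sliding window over sorted accesses
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = {p for _, p in hits[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts.append({"user": user, "files": sorted(distinct),
                               "first": hits[lo][0].isoformat(), "last": hits[hi][0].isoformat()})
                break                            # one alert per user in this example
    return alerts

# rclone addresses configured remotes as "name:path"; drive letters look similar and are excluded.
RCLONE_REMOTE_RE = re.compile(r"[\w-]+:\S*")
DRIVE_LETTER_RE = re.compile(r"^[A-Za-z]:\\")
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

def suspected_rclone_exfiltration(events):
    """Flag rclone executions that transfer data to a configured remote."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        args = e["cmdline"].split()
        if image != "rclone.exe" and "rclone" not in args[0].lower():
            continue
        verb = next((a for a in args[1:] if a in RCLONE_TRANSFER_VERBS), None)
        remotes = [a for a in args[1:] if RCLONE_REMOTE_RE.fullmatch(a) and not DRIVE_LETTER_RE.match(a)]
        if verb and remotes:
            alerts.append({"host": e["host"], "user": e["user"], "verb": verb, "remote": remotes[0]})
    return alerts
```

Two caveats worth carrying into a production rule: an attacker who renames rclone.exe defeats the image-name check, so real content also keys on the binary's hash and on its distinctive argument shape; and the password-file name list is only a seed, since the same pattern applies to browser credential stores and password-manager databases.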
We recently released a cross-data-source impossible travel detector. It correlates login data across all of the telemetry ingested into Hunters, and it is engineered to reduce the excessive noise and false positives that impossible travel rules are known for. Read all the details about how it works on our blog.
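An added example of what such a detector has to do, not Hunters' implementation (the blog post referenced above is not reproduced here): pair each identity's sign-ins across several sources, compute the implied travel speed, and apply the noise controls that keep the rule usable. The sign-in events, their geolocation values, the identity normalization (lower-casing the e-mail) and the VPN egress allowlist are constructed assumptions.

```python
"""Added example (not Hunters' code): a cross-source impossible-travel check with
three noise controls: drop non-routable IPs, drop known corporate egress, and
ignore small geo-IP jitter. Identity mapping and geolocation are assumed enrichment."""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events from three sources; `geo` is (lat, lon) as a geo-IP
# enrichment step would add it. IPs come from the RFC 5737 documentation ranges.
LOGINS = [
    {"src": "okta", "user": "Alice@Example.com", "ts": "2023-06-01T08:00:00", "ip": "203.0.113.10", "geo": (51.51, -0.13)},   # London
    {"src": "aws",  "user": "alice@example.com", "ts": "2023-06-01T09:30:00", "ip": "198.51.100.7", "geo": (40.71, -74.01)},  # New York, 90 min later
    {"src": "o365", "user": "bob@example.com",   "ts": "2023-06-01T08:00:00", "ip": "203.0.113.20", "geo": (51.51, -0.13)},
    {"src": "aws",  "user": "bob@example.com",   "ts": "2023-06-01T08:20:00", "ip": "192.0.2.5",    "geo": (37.77, -122.42)}, # corp VPN egress
    {"src": "okta", "user": "carol@example.com", "ts": "2023-06-01T08:00:00", "ip": "10.0.0.5",     "geo": (0.0, 0.0)},        # RFC 1918, no real geo
    {"src": "o365", "user": "carol@example.com", "ts": "2023-06-01T08:05:00", "ip": "203.0.113.30", "geo": (48.86, 2.35)},    # Paris
]

# Non-routable space: geolocating these yields garbage, so they never form a pair.
# (ipaddress.is_global is not used because it also classes the documentation ranges
# used in the sample as non-global.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumed allowlist: corporate VPN / SASE egress whose location says nothing about the user.
KNOWN_EGRESS = [ipaddress.ip_network("192.0.2.0/24")]

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    r = 6371.0
    dlat = math.radians(b[0] - a[0])
    dlon = math.radians(b[1] - a[1])
    h = (math.sin(dlat / 2) ** 2
         + math.cos(math.radians(a[0])) * math.cos(math.radians(b[0])) * math.sin(dlon / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))

def usable(ev):
    ip = ipaddress.ip_address(ev["ip"])
    return not any(ip in net for net in NON_ROUTABLE + KNOWN_EGRESS)

def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Pair consecutive usable sign-ins per normalized identity across all sources and
    flag any pair whose implied speed exceeds max_kmh. min_km suppresses geo-IP jitter."""
    by_user = defaultdict(list)
    for ev in events:
        if usable(ev):
            by_user[ev["user"].lower()].append((datetime.fromisoformat(ev["ts"]), ev))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda t: t[0])
        for (t1, e1), (t2, e2) in zip(evs, evs[1:]):
            km = haversine_km(e1["geo"], e2["geo"])
            hours = max((t2 - t1).total_seconds() / 3600.0, 1 / 3600.0)   # never divide by zero
            if km >= min_km and km / hours > max_kmh:
                alerts.append({"user": user, "from": (e1["src"], e1["ip"]), "to": (e2["src"], e2["ip"]),
                               "km": round(km), "kmh": round(km / hours)})
    return alerts
```

Note what the sample exercises: alice is only caught because the Okta and AWS events are joined on the same identity, which is the cross-source part; bob's second sign-in comes from corporate egress and is dropped before pairing; carol's first sign-in is from private address space and is dropped for the same reason. In a real pipeline the identity join comes from a directory, not from lower-casing an e-mail.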
Multi-Context UEBA (Time Series)
Our in-house research team built infrastructure for multi-context UEBA that can be applied to existing and future detectors. Built-in detectors can now use dynamic baselines and thresholds that tune themselves with machine learning, which both broadens detection coverage and addresses common gaps in traditional UEBA solutions.
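As an added illustration of why a per-entity baseline beats a fixed threshold (this is not Hunters' UEBA code, which the page does not describe), the following compares a static limit with a robust trailing baseline over constructed daily counts. The statistic (median plus scaled MAD), the multiplier, the floor and the minimum-history rule are the author's choices; only the per-entity context is shown, not the other contexts a multi-context system would combine.

```python
"""Added example (not Hunters' code): per-entity dynamic baseline versus a static threshold."""
import statistics

# Constructed daily counts of one behaviour (say, files downloaded) per entity over
# 14 days, then today's value. Not real data.
HISTORY = {
    "svc_backup": [480, 510, 495, 505, 490, 520, 500, 515, 498, 505, 512, 490, 503, 497],
    "alice":      [3, 5, 2, 4, 6, 3, 0, 0, 4, 5, 3, 2, 4, 3],
    "new_hire":   [2, 3],                        # too little history to baseline
}
TODAY = {"svc_backup": 560, "alice": 40, "new_hire": 30}

def static_threshold(today, limit=100):
    """The classic rule: same limit for everyone. Fires on svc_backup every single day
    and never on alice, whose 40 is more than ten times her normal."""
    return sorted(e for e, v in today.items() if v > limit)

def dynamic_baseline(history, today, k=3.0, min_days=7, floor=5.0):
    """Flag an entity when today's count exceeds its own trailing median + k * scaled MAD.
    Median/MAD are robust to the occasional spike already present in the history.
    Entities with fewer than min_days of history are skipped rather than scored against
    a meaningless baseline; `floor` stops near-zero baselines alerting on trivial counts."""
    flagged = {}
    for entity, value in today.items():
        hist = history.get(entity, [])
        if len(hist) < min_days:
            continue
        med = statistics.median(hist)
        mad = statistics.median(abs(x - med) for x in hist) or 1.0   # constant history: assume unit spread
        threshold = max(med + k * 1.4826 * mad, floor)             # 1.4826 scales MAD to a sigma
        if value > threshold:
            flagged[entity] = {"value": value, "threshold": round(threshold, 1)}
    return flagged
```

The two rules disagree on both real entities: the static limit fires on the service account because its normal volume is high, and misses alice; the baseline tolerates the service account's usual 500 and fires on both because each is well outside its own history. The new hire is deliberately not scored, which is the gap a baseline-only system has to be honest about: new entities need a peer-group or organization-wide context until they have a history of their own.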
Azure AD Pack
Threat actors who take over Azure AD gain almost absolute control over the organization's entire Azure tenant. To improve coverage of threats on Azure, Hunters' Security Research team created new detectors covering credential access, privilege escalation, discovery and exfiltration. The detectors combine UEBA and cross-platform correlations, and include the following:
- Soft Match Sync to gain Access to Azure
- Suspicious Sign-Ins by Azure AD Connect Sync Account
- Addition of new credentials to a service principal on Azure Active Directory
- Azure Activity authentication and action IP mismatch
- Modified Domain Federation Trust Settings (coverage improvements)
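Of the five, the authentication/action IP mismatch is the one whose name spells out the mechanism, so here is an added example of it (not Hunters' detector) over constructed Azure Activity records: compare the IP the token was issued to (the ipaddr claim) with the IP that made the management call (httpRequest.clientIpAddress). Field names follow the Azure Monitor activity-log schema as the author understands it; the records and the same-site egress allowlist are assumptions.

```python
"""Added example (not Hunters' code): Azure Activity records whose token-issuance IP
(claims.ipaddr) differs from the IP that performed the action (httpRequest.clientIpAddress)."""
import ipaddress

# Constructed records, trimmed to the fields the check needs. Assumed schema.
ACTIVITY = [
    {"eventTimestamp": "2023-06-01T10:00:00Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "httpRequest": {"clientIpAddress": "203.0.113.10"},
     "claims": {"ipaddr": "203.0.113.10"}},                       # consistent
    {"eventTimestamp": "2023-06-01T10:05:00Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write",
     "httpRequest": {"clientIpAddress": "198.51.100.77"},
     "claims": {"ipaddr": "203.0.113.10"}},                       # token replayed from elsewhere
    {"eventTimestamp": "2023-06-01T10:06:00Z", "caller": "bob@example.com",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "httpRequest": {"clientIpAddress": "192.0.2.8"},
     "claims": {"ipaddr": "192.0.2.9"}},                           # both inside corporate egress
    {"eventTimestamp": "2023-06-01T10:07:00Z", "caller": "deploy-sp-object-id",
     "operationName": "Microsoft.Web/sites/write",
     "httpRequest": {"clientIpAddress": "198.51.100.5"},
     "claims": {}},                                                # service principal: no ipaddr claim
]

# Assumed: corporate egress ranges inside which a changed address is ordinary NAT churn.
SAME_SITE = [ipaddress.ip_network("192.0.2.0/24")]

def same_site(a, b):
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return any(ia in net and ib in net for net in SAME_SITE)

def auth_action_ip_mismatch(records):
    """Return records where the action IP differs from the IP the token was issued to.
    Records without an ipaddr claim (service principals, managed identities) are skipped:
    there is nothing to compare, which is not the same as a match."""
    hits = []
    for r in records:
        auth_ip = r.get("claims", {}).get("ipaddr")
        act_ip = r.get("httpRequest", {}).get("clientIpAddress")
        if not auth_ip or not act_ip:
            continue
        if auth_ip != act_ip and not same_site(auth_ip, act_ip):
            hits.append({"caller": r["caller"], "op": r["operationName"],
                         "auth_ip": auth_ip, "action_ip": act_ip, "ts": r["eventTimestamp"]})
    return hits
```

On its own a mismatch is common (mobile networks re-address, VPNs reconnect, tokens outlive a session's IP), which is why the page describes these detectors as combining the check with UEBA and cross-platform correlation: the signal is a mismatch on a sensitive operation such as a role assignment or credential addition, from an address the principal's own baseline has never seen.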
UEBA detectors are one component of a comprehensive security strategy and are typically used alongside other measures. Adding this analytic capability to Hunters' already expansive library of hundreds of pre-built detectors means your security team keeps improving its effectiveness by spending more time on the alerts that truly matter.
Investigation: Leveling up the analyst experience
Security products should make the daily job of security analysts simpler and more efficient. We are constantly designing features that bring value to the organizations we serve, but also to the analysts themselves who have their “boots on the ground” day in and day out. Just this year we’ve made things even faster and easier than before:
Rapid automatic investigation: an upgrade to our already hearty automatic investigation capabilities. Rapid automatic investigation splits the automated process into phases, so the platform can analyze the initial data points about a possible threat within minutes. Analysts can begin their inquiry while the system continues to enrich the entity with data from across the attack surface and from the various data sources, giving an expedited early look at entities that could be threats.
IOC search: a game-changing search tool that tells you whether a known IOC has been seen in your organization’s environment, without ever writing a SQL query. Type the IOC into the Google-like search bar and the platform answers whether it has been found, with no need to understand the thousands of event types and related fields in your log data.
GPT-assisted investigations: one click within the Hunters platform sends a specific command line to GPT and returns an explanation of what it does. As with any model-generated text, treat the explanation as a starting point for triage rather than a verdict, and verify it against the command’s actual arguments and the surrounding telemetry.
You asked. We delivered.
When you are always pushing out massive features, it can be easy to forget about customer feature requests. But when our customers come to us with pain points, we see them as our opportunities to solve problems.
Here are just a few examples from the past 6 months:
Improved activity auditing: customers can now audit rule changes within their own instance of Hunters to make sure the relevant stakeholders have visibility over the environment.
Date picker: customers can now navigate to specific time frames to view alerts, leads and data ingestion information. Using a simple drop down calendar in the platform, you can “travel” back in time to view data from the chosen dates.
Additional operators for custom detectors: With additional logical operators, customers can now fine tune their custom detectors with much more precision allowing them to create more accurate and case specific alerts.
This is just scratching the surface of the progress we’ve made this year and we are extremely proud of the features we’ve shipped and the world-class team that built them. When you are tackling the pain points that come from deeply entrenched legacy SIEMs, there is always more progress to be made. We have very exciting plans for the rest of the year, and can’t wait to bring our customers the next wave of features that truly level up their security capabilities.
We are currently hiring for both the Product and R&D teams, so if you're interested in becoming part of a stellar team that is building world-class products, check out our Careers page. Yalla!