Security people are often viewed as gatherers. We gather security event data, collect logs for review, build documentation about our environment, and sort informational assets into like-valued groups so we can focus our defenses. I think we’ve got the gathering part down. The same goes for our propensity to react: we may not be great at reacting (or, more likely, we’re great at reacting to only a few things), but we get plenty of exposure to it.

Photo: “Warning!!!...Tiger in training...:O))”, by Keven Law

You cannot be a successful security professional by only being a gatherer, and your team won’t be successful if you only hire and employ gatherers. Just like most societal norms that evolved over thousands of years, you need hunters to fill a need that your gatherers simply cannot.

Information security hunters aren’t reacting to incidents, amassing event data, or collecting things. They take everything that has been gathered, augment it with other intelligence sources, and actively look for threats against informational assets. They use analytics to find the bad guys when they hide in plain sight.

In this game of cat and mouse you can either sit back and wait, hoping you catch something early enough in the kill chain to save your job and your company, or you can take your future into your own hands and discover compromises before exfiltration. Collecting the massive amounts of data we need to do our jobs lets us be not only gatherers of information events, but hunters with added analytics.

Think back to the kill chain. We must assume that the first two or three steps (reconnaissance, weaponization, and delivery) will happen, and that they are largely out of our control. Hunters concentrate their effort on the later steps, exploitation and command and control, looking for and removing those footholds so that exfiltration never happens. Passive gathering is great, but without active analytics you are more likely to get the phone call informing you of your breach than to find and stop it on your own.
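To make the gatherer/hunter distinction concrete, here is an added example (mine, not code from the original post) of a small hunting analytic run over gathered proxy logs. The log lines, hosts, IPs and the threat-intel indicator list are all constructed for the example. The indicator match is the gatherer’s check: it only finds destinations an intel feed already knows. The beaconing analytic is the hunter’s check: it flags a source that contacts the same destination at near-constant intervals, which is how a command-and-control channel hides in plain sight among ordinary web traffic, whether or not anyone has an indicator for it yet.

```python
"""Added example (not from the original post): a small C2 hunting analytic.

Constructed proxy log lines are parsed, enriched with a constructed
threat-intelligence list, and then searched for beaconing: a host that
contacts the same destination at near-constant intervals. The IOC match
is the "gatherer" check; the interval statistic is the "hunter" check
that can surface a destination no intel feed knows about yet.
All hostnames, IPs and timestamps below are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <dst host> <bytes>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example.net 512
2024-03-01T09:00:02 10.0.0.5 cdn.example.org 20480
2024-03-01T09:05:00 10.0.0.5 updates.example.net 517
2024-03-01T09:10:01 10.0.0.5 updates.example.net 509
2024-03-01T09:12:40 10.0.0.5 mail.example.org 8800
2024-03-01T09:15:00 10.0.0.5 updates.example.net 521
2024-03-01T09:20:00 10.0.0.5 updates.example.net 515
2024-03-01T09:25:01 10.0.0.5 updates.example.net 511
2024-03-01T09:03:11 10.0.0.7 bad-domain.example 1024
2024-03-01T09:41:27 10.0.0.7 cdn.example.org 30000
2024-03-01T10:02:55 10.0.0.7 news.example.com 7400
"""

# Constructed threat-intel indicator list (in practice this comes from a feed).
KNOWN_BAD = {"bad-domain.example"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def ioc_hits(events, indicators):
    """Gatherer check: (src, dst) pairs whose destination is a known indicator."""
    return sorted({(src, dst) for _, src, dst, _ in events if dst in indicators})


def beacon_candidates(events, min_events=5, max_cv=0.05):
    """Hunter check: (src, dst) pairs with near-constant contact intervals.

    cv = population stddev / mean of the gaps between successive contacts.
    Humans and most software produce irregular gaps; a beacon with little
    jitter does not. Returns (src, dst, mean gap in seconds, cv).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    out = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps or mean(gaps) == 0:  # guard against duplicate timestamps
            continue
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            out.append((src, dst, round(mean(gaps)), round(cv, 4)))
    return out


def hunt(text, indicators):
    """Run both checks over a log; returns {'ioc': [...], 'beacons': [...]}."""
    events = parse_log(text)
    return {"ioc": ioc_hits(events, indicators),
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG, KNOWN_BAD)
    for src, dst in result["ioc"]:
        print(f"IOC match:        {src} -> {dst}")
    for src, dst, period, cv in result["beacons"]:
        print(f"beacon candidate: {src} -> {dst} every ~{period}s (cv={cv})")
```

On the sample data the indicator list catches only 10.0.0.7 talking to bad-domain.example, while the beaconing check surfaces 10.0.0.5 calling updates.example.net every five minutes with almost no jitter, a destination the intel feed knows nothing about. The caveat a practitioner will expect: legitimate software (update checkers, monitoring agents) beacons too, so the thresholds have to be baselined per environment and the output is a lead for a hunter to run down, not a verdict.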

This post originally appeared on