Andrew Lam, Head of Detections, SecureData

Andrew Lam

Head of Detections, SecureData

Andrew Lam is the Head of Detections at SecureData (An independent cybersecurity managed security services provider) since the beginning of 2017. His previous experience includes working for the UK Government as a technical specialist, designing and implementing security solutions, MDR, EDR and advanced analytics solutions. Prior to this he was a law enforcement officer and digital forensic examiner working within the UK's National Crime Agency and Metropolitan Police Central E-Crime unit working on high profile cybercrime cases.

Andrew Lam will be speaking on the following topic:

Threat Hunting: seek and you "might" find?

Threat hunting has become an item on many CISO's or CTO's wish list as part of their cybersecurity armoury alongside managed detections and response. Threat hunting, however, is relatively immature, with a heavy reliance on the skills of individuals and the very nature of the activity makes it difficult to quantify the success and productivity of these individuals. This makes it hard for businesses to justify the spend on the resource, or even asking existing members of their MDR, SOC or Security Analysts to pursue threat hunting.
Starting small with concentrated hunts and strong hypotheses will form a basis for any threat hunting activity. The metrics and outcomes may not always be apparent, but you will discover things about your network which could become issues in the future. We have taken the approach of looking at hunting activities which are straight forward, such as evaluating IP addresses scanning your network perimeter, anomalous user login activity and DNS requests analysis which provides great insights into an environment. These are clear and directed routine hunts which are achievable in a timely manner. We have now expanded to specific features mapping detections to kill chain phases and hunting in the gaps where we do not have current capability. This in turn builds better detections which are easier to quantify. We have also progressed into use of automation and "I'll say it once only, machine learning". The main point is that there are different levels, time requirements and skills which can be used to start threat hunting and this activity can be quantified and measured to convince the powers to be that this is a worthwhile activity.
This talk seeks to provide some practical steps into how one can start conducting threat hunting and to quantify tangible outcomes for threat hunting teams. We will take the example of how this was implemented within an MSSP and how threat hunting can be mapped to established frameworks to provide useful security insights in any IT environment.

Event Sponsor

Diamond Sponsor

Platinum Sponsors

Security Survey & Executive Roundtable Sponsor

Gold Sponsors

Silver Sponsors

Bronze Sponsors

Display Sponsors

Showcase Sponsor


Endorsed by