
Proactively Hunt for Threats Using Sift Security

Many mature security organizations have people or teams focused on proactively hunting for threats. One of Sift Security's co-founders, Ram Sripracha, spent a lot of time in his previous role on Amazon's security team hunting for threats using a leading enterprise search tool. This experience inspired him to create Sift Security to fill in the gaps he found in existing security tools.

Requirements for Threat Hunting

Based on our experience and on conversations with dozens of incident responders and threat hunters, we see 5 key requirements for effective threat hunting.

How Sift Security Enables Threat Hunting

Sift Security was built from the ground up to be the best product available for threat hunting. This is how we address the requirements above.

Sift Security in Action: An Illustrative Threat Hunt

Consider an employee, Amos, who is leaving the company under unusual circumstances. We have reason to suspect that Amos might be stealing confidential information. Here is how Sift Security could be used to determine whether Amos poses an insider threat.

In our deployment of Sift Security, we are monitoring email metadata, network activity, and host audit logs. Since email is one of the most common channels over which data are exfiltrated, we begin the investigation at Amos's email account. We narrow the investigation to the past few days and look at all of the files Amos attached to email messages. We find 32 such attachments and begin with the largest one. We identify the message to which it was attached and the recipients to whom it was sent. We find a recipient email address that appears to be a personal account belonging to Amos.

Next, we focus on Amos's personal email address. First, we identify what other files have been sent to this personal address. We find a few more files, among them one named shadow. Because this might be a password file from a Unix system, we continue our investigation there. We identify the message to which it was attached and the host from which it was sent. We find that it was sent by Amos from our web server.

At this point, we know that Amos has been exfiltrating data by sending files, including our web server's password file, to his personal email address. At this stage, we revoke Amos's access and continue the investigation. With Sift Security, we can investigate each of the files Amos sent to himself and determine what other systems and information he accessed ahead of his departure.

Sift Security facilitates this investigation in a number of ways. It seamlessly enables pivots between multiple log sources, such as email and host audit logs. Its graph queries return rapid results for common questions that would otherwise require multiple search queries and intimate knowledge of log formats. Its built-in machine learning and intelligence also automatically highlight abnormal behavior during an investigation, for example by surfacing the abnormal process execution and authentication events surrounding the user Amos. These features help threat hunters quickly find, investigate, and verify potential threats.

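The hunt above is a chain of pivots over an entity graph: user to messages, message to attachments and recipients, external recipient back to messages, message to sending host, host to the audit events around the send time. The following script is an added example, not Sift Security's code or a description of its query language. It builds a small property graph from constructed email metadata and host audit records (all names, addresses, hosts, timestamps and sizes are made up for the example), then runs the same sequence of pivots and returns the findings. The sensitive-filename watchlist, the assumption that the corporate domain is corp.example, and the mapping from the mailbox local part to the audit-log user name are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed email metadata: sender, recipients, attachments as (name, bytes),
# sending host and timestamp. Not taken from any real deployment.
EMAIL_META = [
    {"msg_id": "m1", "sender": "amos@corp.example", "recipients": ["bob@corp.example"],
     "attachments": [("q3_report.pdf", 120_000)], "host": "ws-amos", "ts": "2016-05-10T09:12:00"},
    {"msg_id": "m2", "sender": "amos@corp.example", "recipients": ["amos.personal@mail.example"],
     "attachments": [("customer_list.xlsx", 2_400_000)], "host": "ws-amos", "ts": "2016-05-11T18:40:00"},
    {"msg_id": "m3", "sender": "amos@corp.example", "recipients": ["amos.personal@mail.example"],
     "attachments": [("shadow", 1_800), ("httpd.conf", 12_000)], "host": "webserver-1", "ts": "2016-05-12T02:15:00"},
    {"msg_id": "m4", "sender": "amos@corp.example", "recipients": ["carol@corp.example"],
     "attachments": [("notes.txt", 900)], "host": "ws-amos", "ts": "2016-04-01T10:00:00"},  # outside window
]

# Constructed host audit events from the same period.
HOST_AUDIT = [
    {"host": "webserver-1", "user": "amos", "event": "login", "ts": "2016-05-12T02:01:00"},
    {"host": "webserver-1", "user": "amos", "event": "file_read", "path": "/etc/shadow", "ts": "2016-05-12T02:10:00"},
    {"host": "webserver-1", "user": "www-data", "event": "exec", "ts": "2016-05-12T02:12:00"},  # other user
    {"host": "ws-amos", "user": "amos", "event": "login", "ts": "2016-05-12T02:14:00"},          # other host
]

CORP_DOMAIN = "corp.example"                       # assumption for this example
SENSITIVE_NAMES = {"shadow", "passwd", "id_rsa"}   # assumed watchlist, not a product feature


def _ts(s):
    return datetime.fromisoformat(s)


class EntityGraph:
    """Minimal property graph: typed nodes, labelled edges stored in both directions."""

    def __init__(self):
        self.edges = defaultdict(set)   # node -> {(label, neighbour)}
        self.props = {}                 # node -> dict of properties

    def add_edge(self, src, label, dst):
        self.edges[src].add((label, dst))
        self.edges[dst].add(("~" + label, src))   # reverse edge enables pivoting back

    def neighbours(self, node, label):
        return [n for lbl, n in self.edges[node] if lbl == label]


def build_graph(emails, audit):
    g = EntityGraph()
    for m in emails:
        msg = ("message", m["msg_id"])
        g.props[msg] = {"ts": _ts(m["ts"])}
        g.add_edge(("user", m["sender"]), "sent", msg)
        g.add_edge(msg, "from_host", ("host", m["host"]))
        for r in m["recipients"]:
            g.add_edge(msg, "to", ("user", r))
        for name, size in m["attachments"]:
            f = ("file", name)
            g.props[f] = {"size": size}
            g.add_edge(msg, "attached", f)
    for e in audit:
        ev = ("event", f'{e["host"]}:{e["ts"]}:{e["event"]}')
        g.props[ev] = {**e, "ts": _ts(e["ts"])}
        g.add_edge(("host", e["host"]), "logged", ev)
    return g


def attachments_sent_by(g, sender, since, until):
    """Pivot user -> messages in the time window -> attachments."""
    out = []
    for msg in g.neighbours(("user", sender), "sent"):
        if since <= g.props[msg]["ts"] <= until:
            for f in g.neighbours(msg, "attached"):
                out.append((f[1], g.props[f]["size"], msg))
    return out


def recipients_of(g, msg):
    return sorted(u[1] for u in g.neighbours(msg, "to"))


def files_sent_to(g, address):
    """Pivot recipient -> messages (reverse edge) -> attachments."""
    return [(f[1], msg) for msg in g.neighbours(("user", address), "~to")
            for f in g.neighbours(msg, "attached")]


def source_host(g, msg):
    return g.neighbours(msg, "from_host")[0][1]


def events_around(g, host, user, when, minutes=30):
    """Audit events by `user` on `host` within +/- `minutes` of the send time."""
    window = timedelta(minutes=minutes)
    evs = [g.props[ev] for ev in g.neighbours(("host", host), "logged")
           if g.props[ev]["user"] == user and abs(g.props[ev]["ts"] - when) <= window]
    return sorted(evs, key=lambda e: e["ts"])


def hunt(g, corp_address, since, until):
    """Run the narrative's pivots and return the findings as a dict."""
    atts = attachments_sent_by(g, corp_address, _ts(since), _ts(until))
    name, _, msg = max(atts, key=lambda a: a[1])
    external = [r for r in recipients_of(g, msg) if not r.endswith("@" + CORP_DOMAIN)]
    findings = {"attachment_count": len(atts), "largest": name,
                "external_recipients": external, "sensitive": []}
    audit_user = corp_address.split("@")[0]   # assumed mailbox -> audit user name mapping
    for addr in external:
        for fname, m in files_sent_to(g, addr):
            if fname in SENSITIVE_NAMES:
                host = source_host(g, m)
                evs = events_around(g, host, audit_user, g.props[m]["ts"])
                findings["sensitive"].append({"file": fname, "to": addr, "host": host,
                                              "events": [e["event"] for e in evs]})
    return findings


if __name__ == "__main__":
    graph = build_graph(EMAIL_META, HOST_AUDIT)
    print(hunt(graph, "amos@corp.example", "2016-05-09", "2016-05-13"))
```

Storing every edge in both directions is what makes the "pivot back" steps cheap: once the personal address is found as a recipient, the same adjacency lookup walks from that address to every message that reached it, without a second search over raw mail logs.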
Why not just use Search for Threat Hunting?

Sift Security's co-founder and many of the security analysts with whom we have spoken describe the same recurring challenges when using Search to hunt for threats.

Key Sift Security Advantages

About Sift Security

Sift Security gives security operations teams an easier and faster way to discover, investigate and act on risks. Sift Security was built from the ground up on a relational graph data structure, which forms the foundation for our intuitive visualization and cutting-edge analytics.