2020-06-22T10:43:00Z
Rony_Sklar - PeerSpot reviewer
Community Manager at PeerSpot (formerly IT Central Station)
  • 6
  • 511

Compromise Assessment vs Threat Hunting

Hi peers,

What is the difference between a compromise assessment and threat hunting? 

How do each contribute to Endpoint Protection?

5
PeerSpot user
5 Answers
SG
Owner at a security firm with 1-10 employees
Reseller
Top 10
2021-12-07T19:07:02Z
Dec 7, 2021

Compromise Assessment is reactive while Threat Hunting is proactive.

Search for a product comparison in EPP (Endpoint Protection for Business)
SimonClark - PeerSpot reviewer
Cyber Security Advisor - Director at Fort Net UK
MSP/MSSP
Top 5Leaderboard
2021-12-06T14:48:35Z
Dec 6, 2021

@Geoffrey Poer ​covers it well with his answer and the Cisco blog does too. 


Compromise Assessments should be performed frequently, weekly or at least monthly. Rather than a pen test, or at least in addition to pen tests, we recommend regular analysis of your entire environment to give you visibility of everything which includes where vulnerabilities lie. 


Endpoint protection (EPP or EDR) is one more layer to your antivirus security and is operational 24/7. EDR - endpoint detection and response, is typically finding and reporting on newer attacks that do yet have a signature in the AV as well as looking for unusual behaviour on the network and endpoint continuously. 


Threat hunting is expensive and complex too and goes a step further than EDR. Unless you are a large organisation with a specialist team it can be difficult to interpret the results of CA, EDR and TH effectively.  


Often outsourcing this whole capability is more effective and less expensive than doing it in-house and continues to work during weekends and public holidays and provides a properly structured (NIST or MITRE) approach to visibility, vulnerability scanning and remediation advice.

GP
Chief Information Security Officer at Dfnd
User
2020-06-23T04:36:46Z
Jun 23, 2020

A Compromise Assessment (CA) is an active and generally scheduled engagement that is looking for malicious activity, undiscovered breaches, and threats. It generally is performed with a DIFFERENT set of security tools/services than what is being used by the team day today. Often they encompass active scanning and/or vulnerability assessments in addition to network and system analysis. The goal is to identify bad actors and initiate incident response and forensic plans. A common mistake happens when teams try to use this process to be the main component of the identification, containment, and forensics processes. In my experience, they should be considered separate to be effective.


Threat Hunting (TH) is an ongoing process that leverages current datasets and tools to look at the data in a different way. TH comes in many forms, from manual searches looking for suspicious data to leveraging outlier and anomaly detection or other machine learning/advanced analytics. Really good threat hunting teams are able to take new Tactics, Techniques, and Procedures (TTPs) or Indicators of Compromise (IOCs) and specifically look for events, files, and/or behavior that would depict potential malicious activity specific to those TTPs or IOCs. 


Generally, TH is a jump-off point to dig deeper into a dataset or system based on a good hypothesis with supporting data. If EPP was installed then it missed it. Both of these activities are looking for failures in a security process or tool. If EPP wasn't installed then the question is why and how do we get something deployed in the future (probably as part of the remediation phase of the incident response process) that would have identified or stopped the compromise/malicious activity.

Nikki Webb - PeerSpot reviewer
Global Channel Manager at Custodian360
Real User
2020-06-23T09:44:44Z
Jun 23, 2020

Threat hunting typically comes before a compromise assessment.


Threat Hunting is looking for IOC’s or TTP’s being used within an environment to identify a compromise or potential compromise. Once identified you can then move to assessing the compromise.

JB
User at a computer retailer with 1-10 employees
User
2020-06-22T22:47:19Z
Jun 22, 2020

This is an excelent article dealing with it.



https://blogs.cisco.com/securi...

Learn what your peers think about Microsoft Defender for Endpoint. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
657,849 professionals have used our research since 2012.
Related Questions
Sep 19, 2022
Hi community professionals, I am looking for your advice on whether it makes sense to use both an endpoint antivirus and an EDR solution simultaneously? What are the pros and cons of using each one or both simultaneously? *In terms of products, I've been looking at CrowdStrike Falcon, Microsoft Defender for Endpoint, and ESET Endpoint Security. Thanks for the help!
2 out of 9 answers
CP
Partner Account Manager 🔆 at SEC DataCom A/S
Apr 26, 2022
If you look at a product like SentinelOne, it is both EPP and EDR (and much more...). In that case you only need this single product.You could take a look at this short explanaition on YouTube: EDR? EPP? Both?!? See how to explain SentinelOne in just 2 minutes
AS
Principal Consultant at 1net
Apr 27, 2022
The “Antivirus” protection technology is replaced by EDR which does include a modern version of “antivirus” along with other ways of device protection.  Multiple vendors provide EDR: Trend Micro, Cisco, etc. The more current technology is XDR.
PJ
CIO & Information manager at a leisure / travel company with 501-1,000 employees
Apr 26, 2022
Hi peers,   I work as the CIO & Information Manager in the gaming and gambling industry. The company has 650 employees and >30.000 customers. I'm not able to find a study where Darktrace is compared against Crowdstrike Falcon (or other solutions for endpoint security, e.g. Sentinel One).  Can anyone help and share their insights?  Thanks, Regards from the Netherlands
See 2 answers
HF
Consultant at a computer software company with 51-200 employees
Mar 31, 2022
Hi @reviewer1799568, Most of these comparisons are opinions and some tests are done in specific conditions that might not suit or reflect your organization's needs and roadmap. Ultimately, the cost of a mistake is a data breach and not just an audit finding or operational discomfort. I mention this because there are no viable shortcuts. I suggest you test the solutions thoroughly in your own environment to see what works for you. The gaming floor is hopefully "air-gapped" and the solution should respect that segregation and still provide great security and visibility. One of the challenges is security updates. For such an environment you would need comprehensive AI and machine learning. I suggest you look at the difference between IOC and IOA. IOA vs IOC: Defining & Understanding The Differences | CrowdStrike. (Please also check other sources). Good luck and stay safe!  
CP
Partner Account Manager 🔆 at SEC DataCom A/S
Apr 26, 2022
Hi. I am told that Darktrace is a complimentary product that doesn't do any endpoint protection.
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Community at PeerSpot
Aug 21, 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote! If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too! ...
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Aug 9, 2022
If you’re weighing your options for endpoint security solutions, there are many options out there. However, solutions vary greatly in terms of how effectively they can protect your network. I want to help you make the best decision possible, so here are some questions to ask before buying an endpoint security solution, and why they are important. 1) Does the solution employ Foundational Tech...
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Feb 4, 2022
Hi dear community members, This is our latest community digest. It helps you catch up on recent contributions by community members. Comment below with your feedback and suggestions! Trending What are the Top 5 cybersecurity trends in 2022? What are the main benefits of modern IT Asset Discovery tools? Tip Post an educational article from your Home feed and receive 20 point...
See 1 comment
reviewer1577907 - PeerSpot reviewer
Manager at PeerSpot
Feb 4, 2022
Thank you, these community Spotlights are very handy!
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Nov 19, 2021
Hi community members, Spotlight #2 is our fresh bi-weekly community digest for you. It covers cybersecurity, IT and DevOps topics. Check it out and comment below with your feedback! Trending What are the pros and cons of internal SOC vs SOC-as-a-Service? Join The Moderator Team at IT Central Station (soon to be PeerSpot)! Questions Share your experience with other peers by ans...
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Community at PeerSpot
Aug 21, 2022
PeerSpot User's Choice Award 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technol...
Shibu Babuchandran - PeerSpot reviewer
Regional Manager/ Service Delivery Manager at ASPL INFO Services
Aug 9, 2022
8 Questions to Ask While Selecting an Endpoint Security Solution for Your Business
If you’re weighing your options for endpoint security solutions, there are many options out there...
Download Free Report
Download our free Microsoft Defender for Endpoint Report and get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
DOWNLOAD NOW
657,849 professionals have used our research since 2012.