My “Aha!” moment – Methods, tips and insights from threat hunting – SANS THIR Summit 2019

This presentation is designed as a personal journey through threat hunting, intended to inspire others to adopt specific methods, tips, and lessons learned. When John Stoner joined the Splunk team in 2017, the team began working on the second version of what they called "Boss of the SOC" (BOTS). John will share his team's journey in threat hunting: how they tried to figure out where to start, sometimes got tangled up in the data, and overcame distractions that arose during the hunting process. He will discuss how the team conducted its hunts and share some thoughts on gap analysis and on operationalizing the lessons learned. The presentation will also include some cautionary tales, aimed at helping the threat hunting community support security operations in operationalizing hunt data without oversimplifying the great work that is out there to the point that it loses its impact. Participants will develop a better understanding of how to create a hunting hypothesis, build "guardrails" into the hunt to stay focused, and take hunting results and operationalize them. We will also explore the importance of conducting gap analysis as part of the hunting activity to support operations efforts. Participants will receive a dataset and teaching application to take home and play with!

John Stoner @stonerpsu, senior security strategist, Splunk