Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

N-Able: Why Local Knowledge Matters in Threat Hunting

N-able
07/14/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


One of them might be controversial, but we'll see, but looking for your expert opinion and very objective opinion, if you will, it says my EDR vendor is offering threat hunting and they run queries based on their own discretion. So they have any of this. So this MSP of ours or a customer of ours has an EDR vendor and they run their own queries. How helpful would you think that is given we are an MSP and we, and, uh, our analysts truly know our clients and their industries while our EDR vendors much just sees it as a bunch of generic logs. So what if I could get you? Yeah, that's a really good question because like on the surface you can do it right. But it does require that really special understanding of a network a lot of times. So if you're just looking for is a specific windows process anomalous, like, yeah, you might be able to figure it out based on just how windows works. But a lot of times what I found, especially like, you know, being at a Lumen or enable where we, you serve like, you know, thousands of customers that serve thousands of customers. You'll see that there's tons of stuff that falls within the normal baseline, right? So I think that, um, I'm sorry, I don't remember where I was going with that. So this has to do with a very nice, yeah. So I think if they can do it well, it's great. But I have the problem that like they would be reaching out to you a lot to provide context. So a lot of this is going to require like context specific awareness to be able to solve and resolve, right? Like, cause you don't know, Jane should be accessing, you know, the share in the legal department or the HR department. Like only somebody at the organization would know that. So for it to be super effective, I would say, yeah. The benefit is like, if they have pre-canned, like we do this as well and I do this, right? I have specific queries that aren't detections because they're so noisy and they're so loud and they are common and can happen. But like they're canned queries that I can go into at Lumen, right? And copy and paste and see if I get any hits, which I always do, but I can quickly using my eyes, go through those 73 hits and like, see if something looks pinky, right? And then investigate it further. So I think if they can do that, that's, that's good. But a lot of times I feel like they'll have questions because I have questions. A lot of times I'm reaching out to the customers, that's why I don't sell it. Yeah. I think in general, I'd make a statement is the more eyes on your environment or your customer's environments, the better. Just as if there are services that are sort of generically doing it for all, then the what you're going to get are the things that it's going to impact everyone. And quite often, if your environment is being breached and you really do need a hunter cause you're worried about being breached, then someone who really knows your environment, the better off it's going to be, whether it's your environment, as in the type of threat actors that are going after your types of environments or knowing your environment specifically, what is anomalous or not anomalous in your behavior. So I think there, there is a, some common good for someone that does a generic service or generic queries. Cause I watch with our teams, like with Kevin, we'll have playbooks or certain things they always look for. And then there are things that are specific to an environment that they have to uniquely look for. So there's a combination of both. Yeah. Like I always, like one of the first things I always look for is have there been any processes that launched with the like the windows UAC prompt disabled? That's something that like a lot of environments are configured to not even use UAC, right? It's something that like users can legitimately do. Like if we enable that as a detection, we'd see like, you know, millions and millions of alerts a day across the environments. But if I'm looking at like a specific network or a specific host, that's maybe like high priority that I'm really trying to hunt on to make sure my database isn't compromised. You know, you can more targetively look for those things.

TL;DR

  • Generic EDR vendor threat hunting lacks the contextual knowledge needed to distinguish normal from anomalous behavior in specific client environments, often requiring MSP input to resolve findings effectively.
  • Pre-configured threat hunting queries are valuable for detecting common threats across all environments, but environment-specific knowledge is essential for investigating high-priority assets and understanding user access patterns.
  • The most effective security approach combines standardized playbooks with customized hunting that leverages deep understanding of each client's unique configurations, industry threats, and operational baselines.

Summary

This discussion explores the critical role of environment-specific knowledge in effective threat hunting. Security experts Kevin and Dave examine whether generic EDR vendor threat hunting services can match the value provided by MSPs who deeply understand their clients' networks. The conversation reveals that while EDR vendors can run pre-configured queries across customer environments, truly effective threat hunting requires contextual awareness that only comes from intimate knowledge of an organization's normal operations, user behaviors, and specific configurations. The experts emphasize that generic queries often generate noisy results that require local expertise to interpret, and that the most effective security posture combines both standardized detection approaches with environment-specific hunting tailored to each client's unique risk profile and operational patterns.

Chapters

0:00 - The Question: Generic vs. Contextual Hunting
0:41 - Understanding Network Baselines
1:47 - Pre-Configured Queries and Their Limitations
2:25 - The Value of Multiple Perspectives

Key Quotes

1:35 "You don't know, Jane should be accessing, you know, the share in the legal department or the HR department. Like only somebody at the organization would know that."
2:25 "I think in general, I'd make a statement is the more eyes on your environment or your customer's environments, the better."
3:23 "That's something that like a lot of environments are configured to not even use UAC, right? It's something that like users can legitimately do. Like if we enable that as a detection, we'd see like, you know, millions and millions of alerts a day across the environments."

FAQ

Can EDR vendors effectively provide threat hunting services without knowing my specific environment?

EDR vendors can run valuable pre-configured queries to detect common threats, but they'll frequently need to reach out for context-specific information to resolve findings. They can't know organizational details like which users should access which resources or what constitutes normal behavior in your environment, which limits their effectiveness compared to analysts who deeply understand your network.

What's the advantage of having more than one party hunting for threats in my environment?

More eyes on your environment is generally better. Generic EDR vendor services catch threats that impact everyone, while MSPs or internal teams with environment-specific knowledge can identify anomalies unique to your organization and conduct targeted hunting on high-priority assets based on your specific risk profile and threat landscape.


Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • Threat Intelligence
  • Technical Deep Dive
  • Best Practices
  • Threat Hunting
  • EDR Services
  • MSP Value Proposition
  • Security Context
  • Behavioral Analysis
  • Network Baselines
  • Detection Engineering
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: N-Able: Why Local Knowledge Matters in Threat Hunting

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    14

                    Crafting a Championship-Caliber Security Team for Lasting Defense

                    07/14/202601:00 PM ET
                    • Jul
                      14

                      Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                      07/14/202602:00 PM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events

                        Upcoming Webinar Calendar

                        • 07/14/2026
                          01:00 PM
                          07/14/2026
                          Crafting a Championship-Caliber Security Team for Lasting Defense
                          https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-caliber-security-team-for-lasting-defense/
                        • 07/14/2026
                          02:00 PM
                          07/14/2026
                          Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                          https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
                        • 07/21/2026
                          04:00 AM
                          07/21/2026
                          Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                          https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                        • 07/22/2026
                          06:30 AM
                          07/22/2026
                          Insights and Strategies in Data Protection and Privacy Management
                          https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
                        • 07/22/2026
                          01:00 PM
                          07/22/2026
                          Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                          https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                        • 07/28/2026
                          01:00 PM
                          07/28/2026
                          Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                          https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                        • 07/29/2026
                          04:00 AM
                          07/29/2026
                          Real-Time Strategies for Safeguarding Against Prompt Injections
                          https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                        • 07/29/2026
                          01:00 PM
                          07/29/2026
                          Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                          https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                        • 08/19/2026
                          12:00 PM
                          08/19/2026
                          Becoming Agent Ready: Insights from Cyera's Expertise
                          https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                        • 09/02/2026
                          12:00 PM
                          09/02/2026
                          Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                          https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                        • 09/30/2026
                          04:00 AM
                          09/30/2026
                          AI Command Center: Optimizing Visibility and Control in Your Operations
                          https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version