Curate and Share Threat Intelligence to Accelerate Security Operations
MIKE SOLOMON AND ROSS HAMMER
Over the last several months we’ve seen a tremendous uptick in cyberattacks. Nearly every day, news of another ransomware, supply chain or zero-day attack makes headline news. So, what can organizations do to mitigate risk?
One major step forward to improve security operations is to effectively share curated threat intelligence. In fact, this capability is so important that sharing threat information is the first requirement outlined in the Executive Order issued by the White House on May 12, 2021.
To help organizations understand how to tackle this challenge, ThreatQuotient security experts Mike Solomon and Ross Hammer recently hosted a webinar, “Unifying Cyber Defense Teams with Shared Threat Data” to explain how the ThreatQ Platform enables threat sharing and provide a live demonstration. They also describe how the U.S. Department of Defense (DOD) is using the solution to consolidate, curate and share threat intelligence with security operations teams within and across DOD services.
Mike kicked off the discussion by explaining that today’s reality doesn’t set up security operations teams for success. Most teams suffer from threat intelligence data overload due to the overwhelming amount of internal threat and event data produced from sources like their SIEM, logs, ticketing and case management systems. Compounding the fatigue are the millions of external threat datapoints analysts are bombarded with every day from the multiple sources they subscribe to – commercial, open source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK.
Security teams also have limited resources – people and tools – to tackle the overload, make sense of the data and understand where to focus their efforts. And because teams operate in silos, there is no seamless flow of information and limited ability to coordinate with other analysts and across teams.
Finally, because many organizations use dozens of security tools from different vendors, these tools are not integrated, which makes it very challenging to share and exchange the information needed to accomplish a mission objective, task or deliverable.
ThreatQ Platform was designed to tackle these challenges with the following capabilities.
- Data management and prioritization. Fixing the security operations problem starts with fixing the data problem. ThreatQ platform starts foundationally by helping you make sense of all the data you have access to – internal and external, structured and unstructured. Once you understand it you can start to prioritize it so that your teams are focused on the actions and threat intelligence data that is most relevant to what they are trying to accomplish.
- Curated threat data sharing. ThreatQ Data Exchange makes it simple to set up bidirectional sharing of any and all curated intelligence data within the ThreatQ Platform and scale sharing across multiple teams and organizations of all sizes. In fact, the ThreatQ Platform is actively being leveraged within the DOD to support the warfighter in tackling the vast amounts of data they have access to, understanding relevance and priority, and effectively and efficiently taking action. It is already used by various Security Operations teams within separate DOD services, and with ThreatQ Data Exchange those services can share curated, vetted threat intelligence with their peers across the DOD.
- Data-driven SOAR. Data-driven orchestration and automation capabilities within the ThreatQ Platform allow you to make the most effective use of the resources you have. We eliminate the complexity and inefficiency of process-driven playbooks with a data-driven approach that automates manual processes, which can be mundane and time consuming, so workflows and executables become more streamlined.
- Investigations and collaboration. The ThreatQ Platform also provides a virtual cybersecurity situation room. Teams and individuals can collaborate in this shared environment as they investigate an event or incident, coordinate a response, or proactively hunt for threats.
- Integrated defense. Extended Detection and Response (XDR) is a hot topic right now and many systems integrators and vendors are starting to focus on these capabilities. The ThreatQ Platform allows you to bring all your security components together in an integrated manner, translate the right data into the format these different tools need, and then send that data to the right tools at the right time.
The webinar concludes with a live demonstration by Ross of each of these capabilities, specifically showing:
- The efficiency of automatically de-duplicating and prioritizing threat data to act as a filter before sending to a SIEM
- How to reduce the number of false positives analysts must investigate
- The value of bidirectional integrations
- Investigating and enriching event matches from prioritized threat data
- The benefits to secure threat sharing using ThreatQ Data Exchange
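To make the de-duplication and prioritization step in the demo concrete, here is an added example (not ThreatQ code) that merges the same indicator from several constructed feeds, scores it by corroboration and recency, drops allowlisted values, and forwards only what clears a threshold to a SIEM. The feed records, allowlist, scoring rule and the fixed "today" date are all assumptions made for the example.

```python
from datetime import date

# Constructed sample records from three hypothetical sources (not real indicators).
FEEDS = [
    {"source": "commercial", "type": "ip", "value": "198.51.100.7", "seen": "2021-09-20", "confidence": 80},
    {"source": "osint", "type": "ip", "value": " 198.51.100.7", "seen": "2021-09-25", "confidence": 50},
    {"source": "isac", "type": "domain", "value": "Example.TEST.", "seen": "2021-09-26", "confidence": 70},
    {"source": "osint", "type": "domain", "value": "example.test", "seen": "2021-08-01", "confidence": 50},
    {"source": "osint", "type": "ip", "value": "203.0.113.9", "seen": "2021-06-01", "confidence": 40},
    {"source": "osint", "type": "ip", "value": "203.0.113.9", "seen": "2021-06-01", "confidence": 40},
    {"source": "osint", "type": "ip", "value": "192.0.2.1", "seen": "2021-09-30", "confidence": 90},
]
# Constructed allowlist: e.g. the organization's own egress address, a known false-positive source.
ALLOWLIST = {("ip", "192.0.2.1")}
TODAY = date(2021, 10, 1)  # fixed "now" (an assumption) so the example is reproducible

def normalize(ioc_type, value):
    """Canonical form so the same indicator from different feeds collapses to one key."""
    v = value.strip().lower()
    return v.rstrip(".") if ioc_type == "domain" else v

def consolidate(records):
    """Merge duplicates: keep highest confidence, latest sighting and the set of sources."""
    merged = {}
    for r in records:
        key = (r["type"], normalize(r["type"], r["value"]))
        m = merged.setdefault(key, {"sources": set(), "confidence": 0, "last_seen": date.min})
        m["sources"].add(r["source"])
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["last_seen"] = max(m["last_seen"], date.fromisoformat(r["seen"]))
    return merged

def score(entry, today):
    """Each extra corroborating source adds 10; sightings older than 30 days decay 1 point per day."""
    corroboration = 10 * (len(entry["sources"]) - 1)
    decay = max(0, (today - entry["last_seen"]).days - 30)
    return max(0, entry["confidence"] + corroboration - decay)

def siem_feed(records, today=TODAY, threshold=60, allowlist=ALLOWLIST):
    """Return only the indicators worth a SIEM match rule, highest score first."""
    out = []
    for (ioc_type, value), entry in consolidate(records).items():
        if (ioc_type, value) in allowlist:
            continue  # known-benign: never becomes a SIEM alert
        s = score(entry, today)
        if s >= threshold:
            out.append({"type": ioc_type, "value": value, "score": s, "sources": sorted(entry["sources"])})
    return sorted(out, key=lambda d: -d["score"])
```

Seven raw records collapse to four indicators, and only the two corroborated, recently seen ones reach the SIEM; the stale single-source IP decays to zero and the allowlisted address is dropped outright.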
Data-driven security operations, including the ability to share curated threat intelligence with security counterparts, is truly a force multiplier – unifying cyber defense teams and enabling them to accomplish their missions more efficiently and effectively. With the new Executive Order outlining the requirements for threat information sharing, the urgency has never been greater to get started now. We encourage you to watch the webinar and see the demo to learn more from our experts.
ThreatQuotient will be at TechConnect October 18-20. Visit us at Booth 427!