See how to Enhance Orchestration using Threat Intelligence
POSTED BY LIZ BUSH
The global shortage of cybersecurity professionals has now surpassed 4 million according to ISC2, yet the volume and velocity of the increasingly sophisticated threats security teams face are on the rise. To fill the gap, organizations need to make better use of the security professionals they have – enabling them to focus and collaborate on high-priority threats that require their skills and expertise, while automating certain time-intensive, manual tasks. Using the ThreatQ platform in combination with an orchestration platform helps them do this.
The ThreatQ platform gathers external and internal threat and event data, normalizes it for analysis, automatically scores and prioritizes it based on organization-specific parameters, and filters out the noise. It serves as a single source of truth, or organizational memory, for threats, allowing teams and tools to access the organization’s history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). It also disseminates the prioritized, relevant threat intelligence to various tools and teams across departments within the organization. If an analyst or tool learns something about a high-priority threat, all other analysts and tools have access to this information to make the right decisions and perform their tasks. Among those tools are Security Orchestration, Automation and Response (SOAR) tools, also referred to as orchestration platforms. This is the focus of a recent webinar, “Enhancing Orchestration using Threat Intelligence,” hosted by ThreatQuotient’s Jana Lind and Sean Drowsky.
Orchestration tools, specifically playbooks, automate processes that we know we always perform the same way. The system responds reflexively, thus reducing the need for humans in this capacity, and only alerts an analyst when human judgement is required. Orchestration platforms aim at driving security efficiency and effectiveness, improving response times and service quality to the rest of the organization.
The ThreatQ platform works with an orchestration platform to deliver the best of both worlds – long-term storage of relevant, contextual threat intelligence, and the ability to make decisions automatically at machine time without an analyst necessarily being involved.
The integration of ThreatQ with an orchestration platform of your choice – for example, Demisto, IBM Resilient, Splunk Phantom or Swimlane – is bi-directional. ThreatQ infuses context, such as indicator, scoring or prioritization information, into the orchestration workflow to enrich playbooks. The orchestration platform sends feedback about the events in the network to the ThreatQ platform. Additional data and learnings enrich ThreatQ’s contextual knowledge as it continually reevaluates and reprioritizes intelligence to further improve detection, investigation and response.
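The loop described above (the threat intelligence platform scores and prioritizes indicators, the playbook enriches an alert with that score and acts reflexively or escalates, and sightings flow back so the platform re-scores) can be modelled in a few dozen lines. This is an added illustration, not ThreatQ, Demisto or any vendor's code: the class names, fields, source weights and thresholds are hypothetical, and the indicators and alerts are constructed sample data.

```python
"""Toy model of the bi-directional TIP <-> SOAR loop: the TIP scores and
prioritizes indicators, the playbook enriches alerts with that score and
acts, and sightings flow back so the TIP re-scores.

Hypothetical code: class names, fields and thresholds are illustrative,
not the ThreatQ or Demisto APIs. All indicators and alerts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Indicator:
    value: str
    itype: str                      # "ip", "domain", "sha256", ...
    score: int = 0                  # 0-100; higher = more relevant to this org
    sources: List[str] = field(default_factory=list)
    sightings: int = 0              # times observed on our own network


class ThreatIntelPlatform:
    """Organizational memory: stores indicators and re-scores them as it learns."""

    def __init__(self, source_weights: Dict[str, int], sighting_weight: int = 15):
        # Organization-specific parameters: how much each feed is trusted,
        # and how much a confirmed sighting on our network raises relevance.
        self.source_weights = source_weights
        self.sighting_weight = sighting_weight
        self.indicators: Dict[str, Indicator] = {}

    def _rescore(self, ind: Indicator) -> None:
        base = sum(self.source_weights.get(s, 0) for s in ind.sources)
        ind.score = min(100, base + self.sighting_weight * ind.sightings)

    def ingest(self, value: str, itype: str, source: str) -> Indicator:
        """Normalize a feed entry into the store (deduplicated by value)."""
        ind = self.indicators.setdefault(value, Indicator(value, itype))
        if source not in ind.sources:
            ind.sources.append(source)
        self._rescore(ind)
        return ind

    def lookup(self, value: str) -> Optional[Indicator]:
        return self.indicators.get(value)

    def record_sighting(self, value: str, itype: str, reporter: str) -> Indicator:
        """Feedback path: orchestration reports the indicator was seen in an event."""
        ind = self.ingest(value, itype, reporter)
        ind.sightings += 1
        self._rescore(ind)
        return ind


class Playbook:
    """Reflexive response: act automatically on high-score indicators, hand the
    middle band to an analyst, and report every observable back to the TIP."""

    def __init__(self, tip: ThreatIntelPlatform, block_at: int = 70, escalate_at: int = 40):
        self.tip = tip
        self.block_at = block_at
        self.escalate_at = escalate_at

    def run(self, alert: dict) -> Dict[str, str]:
        decisions = {}
        for obs in alert["observables"]:
            ind = self.tip.lookup(obs["value"])          # enrichment step
            if ind is None:
                action = "enrich_only"                   # unknown to the TIP
            elif ind.score >= self.block_at:
                action = "block"                         # machine-time decision
            elif ind.score >= self.escalate_at:
                action = "escalate_to_analyst"           # human judgement needed
            else:
                action = "ignore"
            decisions[obs["value"]] = action
            # Feedback step: the TIP learns this indicator was seen on the network.
            self.tip.record_sighting(obs["value"], obs["type"], reporter="soar")
        return decisions


def run_demo():
    """Two alerts carrying the same IP: the first is escalated, the second is
    blocked because the sighting feedback raised the indicator's score."""
    tip = ThreatIntelPlatform({"commercial_feed": 40, "osint_feed": 25, "soar": 0})
    tip.ingest("198.51.100.7", "ip", "commercial_feed")      # constructed sample data
    tip.ingest("198.51.100.7", "ip", "osint_feed")           # two sources -> 65
    tip.ingest("malicious.example", "domain", "osint_feed")  # one source -> 25
    playbook = Playbook(tip)

    alert1 = {"id": "A-1", "observables": [
        {"value": "198.51.100.7", "type": "ip"},
        {"value": "malicious.example", "type": "domain"},
        {"value": "203.0.113.9", "type": "ip"},               # not in the TIP yet
    ]}
    alert2 = {"id": "A-2", "observables": [{"value": "198.51.100.7", "type": "ip"}]}
    results = [playbook.run(alert1), playbook.run(alert2)]
    return tip, results


if __name__ == "__main__":
    tip, results = run_demo()
    for r in results:
        print(r)
    print({v: i.score for v, i in tip.indicators.items()})
```

The point of the demo is the second alert: the same IP that only merited analyst escalation on first sight crosses the automatic-block threshold once the orchestration platform has reported it on the network, which is the re-evaluation and re-prioritization loop the paragraph describes. The thresholds and weights are the organization-specific parameters a real deployment would tune.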
Watch the webinar on demand for a demo of the integration at work. See how ThreatQ and, in this case, Demisto work together to help an organization address an infection of Trickbot malware more efficiently and effectively.