An Inside Look at ThreatQuotient’s Own Security Initiatives
AARON LOUKS
Last December, ThreatQuotient announced it had achieved SOC 2 Type II compliance for the ThreatQ Platform. The milestone is significant because it provides third-party validation that ThreatQuotient continues to meet and exceed industry security standards: where the earlier Type I report attested that the controls were suitably designed at a point in time, the Type II report attests that they operated effectively over a review period. The favorable examination of ThreatQ gives customers confidence that ThreatQuotient has the proper controls in place to protect their data, and assurance of the availability and confidentiality of their hosted service.
We know it is always interesting to get an inside look at how other companies approach security, particularly a security company. So, we sat down with Aaron Louks, Security Operations Engineer at ThreatQuotient, to dig a little deeper into ThreatQuotient’s security initiatives and share more insights with you.
Q: What ethos and approach does ThreatQuotient take to its own data protection?
ThreatQuotient follows the Principle of Least Privilege in all aspects of our data handling. Through proper data classifications and role-based access controls, we make it standard procedure to limit access to restricted and confidential information, unless it is required and approved.
Q: What standards and frameworks does ThreatQuotient adhere to and what are the advantages and benefits of these?
We’ve constructed our policies and procedures to be compliant with the SOC 2 standard created by the AICPA. This standard ensures that ThreatQuotient is compliant through an annual verification by independent auditors that the Trust Services Criteria are applied in all facets of our operations. These criteria include: security, availability, processing integrity, confidentiality and privacy. Compliance with SOC 2 assures that an organization maintains strict information security procedures and can help ensure sensitive information is handled responsibly.
Additionally, our systems are configured with respect to the NIST 800-53 and CIS 3.0 frameworks which help to raise the bar of system configuration hardening and ultimately our customers’ data protection.
We use the MITRE ATT&CK framework for event classification and response prioritization. This helps to cut through the noise and focus on the most critical situations first. It’s also very useful to see a breakdown of events by attack techniques that reveal patterns for improvements to your security posture.
And finally, we comply with GDPR and participate in the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework to provide our customers with the peace of mind that we take the protection of their private data seriously and will honor their wishes for any data removal if requested (and verified).
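To make the ATT&CK classification and prioritization idea above concrete, here is a small added example (written for this page, not ThreatQuotient's own tooling). It tags constructed alerts with ATT&CK technique IDs, maps each to its tactic, ranks hosts by how far along the attack lifecycle the observed activity reaches, and summarizes which techniques recur. The technique-to-tactic subset, the tactic weights and the sample alerts are all assumptions made for the example; the technique IDs and names themselves are from the ATT&CK Enterprise matrix.

```python
"""Added example: classify alerts by ATT&CK technique and rank hosts for response.
Not ThreatQuotient code; mappings, weights and alerts are illustrative assumptions."""
from collections import Counter, defaultdict

# Hand-picked subset of Enterprise ATT&CK techniques -> (name, primary tactic).
# Assumption: a small mapping is enough to show the method; real deployments
# load the full matrix (e.g. from the STIX bundle MITRE publishes).
TECHNIQUE_TACTICS = {
    "T1566": ("Phishing", "initial-access"),
    "T1204": ("User Execution", "execution"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1547": ("Boot or Logon Autostart Execution", "persistence"),
    "T1003": ("OS Credential Dumping", "credential-access"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1041": ("Exfiltration Over C2 Channel", "exfiltration"),
}

# Rough ordering of tactics along the attack lifecycle; later stages weigh more.
# Assumption: these weights are illustrative, not an ATT&CK-defined score.
TACTIC_WEIGHT = {
    "initial-access": 1, "execution": 2, "persistence": 3,
    "credential-access": 4, "lateral-movement": 5, "exfiltration": 6,
}

# Constructed sample alerts as (host, technique_id). Not real telemetry.
SAMPLE_ALERTS = [
    ("ws-101", "T1566"), ("ws-101", "T1204"), ("ws-101", "T1059"),
    ("ws-102", "T1566"),
    ("srv-db1", "T1003"), ("srv-db1", "T1021"), ("srv-db1", "T1041"),
    ("ws-103", "T1059"), ("ws-103", "T1059"), ("ws-103", "T1547"),
    ("ws-104", "T9999"),  # unknown ID: must not crash, lands in "unmapped"
]


def classify(alerts):
    """Group alerts per host as {tactic: set(technique_ids)}."""
    per_host = defaultdict(lambda: defaultdict(set))
    for host, tid in alerts:
        entry = TECHNIQUE_TACTICS.get(tid)
        tactic = entry[1] if entry else "unmapped"
        per_host[host][tactic].add(tid)
    return per_host


def score_host(tactics):
    """Kill-chain breadth: sum of weights of distinct tactics seen, plus the
    number of distinct techniques. Unmapped tactics contribute no weight."""
    weight = sum(TACTIC_WEIGHT.get(t, 0) for t in tactics)
    techniques = sum(len(ids) for ids in tactics.values())
    return weight + techniques


def prioritize(alerts):
    """Return [(host, score)] sorted highest priority first."""
    per_host = classify(alerts)
    ranked = [(host, score_host(tactics)) for host, tactics in per_host.items()]
    return sorted(ranked, key=lambda hs: (-hs[1], hs[0]))


def technique_breakdown(alerts):
    """Return [(technique_id, count)] most frequent first; recurring techniques
    point at the control (e.g. script execution policy) that would cut most noise."""
    return Counter(tid for _, tid in alerts).most_common()


if __name__ == "__main__":
    for host, score in prioritize(SAMPLE_ALERTS):
        print(f"{host:8} score={score}")
    for tid, n in technique_breakdown(SAMPLE_ALERTS):
        name = TECHNIQUE_TACTICS.get(tid, ("unknown", "unmapped"))[0]
        print(f"{tid} {name}: {n}")
```

Run as a script it prints srv-db1 first, because credential dumping followed by lateral movement and exfiltration spans the late stages of the lifecycle, while ws-102 (a single phishing alert) sorts near the bottom; the breakdown shows T1059 as the most frequent technique across the fleet.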
Q: Does ThreatQuotient undertake employee training regularly – any tips for organizations implementing employee training?
ThreatQuotient Security Operations performs regular internal phishing tests to keep employees sharp and aware of current tactics. However, even with regular testing and education, no organization can ever hope to achieve 100% phishing identification and reporting. Human beings are fallible and emotional, so there is always an attack vector. This is why a defense-in-depth approach is necessary to protect an organization.
Proper investment in education and training for employees will typically help with reducing the number of incidents. However, the benefits are a bit obfuscated since you can only assume the training is working if incidents don’t occur. There just needs to be trust that fostering an environment of learning and communication will lead to positive outcomes. Employees are on the front line of a company’s security posture, so it only makes sense to improve everyone’s defensive skills. Security companies especially should recognize and consider the human element in their organizations, since we see the human impact on security in our customer environments every day.
Q: How does access to threat intelligence support a company’s data protection efforts?
Back to the defense-in-depth approach, a security tool is only as good as the intelligence sources backing it. Staying up-to-date with the current threat landscape through multiple intelligence feeds is paramount for identifying intrusion events and providing data protection for your organization. I’d like to emphasize that it’s advisable to diversify your intelligence data because no single feed is going to have a complete picture of the threat landscape. In fact, recent research of two leading threat intelligence providers found almost no overlap between them, nor with four large open threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – there was only 2.5% to 4.0% overlap between the indicator feeds. It’s important to have a layered approach so the probability of identifying and blocking malicious activity is improved.
Thanks to Aaron for sharing his insights and expertise – we hope you found it useful. If you’d like to learn more or to hear how organizations are using the ThreatQ Platform to strengthen their security posture and how we can help you, we encourage you to schedule a demo.