Integration of the ThreatQ platform into McAfee Enterprise infrastructure
EUTIMIO FERNANDEZ
Proper management of threat data is critical in today's security operations and modern SOCs. Knowing which threats exist, what priority they have in our environment, how they are managed, and being able to analyze them gives us anticipatory capabilities we would not have without this management.
The ThreatQ platform integrates into the enterprise cybersecurity architecture to improve, accelerate, and make operations more productive by ingesting, normalizing, prioritizing, and disseminating intelligence information across the infrastructure, as well as automating and intelligently executing all these processes.
For McAfee Enterprise users this is especially relevant as ThreatQ has bi-directional integration with all its solutions, so the entire McAfee Enterprise architecture takes full advantage of the ThreatQ platform to achieve a successful SOAR and XDR implementation based on data-driven intelligence.
Data Driven SOAR: ThreatQ provides advanced intelligent automation. The big difference with respect to other solutions is the intelligence applied to the data. ThreatQ allows playbooks to be run only on a very well-defined set of data that has previously been enriched, de-duplicated and prioritized, so that the automated tasks genuinely increase the productivity of operations by acting only on data that is relevant and prioritized, reducing false positives and negatives.
XDR: This integration makes it possible to disseminate and analyze threat data not only on McAfee Enterprise infrastructure but also with third-party solutions. ThreatQ has integrations that allow this exchange of information with hundreds of security solutions, and it also provides a language for creating connectors to solutions that are not yet covered. Thus, threat information can flow bi-directionally between different platforms and the entire McAfee Enterprise architecture, making XDR possible and automated.
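The ingest, normalize, de-duplicate, prioritize and disseminate pipeline described above, as an added illustration that is not ThreatQ's own code or data model. The feed records, the source names (including "esm" as an internal-sighting source), the scoring weights, the staleness window and the action threshold are all constructed assumptions; the point is that playbooks and downstream tools only receive the small, corroborated, recent subset rather than every raw indicator.

```python
"""Toy threat-intel pipeline: ingest -> normalize -> de-duplicate -> prioritize -> disseminate."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import date

# Assumed tuning values (hypothetical, not ThreatQ defaults)
INTERNAL_SOURCES = {"esm"}   # sightings from our own sensors corroborate external intel
STALE_DAYS = 30              # indicators not seen for longer than this lose priority
ACTION_THRESHOLD = 70        # minimum score before a playbook is allowed to act
AS_OF = date(2021, 10, 1)    # fixed "today" so the example is deterministic

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample feed records (documentation/test values, not real indicators)
SAMPLE_FEEDS = [
    {"source": "feed_a", "type": "domain", "value": "Malicious-Example[.]test", "confidence": 80, "last_seen": "2021-09-20"},
    {"source": "feed_b", "type": "domain", "value": "malicious-example.test.", "confidence": 60, "last_seen": "2021-09-28"},
    {"source": "feed_a", "type": "ip", "value": "198.51.100.23", "confidence": 50, "last_seen": "2021-06-01"},
    {"source": "feed_c", "type": "sha256", "value": "0123456789ABCDEF" * 4, "confidence": 90, "last_seen": "2021-09-30"},
    {"source": "esm", "type": "sha256", "value": "0123456789abcdef" * 4, "confidence": 70, "last_seen": "2021-09-30"},
    {"source": "feed_b", "type": "domain", "value": "not a domain!", "confidence": 99, "last_seen": "2021-09-30"},
    {"source": "feed_c", "type": "ip", "value": "203.0.113.9", "confidence": 40, "last_seen": "2021-09-29"},
]


def normalize(rec):
    """Return (type, value) in canonical form, or None if the record is malformed."""
    value = rec["value"].strip().replace("[.]", ".").replace("(.)", ".")  # refang
    kind = rec["type"]
    if kind == "domain":
        value = value.lower().rstrip(".")
        return (kind, value) if DOMAIN_RE.match(value) else None
    if kind == "ip":
        try:
            return (kind, str(ipaddress.ip_address(value)))
        except ValueError:
            return None
    if kind == "sha256":
        value = value.lower()
        return (kind, value) if SHA256_RE.match(value) else None
    return None


@dataclass
class Indicator:
    kind: str
    value: str
    sources: set = field(default_factory=set)
    confidence: int = 0
    last_seen: date = date.min


def deduplicate(records):
    """Merge records that describe the same indicator; count records that fail validation."""
    merged, rejected = {}, 0
    for rec in records:
        key = normalize(rec)
        if key is None:
            rejected += 1
            continue
        ind = merged.setdefault(key, Indicator(*key))
        ind.sources.add(rec["source"])
        ind.confidence = max(ind.confidence, rec["confidence"])
        ind.last_seen = max(ind.last_seen, date.fromisoformat(rec["last_seen"]))
    return list(merged.values()), rejected


def score(ind, today):
    """Prioritize: corroboration and internal sightings raise the score, staleness lowers it."""
    s = ind.confidence + 10 * (len(ind.sources) - 1)
    if ind.sources & INTERNAL_SOURCES:
        s += 15
    if (today - ind.last_seen).days > STALE_DAYS:
        s -= 20
    return max(0, min(100, s))


def run_pipeline(records, today=None):
    today = today or date.today()
    indicators, rejected = deduplicate(records)
    scored = sorted(((score(i, today), i) for i in indicators), key=lambda t: t[0], reverse=True)
    actionable = [(s, i) for s, i in scored if s >= ACTION_THRESHOLD]
    return {"scored": scored, "actionable": actionable, "rejected": rejected}


def export_for_dissemination(result):
    """Shape only the actionable subset for downstream tools (assumed export format)."""
    return [{"type": i.kind, "value": i.value, "score": s, "sources": sorted(i.sources)}
            for s, i in result["actionable"]]


if __name__ == "__main__":
    out = run_pipeline(SAMPLE_FEEDS, AS_OF)
    print(f"rejected={out['rejected']} total={len(out['scored'])} actionable={len(out['actionable'])}")
    for row in export_for_dissemination(out):
        print(row)
```

Of the seven raw records, one is rejected as malformed, two pairs collapse into single indicators, and only the two indicators that are corroborated and recent clear the threshold; the stale IP and the single-source low-confidence IP are kept for analysts but never reach an automated playbook.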
In a nutshell:
- ThreatQ enables McAfee Enterprise architecture to take cyber intelligence information from any source and make it actionable.
- ThreatQ and McAfee Enterprise deliver a true XDR, allowing customers to acquire information from any other product and vice versa.
- ThreatQ has over 250 integrations in the Marketplace that can now talk to McAfee Enterprise.
- Data-driven automation of tasks and processes multiplies operations productivity and reduces false positives and negatives.
Advantages of ThreatQ with each of the McAfee Enterprise architecture solutions:
MVision EDR and ThreatQ
- Integration with ThreatQ enables MVision EDR to consume prioritized, unduplicated threat intelligence from more than 130 different sources
- IR teams can reduce mean response time by querying endpoints for hash values and network flow data
- Integrated teams can quickly create collaborative investigations
MVision Cloud and ThreatQ
- Integration with ThreatQ enables MVision Cloud to enrich domains through cloud logging, query anomalies and user activity
- MVision Cloud has a more complete view of the threat landscape by adding external sources
- Customers benefit from being able to blacklist IP addresses by accessing cloud tools such as Office365 and AWS
MVision ATD and ThreatQ
- Bi-directional integration allows ThreatQ to send files to McAfee ATD and get results to send to other products in the environment
- Allows direct access to ATD from IR and Threat Hunting teams to enrich enterprise intelligence
- Can be used as a feed by SECOPS to prioritize any internal triggers
McAfee Enterprise Security Manager (ESM) and ThreatQ
- The bi-directional integration allows ThreatQ to send relevant, prioritized threat intelligence through ESM and receive insight into what is happening in the network
- The value of ESM is noise reduction and increased accuracy by sending only relevant threat information
- The benefit to the customer is to enable analysts to make better and more informed decisions by providing context and understanding of the threat situation
McAfee Network Security Manager (NSM) and ThreatQ
- ThreatQ exports relevant threat intelligence to NSM in real time to quarantine hosts, update NSM rules and Blacklist Hashes
- The value to NSM is being able to obtain relevant threat intelligence from over 130 sources and enforce protection based on it
- The value to the customer is attack prevention based on relevant threat intelligence
McAfee Threat Intelligence Exchange (TIE) and ThreatQ
- Bi-directional integration that makes prioritized third-party threat intelligence available to McAfee agents in DXL
- Value to TIE is relevant, prioritized threat intelligence from more than 130 commercial and open-source feeds
- The value to the customer is the prevention of attacks identified through third-party intelligence.
McAfee Private Global Threat Intelligence (PGTI) and ThreatQ
- Bi-directional integration that makes prioritized third-party threat intelligence available within PGTI
- Value to PGTI is relevant, prioritized threat intelligence from over 130 commercial and open-source sources
- The value to the customer is prevention of new and unknown attacks.
Ultimately, the integration of ThreatQ with McAfee Enterprise’s architecture enables enterprises using McAfee Enterprise solutions to enhance and accelerate their operations by taking SOAR and XDR to the next level through cyber intelligence management.
Detailed information can be found at the following link: https://www.threatq.com/integrations/mcafee/