Data-Driven Orchestration, Automation & Response
What a SOAR platform should be.
SOAR connects disparate systems to orchestrate and automate response. Existing SOAR platforms have taken a process-driven approach to connect products within a workflow; however, for optimal detection and response a data-driven approach is needed to prioritize data and connect systems with that data. Automating and orchestrating noisy data just amplifies the noise.
DATA-DRIVEN SOAR:
- Simpler to set up
- Easier to maintain
- Uses fewer resources
Key benefits:
- Reduce playbook runs by 80%
- Ensure output is relevant and high priority
- Learn from the actions taken, and improve over time
- Easy to configure and run with existing tools
A DIFFERENT APPROACH
The current approach to security automation and orchestration does not care what data is being processed. This is inefficient for detection and response needs for two key reasons:
1) Playbooks are run on irrelevant and low-priority data, wasting time and resources
2) If you put noisy data in, the result will be amplified noise out
When applied to detection and response, process-focused playbooks require complexity which grows exponentially as you increase the number of playbooks being used.
COMPARISON BETWEEN PROCESS-DRIVEN AND DATA-DRIVEN
DATA-DRIVEN
- All data is contextualized; a playbook run, if needed, is based on context
- Output is relevant and high priority, with far fewer items for analysts to review
- Data captured for further analysis and improvement

PROCESS-DRIVEN
- Takes ALL data inputs and runs ALL through playbooks
- Report/dossier for EVERY input, requiring analyst to review each one
- Output NOT captured or used programmatically

IT STARTS WITH THE RIGHT DATA
Confidence starts with the Right Data

The right idea leads to Confident Decision Making

Confident decision making can lead to Automation

HOW IT WORKS

DataLinq Engine™
Combine data from any source, internal and external.

Threat Library
Single source of truth for threat detection and response data and related context.

Dynamic Scoring
Automatically prioritize internal and external threat intelligence based on your parameters.

Smart Collections
Define groups of data for specific action(s) based on variables and characteristics.
THREATQ INVESTIGATIONS ACCELERATES RESPONSE
Visualize and analyze results from automated actions. Collaborate and coordinate response when manual actions are needed to resolve investigations and incidents.
THREATQ MARKETPLACE
Leverage bi-directional integrations across your existing security solutions for automation, orchestration and response. ThreatQ supports an ecosystem of over 275 integrations, and provides an open API and easy-to-use tools for custom integrations.
WHAT A SOAR PLATFORM SHOULD BE
With ThreatQ serving as a SOAR platform, a company can unify its cybersecurity infrastructure and components into a single defense ecosystem, allowing it to accelerate security investigations, improve the mean time to respond to cyberthreats and increase ROI.

THE POWER OF THREATQ
The ThreatQ platform supports orchestration and automation within the following use cases:
Threat Intelligence Management
Turn threat data into threat intelligence through context and automatically prioritize based on user-defined scoring and relevance.
Threat Hunting
Empower teams to proactively search for malicious activity that has not yet been identified by the sensor grid.
Incident Response
Gain global visibility to adversary tactics, techniques and procedures to improve remediation quality, coverage and speed.
Spear Phishing
Simplify the process of parsing and analyzing spear phish emails for prevention and response.
Alert Triage
Send only threat intelligence that is relevant to reduce the number of alerts that need to be investigated.
Vulnerability Management
Focus resources where the risk is greatest and prioritize vulnerabilities with knowledge about how they are being exploited.