Redefining a Threat Intelligence Platform to Address the Challenges of Security OperationsPOSTED BY MARC SOLOMON
We’ve said this many times before: ThreatQuotient was founded with the belief that a threat intelligence platform must do more than just aggregate and share data. With each new release of our ThreatQ platform we push the boundaries of what a threat intelligence platform can do.
Now with ThreatQ Investigations we’ve gone even further. We’re taking our threat intelligence platform (TIP) into uncharted territory, enabling you to use threat intelligence to address some of the biggest security operations challenges that exist. Challenges like alert overload, knowledge transfer and chaotic environments that are preventing us from detecting and responding to threats faster. This requires much more than aggregating and sharing threat intelligence. We’re talking about capabilities to support shared understanding, collaborative investigation and coordinated response across multiple systems and teams.
Let’s take a closer look at just a few of the security operations challenges you can now address with a reimagined threat intelligence platform:
There are really three types of alerts: 1) Noise that you get rid of, 2) High-priority events that you must respond to, and 3) those that are in the middle that require more understanding. Our ThreatQ customers are already using the ability to enrich threat data with context and prioritize alerts based on parameters they set to 1) reduce noise and 2) identify threats that matter most to their organization.
However, to understand those alerts that are neither noise nor obviously high priority, or to deal with the “CNN Factor” I wrote about recently, teams need to work collaboratively to analyze and understand a threat, incident or situation. Quickly developing this shared understanding has been a considerable challenge due to fragmented teams and tools. But with ThreatQ Investigations, all parties involved have a single visual representation of the complete situation at hand, including what actions were taken, by whom and when.
Within this single environment that ThreatQ Investigations provides, multiple people and teams can share the same pool of threat data and evidence. Rather than working in parallel and easily overlooking key commonalities that might exist across investigations, threat intelligence analysts, security operations centers (SOCs) and incident handlers can now operate in a virtual cybersecurity situation room. They can see how the work of others can impact and further benefit their work, and they can even test theories prior to sharing with the group to ensure accuracy and relevance. Embedding collaboration into the investigation process accelerates security operations with all parties working together efficiently to determine the right action to take faster.
Security operations or investigations typically happen in chaotic environments where teams act independently and inefficiently. In a virtual cybersecurity situation room, team leaders can see the analysis unfolding, assign and coordinate tasks between teams and monitor timelines and results. With security staff dispersed around the world, handovers are streamlined and response activities can continue 24×7, allowing faster response.
Anything you currently know about a threat intelligence platform or that has been written about a threat intelligence platform is now outdated. It’s time to change how you look at a threat intelligence platform and, more importantly, what you can expect from one. If you’re trying to solve security operations challenges, take a closer look at what’s possible.