Ahoy There!
Posted by Marty Weber
I guess it’s because I am an avid sailor that one of the concepts in the latest major release of the ThreatQ threat intelligence platform product really appealed to me. I have all the requisite electronic bells and whistles on my boat, Chien Deux, and I use this instrumentation and automation to help me navigate and monitor activity. But there is nothing like taking a look in the old binoculars to see what is really out there. Ahoy there! I see another vessel coming. I have just made a sighting.
The concept in the ThreatQ threat intelligence platform that really amazed me is sightings. A sighting occurs when the system learns that an indicator has been seen by a SIEM, log repository, ticketing or case management system or, in the case of ThreatQ, by any other application that is automatically tied into the ThreatQ server. Just like on my boat, the system can be checking for sightings in the background, but a user in the middle of an investigation can also use an OPP (an operation that lets a user run a ‘canned’ function) to ask the SIEM (or any other application) whether it has seen what they are investigating. If there is a hit, they can shout: Ahoy there! I have a sighting.
But it doesn’t end here. What impressed me just as much is that these sightings feed the ThreatQ analytics scoring engine, which dynamically adjusts the relevance rankings of the indicators in the system, so every user of the system is now aware of the new potential relevance of what was sighted. This intertwining of automation and investigation can be very impactful. The intelligence spans the multiple stakeholder roles, so everyone is informed about the relevance of these sightings. In addition, automated processes can be set up to export these now known critical indicators to network, endpoint and other infrastructure protection tools to alert on and block these relevant threats.
I was recently reading a STIX 2.0 overview, and the concept of sightings is now being embraced by the sharing community as well, which is a great addition to the new version of the STIX standard. But seeing how sightings could be used by internal teams from an operations perspective, with automation and cross-team support, brought a smile to this sailor’s face.
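To make the loop described above concrete (on-demand lookup, sighting recorded in STIX 2.0 form, relevance score adjusted, indicators above a threshold exported for blocking), here is an added illustration. It is not ThreatQ's code or its scoring algorithm; the indicators, log lines, STIX objects, weights and threshold are all constructed assumptions.

```python
"""Sightings driving an indicator's relevance score (constructed illustration;
not ThreatQ's code or algorithm; weights, objects and logs are assumptions)."""
import uuid
from datetime import datetime, timezone
NOW = datetime(2018, 3, 29, 10, tzinfo=timezone.utc)  # constructed "current" time

# Constructed STIX 2.0 indicators held by the platform
INDICATORS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
]
# Constructed log lines, standing in for what the SIEM would return
SIEM_LOGS = [
    "2018-03-29T09:14:02Z dns query src=10.0.0.5 qname=bad.example",
    "2018-03-29T09:14:09Z dns query src=10.0.0.9 qname=bad.example",
    "2018-03-29T09:15:41Z http GET host=www.example.com src=10.0.0.5",
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def query_for_sighting(indicator, log_lines, source_ref):
    """On-demand lookup (the post's OPP): scan the logs for the indicator's
    observable value and return a STIX 2.0 Sighting, or None if never seen."""
    value = indicator["pattern"].split("'")[1]        # literal inside the pattern
    hits = [line for line in log_lines if value in line]
    if not hits:
        return None
    return {"type": "sighting", "id": "sighting--" + str(uuid.uuid4()),
            "sighting_of_ref": indicator["id"], "where_sighted_refs": [source_ref],
            "count": len(hits), "first_seen": hits[0].split()[0],
            "last_seen": hits[-1].split()[0]}

def relevance_score(indicator, sightings, now=NOW, base=40.0, weight=10.0,
                    half_life_days=7.0):
    """Dynamic relevance: base score plus a contribution per sighting that
    grows with the observed count and halves every half_life_days of age."""
    score = base
    for s in sightings:
        if s["sighting_of_ref"] != indicator["id"]:
            continue
        age_days = (now - parse_ts(s["last_seen"])).total_seconds() / 86400.0
        score += weight * s.get("count", 1) * 0.5 ** (age_days / half_life_days)
    return min(score, 100.0)

def export_for_blocking(indicators, sightings, threshold=50.0, now=NOW):
    """Patterns whose score reaches the threshold, for export to blocking tools."""
    return [i["pattern"] for i in indicators
            if relevance_score(i, sightings, now) >= threshold]
```

An indicator never sighted keeps its base score and stays below the export threshold, while a recent, repeated sighting pushes the domain indicator over it.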
About the Author
Senior Vice President, Customer Success
As the SVP of Customer Success of ThreatQuotient, Martin Weber is responsible for leading new initiatives and programs aimed at helping customers extract the full value of the company’s threat intelligence platform offering. Marty brings over 25 years of experience to the organization. He has over ten years of security experience and was most recently at Cisco where he led the Americas as Vice President of Sales of the Global Security Sales Organization. He joined Cisco from the Sourcefire acquisition and was the Vice President for Sales for the eastern half of the U.S. and Public Sector. Marty previously held a number of leadership roles in various software and technology companies, including BMC Software, Sybase and Unisys, and has consistently shown the ability to significantly increase sales year after year.