How ThreatQ and ThreatQ Investigations work with Endpoint Detection & Response (EDR) Systems
POSTED BY LIZ BUSH
For decades, cyber technologies have been built for the common purpose of detecting and blocking threats. When a new type of threat appeared, companies would purchase and deploy another point solution to address the latest risk. But challenges arise when these technologies create their own intelligence and work within their own silo. Each of these tools plays an important role in security operations, but with limited coordination and integration, companies aren’t getting the full value of their investment. Endpoint Detection and Response (EDR) systems are just one example.
ThreatQ and ThreatQ Investigations augment and integrate with modern security tools to address this challenge. We accomplish this with our Open Exchange, which provides the largest and most adaptable set of integrations in the industry. Open Exchange includes a software development kit (SDK), easy-to-use application programming interfaces (APIs) and a comprehensive set of industry-standard interfaces to fully integrate with the equipment, tools, technologies, people, organizations and processes that protect your business.
In this blog we’ll look at how ThreatQ and ThreatQ Investigations work with EDR systems.
EDR systems give defenders visibility into endpoints: which files exist on them and how those files behave when executed. Custom lists of file hashes and other endpoint indicators can be hunted for across the fleet; when a match is found it can be reported to the SIEM and, from there, consumed by ThreatQ as a sighting. (Read our blog on how we integrate with SIEMs for more details.)
However, most EDR systems have limitations on the quantity of external threat data they can consume and search for. Therefore, it’s important that they are provided with the most relevant and important data for that organization.
How the systems benefit each other
ThreatQ enriches data with information about the motivation of the campaign, the attackers and their intent. Because it understands the details and context behind event-associated indicators, it can prioritize them so that only accurate, relevant threat data is sent to the EDR system, making the best use of the EDR's limited capacity.
In turn, the EDR system acts as a data source for ThreatQ to further hone customer-specific scoring based on local sightings. ThreatQ Investigations can use this relevant, high-priority data to accelerate detection and response.
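The two-way loop described above (context-based prioritization into a capacity-limited EDR, and EDR sightings relayed through the SIEM feeding back into local scoring) is easier to see in code. The following is an added illustration, not ThreatQ code and not its API or scoring model: the scoring weights, decay rule, field names, placeholder hashes and SIEM events are all constructed assumptions chosen to show the mechanics.

```python
"""Illustrative intel-platform <-> EDR prioritization loop (added example).

Not ThreatQ code. Weights, decay, field names and sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic (constructed, not real data).
NOW = datetime(2024, 1, 1)


@dataclass
class Indicator:
    value: str
    itype: str                 # e.g. "sha256", "domain"
    base_score: int            # relevance from feed/analyst context, 0-100 (assumed scale)
    last_seen: datetime        # most recent report from any source
    local_sightings: int = 0   # hits the EDR reported back via the SIEM


def score(ind: Indicator, now: datetime = NOW) -> int:
    """Customer-specific score: context score, decayed by age, boosted by local sightings.
    The weights are illustrative assumptions, not a vendor's formula."""
    age_days = (now - ind.last_seen).days
    decay = min((age_days // 30) * 10, 60)       # -10 per 30 days stale, floor at -60
    boost = min(ind.local_sightings * 20, 60)    # +20 per local sighting, cap at +60
    return max(0, min(100, ind.base_score - decay + boost))


def select_for_edr(indicators, capacity, now=NOW, hunt_types=("sha256", "sha1", "md5")):
    """Pick the top-`capacity` indicators of a type the EDR can actually hunt for."""
    candidates = [i for i in indicators if i.itype in hunt_types]
    ranked = sorted(candidates, key=lambda i: (score(i, now), i.value), reverse=True)
    return ranked[:capacity]


def ingest_sightings(indicators, siem_events):
    """Apply EDR hits (relayed through the SIEM) to the local indicator set.
    Returns the number of events that matched an indicator we track."""
    by_value = {i.value: i for i in indicators}
    matched = 0
    for ev in siem_events:
        ind = by_value.get(ev["indicator"])
        if ind is None:
            continue                           # hit on something we don't track; ignore
        ind.local_sightings += 1
        ind.last_seen = max(ind.last_seen, ev["timestamp"])
        matched += 1
    return matched


# Placeholder hashes and a placeholder domain (constructed, not real indicators).
H1, H2, H3, H4 = ("a" * 64, "b" * 64, "c" * 64, "d" * 64)
D1 = "example.invalid"


def build_sample():
    """Constructed sample set; scores are chosen to show the feedback loop."""
    return [
        Indicator(H1, "sha256", 90, NOW - timedelta(days=5)),
        Indicator(H2, "sha256", 80, NOW - timedelta(days=100)),  # stale: decays to 50
        Indicator(H3, "sha256", 70, NOW - timedelta(days=10)),
        Indicator(H4, "sha256", 40, NOW - timedelta(days=2)),    # low context score
        Indicator(D1, "domain", 95, NOW - timedelta(days=1)),    # not a hash: skipped for EDR
    ]


# Constructed SIEM events: the EDR matched H4 on two hosts, plus a hash we don't track.
SIEM_EVENTS = [
    {"indicator": H4, "host": "ws-017", "timestamp": NOW - timedelta(days=1)},
    {"indicator": H4, "host": "ws-042", "timestamp": NOW - timedelta(hours=6)},
    {"indicator": "f" * 64, "host": "ws-003", "timestamp": NOW},
]


def run_demo(capacity=3):
    """Export list before and after local sightings are fed back into scoring."""
    inds = build_sample()
    before = [i.value for i in select_for_edr(inds, capacity)]
    matched = ingest_sightings(inds, SIEM_EVENTS)
    after = [i.value for i in select_for_edr(inds, capacity)]
    return before, matched, after


if __name__ == "__main__":
    before, matched, after = run_demo()
    print("initial EDR list :", [v[:8] for v in before])
    print("sightings matched:", matched)
    print("after feedback   :", [v[:8] for v in after])
```

With a capacity of three, the first export holds H1, H3 and the stale H2; H4 is left out because its context score is low, and the domain never qualifies because the EDR list only carries hashes. Once two local sightings of H4 come back through the SIEM, its score rises above H3 and H2 and it displaces H2 from the list. The point is the shape of the loop, not the specific numbers: capacity forces a ranking, and local sightings are the strongest customer-specific signal for that ranking.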
To learn more, download our EDR System Technology Partnership Brief. We encourage you to read our other blogs that discuss how ThreatQ and ThreatQ Investigations work with SIEMs, Ticketing Systems, Virtualization Tools and Orchestration Tools.