ThreatQ v5: An Even Smarter Single Source of Truth
Celine Gajnik
We’ve come a long way since ThreatQ v4, and our own Jay Allmond, UK Threat Intelligence Engineer at ThreatQuotient, recently shared the details during a hands-on webinar that’s now available on-demand. In this 30-minute session that, as Jay says, “is light on PowerPoint and heavy on nerdy stuff”, we review the basics of the ThreatQ Platform and dive deep into some of the newest capabilities.
The ThreatQ DataLinq Engine is the backbone of the platform and Jay takes us through the data journey from ingestion to normalization, correlation, prioritization and translation for action. Our marketplace includes hundreds of integrations which makes it easy for security teams to connect disparate data sources and systems and get the right intelligence to the right tools at the right time to accelerate detection and response.
The journey begins with deduplication and normalization for a clean data set that is stored in the Threat Library, a single source of truth for threat detection and response data and related context. Next, we check the intuitive dashboard, which shows we have more than 1.6 million indicators to deal with, an unmanageable number for a team of any size. To start narrowing the data set, ThreatQ has two algorithms, one for scoring indicators and another for indicator status. Users can set these algorithms based on their own parameters to reduce the number of indicators significantly. But there’s more we can do.
From there we take a close look at Smart Collections, a tool designed to simplify custom data searches and keep these searches up to date. ThreatQ v5 includes more granular controls than ever. Users can apply additional filters – by target industries, countries, specific adversaries and attack patterns – to zero in even further on what matters most to their organization. Within minutes users can winnow down to a handful of indicators that are much easier to analyze and send to their endpoint detection and response (EDR) tool, for example. Smart Collections can be saved and shared, and they are automatically updated. They can also be tied to ongoing investigations and reports, feeding them updates behind the scenes so they remain current.
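To make the data journey in the two paragraphs above concrete, here is an added, self-contained illustration of the same steps: normalize and deduplicate raw indicator records into a library, apply a parameterised scoring algorithm and a status algorithm, and then evaluate a saved, filter-based collection against the library. This is example code written for this post, not ThreatQ's own code or data model; the field names, tag vocabulary, scoring weights, 30-day activity window and the sample records are all constructed assumptions.

```python
# Constructed example: a simplified indicator pipeline showing the
# normalize -> deduplicate -> score -> status -> saved-filter steps.
# Not ThreatQ code; every field name, weight and threshold is an assumption.
from dataclasses import dataclass, field
from datetime import date, timedelta

TODAY = date(2023, 6, 1)          # fixed "now" so the example is deterministic
ACTIVE_WINDOW = timedelta(days=30)  # assumed: sightings older than this expire

# Assumed scoring parameters; an analyst would tune these per organisation.
TAG_WEIGHTS = {"industry:finance": 30, "country:gb": 20, "adversary:demo-actor": 40}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set
    tags: set
    last_seen: date
    score: int = 0
    status: str = "unknown"


def normalize(value: str, itype: str) -> str:
    """Undo common defanging and canonicalise case so duplicates collide."""
    v = value.strip().replace("[.]", ".")
    if itype in ("domain", "email", "md5", "sha1", "sha256"):
        v = v.lower()
    elif itype == "url":
        v = v.replace("hxxp", "http", 1)
        scheme, _, rest = v.partition("://")
        host, slash, path = rest.partition("/")
        v = f"{scheme.lower()}://{host.lower()}{slash}{path}"  # path stays case-sensitive
    return v


def ingest(raw_records: list) -> dict:
    """Normalize and deduplicate; merged records keep every source and tag
    and the most recent sighting."""
    library = {}
    for rec in raw_records:
        key = (rec["type"], normalize(rec["value"], rec["type"]))
        seen = date.fromisoformat(rec["last_seen"])
        if key in library:
            ind = library[key]
            ind.sources.add(rec["source"])
            ind.tags.update(rec.get("tags", []))
            ind.last_seen = max(ind.last_seen, seen)
        else:
            library[key] = Indicator(key[1], key[0], {rec["source"]},
                                     set(rec.get("tags", [])), seen)
    return library


def score(ind: Indicator) -> int:
    """Corroborating sources and high-value tags raise the score, capped at 100."""
    s = 10 * len(ind.sources) + sum(TAG_WEIGHTS.get(t, 0) for t in ind.tags)
    return min(s, 100)


def status(ind: Indicator, today: date = TODAY) -> str:
    return "active" if today - ind.last_seen <= ACTIVE_WINDOW else "expired"


def prioritise(library: dict) -> dict:
    for ind in library.values():
        ind.score = score(ind)
        ind.status = status(ind)
    return library


@dataclass
class SmartCollection:
    """A saved filter, re-evaluated on every read so its contents stay current."""
    name: str
    min_score: int = 0
    statuses: set = field(default_factory=lambda: {"active"})
    required_tags: set = field(default_factory=set)

    def select(self, library: dict) -> list:
        hits = (i for i in library.values()
                if i.score >= self.min_score and i.status in self.statuses
                and self.required_tags <= i.tags)
        return sorted(hits, key=lambda i: (-i.score, i.value))


# Constructed sample feed records (documentation-range IP, placeholder hash).
RAW = [
    {"type": "domain", "value": "Evil-Example[.]com", "source": "feed-a",
     "tags": ["industry:finance"], "last_seen": "2023-05-28"},
    {"type": "domain", "value": "evil-example.com", "source": "feed-b",
     "tags": ["country:gb"], "last_seen": "2023-05-20"},
    {"type": "ipv4", "value": "203.0.113[.]7", "source": "feed-a",
     "tags": [], "last_seen": "2023-05-30"},
    {"type": "sha256", "value": "ABCD" * 16, "source": "report-1",
     "tags": ["adversary:demo-actor", "industry:finance"], "last_seen": "2023-03-01"},
    {"type": "url", "value": "hxxps://Evil-Example[.]com/login", "source": "feed-c",
     "tags": ["industry:finance"], "last_seen": "2023-05-31"},
]


def build_library() -> dict:
    return prioritise(ingest(RAW))


def finance_collection() -> SmartCollection:
    return SmartCollection("active-finance", min_score=30, required_tags={"industry:finance"})


if __name__ == "__main__":
    lib = build_library()
    print(f"{len(RAW)} raw records -> {len(lib)} unique indicators")
    for ind in finance_collection().select(lib):
        print(ind.status, ind.score, ind.itype, ind.value, sorted(ind.sources))
```

Five raw records collapse to four indicators because the two defanged and mixed-case spellings of the same domain merge into one entry carrying both sources and both tags. The expired hash drops out of the collection despite its high score, and the collection is a function over the library rather than a snapshot, which is what lets a saved filter stay current as new sightings arrive.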
Continuing through the journey, Jay shows how the ThreatQ Platform enables security operations automation in several additional ways. The capabilities of ThreatQ Orchestrator have been expanded in ThreatQ v5 so users can easily submit data in multiple ways to different tools and further enrich the data. Jay reviews numerous use cases, including automatic daily enrichment of indicators based on certain scores and automated updates of Smart Collections that need to be enriched. By eliminating the need for manual intervention, the platform lets analysts spend their time doing the threat hunting they were hired to do, rather than enriching data.
Jay also shows the platform’s Advanced Contextualization Engine in action. This time-saving tool takes in reports and blog posts and pulls additional context from them in the form of tags, saving analysts from having to do this tedious work by hand. In a use case related to EDR threat hunting, Jay shows how the Advanced Contextualization Engine searches through security reports for context and then, through the use of Smart Collections, sends this information to the EDR. The EDR responds by looking for and elevating sightings through the dashboard for action.
Capping off the demo, Jay brings in ThreatQ Investigations which is not new in v5, but also benefits from data enrichment and Smart Collections. In this cybersecurity situation room, analysts can visualize a hunt in an easy-to-read format and collaborate, confident in the knowledge that they are working with the latest, most relevant intelligence.