What Does Sun Tzu Have to Do with XDR? More Than You Might Think!


Military general and philosopher Sun Tzu once led the largest armies in the world and authored The Art of War, still considered a masterpiece of tactical warfare and very relevant as we wage our battles against evolving cyberattacks. That’s because even though threat intelligence is a relatively new discipline in our cyber defense processes, it has actually been around for more than 2,500 years. Threat intelligence was central to Sun Tzu’s winning strategies and it is foundational to our success today as our security approaches continue to evolve, most recently with Extended Detection and Response (XDR) solutions.

ThreatQuotient’s Anthony Perridge, VP – International, and Syed Kaptan, Director of Threat Intelligence Engineering for North America, explored this topic in a recent webinar, “From Sun Tzu to XDR, 2,500 years of Threat Intelligence.”

To frame the discussion, Anthony reminded us of one of Sun Tzu’s most widely referenced quotes: “If you know others and know yourself, you will not be beaten in one hundred battles. If you do not know others but know yourself, you will win one and lose one. If you do not know others and do not know yourself, you will be beaten in every single battle.”

According to Sun Tzu, the first step in awareness is information gathering. This includes information about yourself – your assets, priorities, strengths and vulnerabilities. You must also know your enemy – who and where they are, their size, the types of weapons they use, their motivation, and their tactics and techniques. This information drives basic decisions – is this a threat or not, should we fight or flee, and what actions should we take? Then comes the most important step – calculations. As Sun Tzu said, “The general who wins a battle makes many calculations before and during the battle. The general who loses makes hardly any calculations. This is why many calculations lead to victory and few calculations lead to defeat.” We should not act on the basis of raw data, but rather on information gained by examining the data for relevance, priority and other situational information, which on the battlefield may be terrain and weather conditions. The goal is to apply context to data, so you have the right information at the right place and time. 

Parallels with The Art of War and the XDR process
Relating this process to XDR, we see close parallels. Gathering information from disparate internal and external sources and domains is the “extended” part. The distribution or dissemination of information across your security infrastructure is the “detection and response” part. Finally, calculations involve converting raw data into relevant intelligence, and this is the basis for responding efficiently and effectively to a given situation.

Mapping ThreatQ to this Data Flow 
Mapping the ThreatQ platform to these three steps shows how ThreatQ’s data-driven approach to security operations enables XDR. First, the platform allows you to extend capacity to consume and manage data, be it internal or external, structured or unstructured. A lot of valuable data you get from third parties is trapped within their technologies, so ThreatQ has nearly 300 technology integrations available on the ThreatQ Marketplace to help you unlock that valuable resource as well. Having aggregated and normalized all that data, the platform correlates and applies context so you can prioritize data and filter out noise.

Ultimately, you want to be able to operationalize the data and take the right action. So, the platform translates that curated, prioritized data for export, allowing you to quickly activate defense technologies and teams. Closing the loop, the platform also captures and stores data from the response for learning and improvement. And remember, all of this happens at speed and scale, so automation is key.

Demonstration of How ThreatQ Enables XDR
Syed brings this data flow to life in a 30-minute demo, diving deep into the ThreatQ dashboard to show how the ThreatQ platform enables XDR, including:

  • How the ThreatQ platform ingests and displays data in a unified view, including the total number of observables from internal and external sources, how they are trending over time, related reports, critical assets that must be protected, and each observable categorized by source. 
  • Integration with third-party tools and ease of configuration and management.
  • One-click access to relationship information including associations with adversaries, attack patterns, events, other indicators, investigations, malware, and more – all in a single record for analysis. 
  • How to set up scoring policies and prioritize data to filter out noise (false positives and information that is irrelevant) so you only deal with indicators that matter to your organization.
  • Bi-directional integration to send the prioritized data to your security infrastructure tools to defend the organization, as well as receive sightings from these tools. 
  • Bringing in remediation recommendations from different sources, like MITRE ATT&CK and Microsoft, or creating remediation tasks within ThreatQ and assigning and managing those tasks across teams.
  • How to launch an investigation using ThreatQ Investigations, to gain an even deeper understanding of the attack in order to execute a comprehensive response.

XDR is gaining a lot of traction. But in order for it to deliver as promised, we need to heed Sun Tzu and start with a data-driven approach. Threat intelligence was critical to success on the battlefield then, and it is critical to success on the cyber battlefield today. To see the demo and hear from our experts, watch the webinar now.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.