ThreatQuotient, a manageable and proactive approach to cybersecurity

When it comes to computer security, we must consider the incredible progress the sector has made in recent years. In less than a decade, technologies such as artificial intelligence and machine learning have made it possible to speed up the defence of computer networks, embracing issues such as proactivity, which are increasingly necessary in a scenario where criminals act to catch their victims by surprise. In such a context, ThreatQuotient stands out.

ThreatQuotient was founded in 2013 to build a tool to make security more manageable and proactive. At that time, there were very few solutions for defenders to aggregate, organize, and maintain their cyber threat intelligence. For example, for analysts working in SOCs like ThreatQuotient’s founders. Security appliances didn’t have flexible or well-documented APIs, and analysts were forced to copy and paste indicators from websites, blogs, email exchanges, etc. into spreadsheets for storing.

“At ThreatQuotient, we believe that threat data and intelligence are the most valuable tools to detect, prevent, and respond to threats” tell us Chris Jacob, Vice President of Threat Intelligence Engineering, ThreatQuotient. “To make use of this, however, organizations need an approach to security operations that relies on a single, systemic security architecture that supports all teams and use cases while continuously improving. Our mission is to support this need”.

How has the pandemic placed new interest in corporate security solutions?

“I would argue there was a positive outcome for security operations because of the pandemic. As the world shifted and embraced a distributed workforce, we also had to rethink how to collaborate effectively. When everyone was forced to work from home at a moment’s notice, Security Operations Center (SOC) analysts and Incident Response (IR) team members couldn’t lean across their desk to compare data and analysis or walk down the hall to check in with a threat intel analyst. Knowledge sharing and coordination have always presented challenges amidst the chaotic environment of security operations and investigations, but now more than ever, collaboration is a measurement of success”.

“Overnight, every team needed a way to enable remote collaboration – a virtual cybersecurity situation room, if you will, that fused together threat data, evidence and users. This collaboration helps ensure that security teams are bringing in the right external data from sources they may not have considered before because they did not know they were relevant. It also signals that the industry is maturing, probably accelerated during the pandemic by a surge in threats and increased awareness and interest among company leaders to gain a better understanding of risk and how to mitigate it”.

Why has the health emergency enabled cybercriminals to achieve new targets?

“While this is certainly industry specific, I think the largest challenge security teams have faced in attempting to maintain the same level of protection against cybercriminals is the dispersion of company assets. Many organizations continue to rely on an approach of defence in depth, which while still completely sound, but becomes challenging in a distributed workforce. What needs to be done in response is heightened communication and collaboration across teams. This collaboration needs to happen much faster than email, messaging, or even face to face communication between teams. It needs to happen at the speed of an organizations security tools”.

ThreatQuotient has assembled an all-star team of well-known and innovative executives who have previously built successful companies and software. They are John Czupak, Lenn Kurtzman, Leon Ward, Tom Ashoff, Matt McCormick, Gigi Schumm and Marc Solomon from companies like Sourcefire, Cisco, iSight, Symantec, etc.

“Our mission is to empower security teams to respond to cyber threats through innovation, precision and expertise by providing products and services with outstanding value that exceeds the expectations of our customers and business partners. The ThreatQuotient team excels at upholding this mission with both technical and relationship building skills”.

The main products

ThreatQ is an open and extensible threat intelligence platform that helps to automate the identification of what are threats and what is noise to reduce the number of items that need investigation and provide greater focus for the limited resources on the team. ThreatQ is also the first platform for data-driven security operations, enabling a shared understanding across teams and tools within an organization’s defence infrastructure.

Security Organizations use ThreatQ to apply customer-defined scoring of threat intelligence, quickly deploy threat data to existing sensor grids, and focus workflows on time to detect (TTD) and time to respond (TTR). The ThreatQ platform supports multiple use cases including incident response, threat hunting, spear phishing, alert triage, vulnerability management and serving as a threat intelligence platform, and supports future use cases by adapting to changing business needs.

ThreatQuotient also offers ThreatQ Investigations, the industry’s first cybersecurity situation room designed for collaborative threat analysis, shared, and accelerated understanding, and coordinated response. Built on top of the ThreatQ platform, ThreatQ Investigations allows for the capturing, learning, and sharing of knowledge. Use cases for ThreatQ Investigations include anticipation situations that accelerate understanding of emerging threats to update defence posture proactively; response situations that enable the right responses to be determined and acted upon faster than previously possible; and retrospective analysis to learn what can be improved in the future.

Over the years of working with Threat Intelligence teams, a common theme began to emerge. Intel teams are providing a product to the rest of the security organization. That product of course is contextualized threat intelligence. Sometimes that product needs to be delivered in the form of finished intel reports, as is the case with the C-Suite, but often it needs to be in a machine consumable format to feed the various tools those security teams are using. This integration of tools across the entire security stack has been a focus of the TQ platform. “Our approach to integrations lines up perfectly with the emerging definition of Extended Detection and Response or XDR”.

What are your next developments in the IT security offering?

“We recently announced v5 of the ThreatQ platform, launching capabilities needed today to support the security operations center (SOC) of the future, where data is the foundation. Our team feels that the SOC of the future uses a data-driven approach to improve efficiency, has an open architecture to ingest any data sources free of limitations, and enables balanced automation for teams to translate data-driven context to drive response, either natively using machine automation or with tooling for human analysts”.

“Within ThreatQ v5, our DataLinq Engine “connects the dots” across data from all systems and sources, both internal and external, to enable extended detection and response (XDR) within an organization.  This includes SIEM/SOAR, identity, feeds, cloud, ticketing, etc. so it can be analysed and understood prior to taking a manual or automated response. The ThreatQ Data Exchange provides improved flexibility and control over data shared between ThreatQ systems. Teams with separate instances of ThreatQ can collaborate by sharing IOCs, adversary, TTPs, etc. with one another. This increased data exchange provides more context for teams to do their jobs”.

“From the beginning, ThreatQuotient went out to build a tool to make security more manageable and proactive, enabling customers to have more efficient and effective security operations. We continue to focus on innovation to drive companies towards the SOC of the future, focusing on data management and data analytics; leveraging our open integration architecture to enable data to flow across all systems; and providing the right balance between automation of workflows with empowering security analysts to be able to investigate, make better decisions and take action faster”.

What will the cybersecurity industry look like in the coming years?

“Threat actors are getting faster and more sophisticated in their tactics, techniques and procedures. The ease with which ransomware can be monetized puts companies of all sizes at risk, while the attack surface continues to grow because of cloud remote workers, an increasingly digital supply chain, and more”.

“We believe that the SOC of the future must be built on a data-driven approach. All data, not just threat data, is security data and this provides context to help security teams make the best decisions and take the right actions. Much of this data comes through integrations, so any solution to enable the SOC of the future must be built on an open integration architecture that can bring in third-party data, intelligence feeds and internal data, and send out relevant data to drive actions and response. Finally, balanced automation is essential, where automation and analysts have a symbiotic relationship where both are empowered by data”.

Antonino Caffo has been involved in journalism, particularly technology, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can see him, sometimes, on television explaining how technology works, which is not as trivial for everyone as it seems.