In this podcast recorded at RSA Conference 2017, Ryan Trost, CTO at ThreatQuotient, discusses the relevance of threat intelligence, as well as the ThreatQ platform, designed to enable threat operations and management.
Here’s a transcript of the podcast for your convenience.
Today I’m here with Ryan Trost, CTO and co-founder of ThreatQuotient. Ryan, do you want to give us a quick intro and background on what ThreatQuotient does?
Sure. I’m Ryan Trost, CTO and co-founder. We provide ThreatQ which is a threat intelligence, management and operations platform.
That’s great. And I know you just launched ThreatQ 3.0. Is there anything you want to quickly share about that big launch you just did?
ThreatQ 3.0 really focuses on teams and helping them prioritize and where do we start, what do we do, what’s the next step? So it gets them past that initial hurdle of the consumption and using of the threat intelligence, to allow them to focus and prioritize what’s pertinent and relevant to their organization.
If we want to backpedal a little bit, what was it about your background that led you and co-founder Wayne to develop ThreatQ back in 2013?
Wayne and I have basically known each other for almost a decade now and we jumped a couple of employers together. I basically lived in a security operation center all of my life, from security analyst up to incident response, then to leading several larger SOCs, including DEA, TSA, General Dynamics, so a lot of those lessons learned and bumps and bruises along the way. We ultimately put together kind of the what is needed, what’s missing out of the industry and then almost 4 years ago, we created ThreatQ, ThreatQuotient to really answer some of those missing gaps.
So, more specifically, what would be the biggest challenge people are facing working with threat intelligence or adapting threat intel and other certain things that you think a threat intelligence platform needs to do pretty clearly?
A lot of it is getting down to the relevance of threat intelligence. A lot of security analysts and intelligence analysts are pack rats by nature, so they want to boil the ocean, which is extremely dangerous because there’s just too much threat intelligence out there. There’s too much sharing out there. So the key focus is helping companies really prioritize what is relevant to them, what is relevant to their industry and ultimately just trying to kind of carve out the noise and getting rid of that, and allow them to hone in on the important stuff, the stuff that bubbles to the top.
Specifically, who can benefit from the ThreatQ platform? And are there new innovations and capabilities that customers didn’t have before related back to the new launch of the ThreatQ 3.0?
The biggest companies that benefit from ThreatQ or threat intelligence platforms in general are typically companies that have relatively formal security operations whether it’s a team of one, a team of two, or a team of a hundred and twenty global analysts that are all trying to really do the same thing as far as defending their territory, their organizations.
A lot of the benefit of ThreatQ is jumpstarting the investigation. So historically, as a security analyst living in a SIEM you would get an alert with an IP address and then you would jump off to 8 different browsers, 4 different windows, trying to gather as much information as possible about that information. And ultimately, what we want to do is provide that initial jump start and triage so that when the alert does pop in a SIEM, it’s provided with as much context as possible. Whether it’s the attribution to the indicator, is there a kill chain or attack phase or role? The more information the analyst has at their fingertips, the better decisions, the faster decisions they are going to make on how to handle and react to that alert. And that’s ultimately kind of a force multiplier for the analyst, cause jumping around to different windows and browsers, it’s mundane, unfortunately work and now we’re regaining that wasted time and allowing them to really dive into the analysis significantly faster.
It seems like recent updates to the platform are focused a lot on analyst workflows. You want to talk a little bit more about that new framework?
As we work with a lot of our customers, a lot of the analysts kind of hone in on where do we start, what does this information mean to me and how can I leverage it? And a lot of the capabilities that we included into the platform help drive the analyst or help them focus in on what’s relevant from the scoring and exploration and the aging of intelligence is a key within intelligence. Cause intelligence is all different and the relevancy is completely different. So aging that information out of the platform and out of the infrastructure is extremely important. And ultimately allow them to again just focus on what’s important to their business.
I know that ThreatQ isn’t the only threat intelligence platform. What sets ThreatQ apart from the other platforms out there, and what does ThreatQuotient focus on that your competitors do not?
A lot of the big capabilities of ThreatQ focus it around the open exchange, the open API, the analyst workbench and the threat library gathering that information and making it consumable and distributing it out to the organization’s existing infrastructure. But it all wraps around how to make the analyst faster? How to increase their workflows, whether it’s automatically doing certain things, so information comes in and we bounce it off of VirusTotal automatically, or Domain Tools, and we gather in that information which then helps the product define the relevancy of it, and then the product can actually make the decisions whether it wants to export it to the firewall. Whether it wants to export it to the IPS or IDS. Whether it wants to export it to the web proxies.
Based on the relevancy or based on the criteria that the customer gives the system, the system can automatically start to position and point that information to the right tools and technologies rather than relying on the analyst to actually sit there and look at it, and then determine – cause a lot of the analysts will want a blanket to put it into everything. But as a SOC manager, I used to have analysts take IP addresses and domains and pump them into packet capture, and that was the worst thing in the world because packet capture is meant to be more of the break glass emergency versus the ‘go-to, let’s pump 8 million indicators into it and then just watch it keel over’.
It’s ultimately allowing managers to really balance their resources, balance their budgets in what intelligence sources kind of rise to the top, as well as my detection tools. Cause I’ve got a budget, I’ve got a finite budget for that matter so I’ve got to be very cognizant of where I’m pumping in all this information.
So to wrap things up, if you had to boil down the primary function and goal of ThreatQ, what would that be?
The threat library, analysts’ workbench and open exchange are the key components of any type of platform, whether you’re talking about SIEMs, whether you’re talking about ticketing systems. They’ve got to be able to consume as much information as possible to some degree, so that ultimately checks off the threat library, as well as the analyst workbench. The analysts have to be comfortable pivoting around it, they’ve got to be comfortable using it, it’s got to work into their flow.
The tools should not force analysts to work in a certain manner. The tools should kind of mold around the analysts, around their workflows, around how their thought process and logic, and that’s where we put a lot of emphasis into allowing the teams to build up criteria based on their organization. A lot of the tools are based on the evolutionary roadmap of the team, so each capability is not an on or off switch – it’s an on switch that allows the team to mature through the full capability of the product cause every team is slightly different, it’s got different resources, it’s got different budgets, it’s got different skillsets. But the product needs to allow the teams to really mature into it, and allow them to kind of dictate that.
And lastly, the open exchange: with the open API the tools need to all communicate with each other. Historically, you could really rely just on the unidirectional information. Alerts from your infrastructure would all go into your SIEM and it would be kind of aggregated and correlated. We’re in a place these days where now all the tools need to talk to each other. Now it’s not only that unidirectional thing, it’s the bidirectional whereas the alerts go into the SIEM. But then the SIEM tells you how many false-positives the team is actually investigating and tracking, or maybe you get that from the ticketing system.
All that information goes to better your threat intelligence cause now you know which sources of intelligence have a higher fidelity than your others. So you’re going to try to focus in on that, again cause you’ve got limited resources and so forth. We have made the product more efficient and more effective so that teams of any size, whether small, medium or large, even from a skillset small/medium and large, can really leverage it in their best interest or in their company’s best interest.