Bring order to the chaos of incident response and threat investigations

threatq threat investigations

In this podcast recorded at RSA Conference 2018, Leon Ward, VP of Product Management at ThreatQuotient, talks about bringing order to the chaos of security operations, as well as the ideas behind a new product called ThreatQ Investigations.

ThreatQ Investigations

Here’s a transcript of the podcast for your convenience.

We are here at the RSA Conference with Leon Ward, VP of Product Management at ThreatQuotient, to discuss bringing order to the chaos of security operations. For example, what can happen when teams within an organization work in silos, acting independently, or unable to share intelligence and tasks easily. Leon, before we jump into some questions would you please share a little bit of background with us – what ThreatQuotient does, how you came to join the company?

Sure, so I’ve spent about 15 years working with cyber security products almost exclusively from a defensive posture, for example intrusion detection systems and firewalls. And I started to notice a big shift and challenge with those products and as much as they are becoming blind from the things that are trying to inspect, and there was just too much data and too much noise to try and process from a security operations perspective. We were seeking to find alternative and new solutions to these problems, and that’s when I came across ThreatQuotient.

As we find ourselves moving into more of a globally dispersed world, and sometimes security teams can find themselves in different geographic locations, can you talk a little bit about how important collaboration is in those sorts of situations or those larger types of organizations?

Sure, collaboration is critical for being able to respond pervasively to any form of threat. So, let me try and explain a little bit what I mean from that. In any form of large response or anticipation scenario you’ve got lots of different people, and lots of different teams with different skill sets, all trying to work towards one common goal. However, that goal is frequently misunderstood, and the data they’re working on is frequently intertwined with each other. You get situations where the key pieces of threat information can fall between the cracks, and it’s not just the geographic dispersion of those teams, it’s frequently the silos they operate in, even when they are in the similar locations.

So, big theme around the industry right now, a lot of chatter around mean time to detection and mean time to respond. And it seems like that approach is taken mostly through automation. Is that effective? Does automation allow companies to act fast enough to get to an understanding quicker and remediation faster?

It helps. Automation helps for sure, but with phrases like MTTD (Mean Time To Detection) and MTTR (Mean Time To Response), the thing that I find the gets frequently overlooked it’s not about how fast you act, it’s about working out what the right action to take is. We’ve been focusing on creating new technologies to help the people who were responsible for making those decisions and taking the actions, to help them make the right decisions, to make the right action faster.

Okay, security operations and incident response sounds like it gets chaotic. When this is happening, who’s responsible for bringing all this together for coordinating that action? Is it more machine to machine, is it human base – you know what is the typical process for trying to coordinate a response to a large breach?

The industry is being focused on trying to solve this machine to machine communication and coordination. However, it’s missed out this big problem of human to human coordination. What’s the right thing to go after and where is a sweet spot? It’s solving both of those things enabling the people and the machines to all communicate and collaborate.

ThreatQuotient recently launched the brand-new cyber security situation room. Before this, ThreatQuotient exclusively focused on a threat intelligence platform. Can you tell us a little bit about the genesis of this new product, and what value it offers to customers?

Absolutely. Over the last couple of years, we’ve been watching how our customers use our products, what processes they go through, and where they struggle with the wider area of security operations and coordination. That observation and seeing what people were trying to achieve, has helped us come up with the ideas behind this new product called ThreatQ Investigations. It enables people to coordinate the response, understand who is doing what, and represent all this information visually, so it’s great for people to understand what actions are being taken and what the next step should be.

Can you talk a little bit about how the users would collaborate within the product itself?

We designed ThreatQ Investigations to enable collaboration from the ground up, so what does that really mean? It is a true multi-user environment where different people and different teams can open up the same investigation at the same time. You can see the actions that other people are taking, and you can coordinate not only what you would need them to do, but they can observe what you’re doing as part of your investigations. This prevents key observations and key pieces of threat data from falling in between the cracks. And by doing so, we enable organizations to get a better understanding of the actions they should take, and enabling them to take those actions when they’re faced with any form of security situation.

ThreatQ Investigations

ThreatQ Investigations action panel

How is their threat data operationalized or shared once an investigation is over?

ThreatQ Investigations is built on top of the ThreatQ threat intelligence platform, so what does that mean from from a product deployment perspective? All the threat data can be operationalized, can be published, and can be directed into the existing defenses that are inside the organization. That means you can push the right responses into the right tools at the right time that you’ve determined from your analysis in the investigation.

So Leon, where would an interested person be able to go to learn a little bit more about ThreatQ Investigations?

To learn more, and to see ThreatQ Investigations in action with some videos just go to

RSA Conference 2018

Don't miss