ThreatQuotient ups the ante for dealing with security incidents
The hardware and software that constitute the average organisation’s IT infrastructure generate millions of events a day, which are recorded in log files. This is known as machine data. Nearly all such events are benign and of little interest to IT operators. However, some represent anomalies that may indicate problems arising. Dealing with such incidents was the subject of a 2017 Quocirca research report sponsored by Splunk – Damage Control: The Impact of Critical IT Incidents.
Recognising incidents is one thing; understanding what they mean and prioritising how they are dealt with is another. This requires enriching the machine data with information from other sources. Splunk’s operational intelligence platform does this for IT incidents in general, but also specifically for security incidents, which Quocirca’s report identifies as the top concern for IT managers.
When it comes to dealing with security incidents the process is known as security information and event management (SIEM). Here Splunk has several competitors including Micro Focus’s ArcSight, LogRhythm, IBM’s QRadar and McAfee’s Enterprise Security Manager.
SIEM tools enrich machine data to provide context. However, any one tool may not provide all the insight needed to deal with and prioritise every security incident. Some organisations use multiple operational intelligence and SIEM tools. Furthermore, the range of sources for enriching and guiding the process of dealing with security incidents is myriad. These include:
- Threat intelligence feeds that indicate what a security incident might mean, for example, whether there is known criminal activity that is leading to certain types of events. Providers of threat intelligence feeds include Digital Shadows, CrowdStrike, Recorded Future and FireEye’s iSIGHT.
- Databases of known malware and scams such as VirusTotal, Spamhaus and Malware Domain List.
- Vulnerability management tools which know about current software bugs, the threats they represent and fixes available, such as Qualys and Tenable.
Bringing together all the information from these sources and applying it to security incidents is a daunting task. That is the challenge ThreatQuotient has taken on with its ThreatQ platform. All the organisations listed above are among the 70-plus partners that integrate with ThreatQ.
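To make the enrichment-and-prioritisation idea concrete, here is an added example (not ThreatQ's code, nor code from any of the products named above). It parses a few constructed firewall log lines, looks each event up against three constructed sources of the kinds listed above (a threat intelligence feed, a malware domain list and a vulnerability inventory), and ranks the events by how much context they attract. All addresses, domains, campaign names and vulnerability identifiers are placeholders invented for the example; the scoring weights are arbitrary assumptions, not a published formula.

```python
import re

# --- Constructed sample inputs (placeholders, not data from the article) ---
# Firewall log lines in a key=value style; addresses are from documentation
# ranges and the hosts are fictional.
SAMPLE_LOGS = [
    "2017-09-12T10:01:03Z fw01 action=deny src=203.0.113.45 dst=10.0.0.5 dport=445 proto=tcp",
    "2017-09-12T10:01:05Z fw01 action=allow src=198.51.100.7 dst=10.0.0.9 dport=443 proto=tcp dns=updates.example.net",
    "2017-09-12T10:01:09Z fw01 action=allow src=10.0.0.12 dst=192.0.2.99 dport=80 proto=tcp dns=bad-site.example",
    "2017-09-12T10:01:11Z fw01 action=deny src=203.0.113.80 dst=10.0.0.5 dport=22 proto=tcp",
]

# Constructed threat-intelligence feed: indicator -> context about the actor.
THREAT_INTEL = {
    "203.0.113.45": {"campaign": "constructed-campaign-A", "confidence": 90},
    "203.0.113.80": {"campaign": "constructed-campaign-B", "confidence": 40},
}

# Constructed malware/scam domain list.
MALWARE_DOMAINS = {"bad-site.example"}

# Constructed vulnerability inventory keyed by internal host. The ids are
# placeholders, not real CVE numbers.
VULNS = {
    "10.0.0.5": [{"id": "VULN-PLACEHOLDER-SMB", "port": 445, "severity": 9.8, "patched": False}],
    "10.0.0.9": [{"id": "VULN-PLACEHOLDER-TLS", "port": 443, "severity": 5.3, "patched": True}],
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one log line into a dict: timestamp, device, then each key=value pair."""
    timestamp, device, rest = line.split(" ", 2)
    event = {"timestamp": timestamp, "device": device}
    event.update(KV_RE.findall(rest))
    event["dport"] = int(event["dport"])
    return event


def enrich(event):
    """Attach context from each source and compute an arbitrary priority score."""
    context = []
    score = 0
    # Source 1: does the external address appear in the threat intel feed?
    intel = THREAT_INTEL.get(event["src"])
    if intel:
        context.append(f"threat intel: {intel['campaign']} (confidence {intel['confidence']})")
        score += intel["confidence"]
    # Source 2: was a known malware/scam domain resolved for this flow?
    if event.get("dns") in MALWARE_DOMAINS:
        context.append(f"malware domain: {event['dns']}")
        score += 80
    # Source 3: is the targeted host/port carrying an unpatched vulnerability?
    for v in VULNS.get(event["dst"], []):
        if v["port"] == event["dport"] and not v["patched"]:
            context.append(f"unpatched {v['id']} on {event['dst']}:{v['port']}")
            score += round(v["severity"] * 10)
    # Traffic the firewall let through is worse than traffic it blocked.
    if event["action"] == "allow" and context:
        score += 20
    return {**event, "context": context, "score": score}


def prioritise(lines):
    """Parse, enrich and sort a batch of log lines, highest priority first."""
    enriched = [enrich(parse_event(line)) for line in lines]
    return sorted(enriched, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in prioritise(SAMPLE_LOGS):
        print(e["score"], e["src"], "->", e["dst"], e["context"])
```

Run as a script, the blocked connection from a high-confidence threat-intel indicator towards an unpatched service comes out on top, the allowed connection to a listed malware domain second, and the event with no enrichment hits last, which is the kind of ordering an operator wants before opening a single ticket.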
ThreatQ was first released in 2013 and launched in Europe in 2016, where ThreatQuotient now has operations in the larger countries and a growing customer base. This week it is upping the ante with the release of a new interface called ThreatQ Investigations.
ThreatQ Investigations supplements ThreatQ’s existing tabular interface with a graphical tool that shows core incidents with links to all the sources of information that may help deal with them. With a few clicks an operator may be guided from an anomalous event on a firewall to news of a recently detected surge in activity by a criminal gang seeking to exploit a newly found software vulnerability. ThreatQ Investigations aims not just to empower individual operators but to improve collaboration across the teams that come together, often war-room style, to deal with security incidents.
As cybercrime becomes ever more widespread and the actors involved diversify, targeted organisations must become more sophisticated and timely in their ability to detect and respond. ThreatQuotient and the tools its ThreatQ platform brings together can help achieve this.
Bob Tarzey is a freelance analyst and writer, formerly of Quocirca.