Chris Jacob, ThreatQuotient: organizations must automate their security systems to mitigate escalating cyber threats

Protecting against malicious threat actors matters to individual users and businesses alike, but corporations are the more exposed of the two: cybercriminals increasingly favor high-profit targets.

Effective protection against sophisticated threats takes more than a single security tool, yet every additional layer of technology brings its own coordination challenges for business owners and IT staff.

Today, we had a chat with Chris Jacob, Vice President of Threat Intelligence Engineering at ThreatQuotient, about how corporations can automate threat detection and achieve better communication within their cybersecurity architecture.

Please introduce us to ThreatQuotient. What has the journey been like so far?

ThreatQuotient was founded in 2013 to build a tool to make security more manageable and proactive. At that time, there were very few solutions for defenders, such as the SOC analysts ThreatQuotient’s founders had been, to aggregate, organize, and maintain their cyber threat intelligence. Security appliances didn’t have flexible or well-documented APIs, and analysts were forced to copy and paste indicators from websites, blogs, email exchanges, and other documents into spreadsheets for storage.

Since 2013, ThreatQuotient has expanded operations internationally, raised over $60 million in financing, and we have evolved and expanded our technology offerings to meet the demands of security teams. Today, we are a leading provider of security operations solutions, improving workflows, delivering immediate and significant value across multiple security initiatives including XDR, SOAR, and TIP.

Can you tell us more about your ThreatQ platform? What issues does it help solve?

At ThreatQuotient, we believe that threat data and intelligence are the most valuable tools to detect, prevent, and respond to threats. Organizations need an approach to security operations that relies on a single, systemic security architecture that supports all teams and use cases while continuously improving.

ThreatQ is an open and extensible threat intelligence platform that helps to automate the identification of threats versus so-called noise to reduce the number of items that need investigation, thus giving the team’s limited resources greater focus. ThreatQ is also the first platform for data-driven security operations, enabling a shared understanding across teams and tools within an organization’s defense infrastructure.

Security operations teams use ThreatQ to apply customer-defined scoring of threat intelligence, quickly deploy threat data to existing sensor grids, and focus workflows on time to detect (TTD) and time to respond (TTR). The ThreatQ platform supports multiple use cases, including incident response, threat hunting, spear phishing, alert triage, and vulnerability management. It also serves as a threat intelligence platform and supports future use cases by adapting to changing business needs.

You describe your products and solutions as data-driven. Can you tell us more about this approach?

We recently announced the fifth version (v5) of the ThreatQ platform, launching capabilities needed today to support the security operations center (SOC) of the future, where data is the foundation. Our team feels that the SOC of the future uses a data-driven approach to improve efficiency. It also has an open architecture to ingest any data sources free of limitations and enables balanced automation for teams to translate data-driven context to drive response – either natively using machine automation or with tooling for human analysts.

There are several barriers preventing organizations from maximizing the benefit of automation in security, such as budget, prioritization issues, talent gaps, technology, trust concerns, and more. ThreatQuotient provides data-driven automation to enable security operations teams to reliably trust the data and be confident in their decisions.

Within ThreatQ v5, our DataLinq Engine connects the dots across data from all systems and sources, both internal and external, to enable extended detection and response (XDR) within an organization. This includes SIEM/SOAR, identity, feeds, cloud, ticketing, etc., so it can be analyzed and understood before taking a manual or automated response. The ThreatQ Data Exchange provides improved flexibility and control over data shared between our systems. Teams with separate instances of ThreatQ can collaborate by sharing IOCs, adversaries, and TTPs with one another. This increased data exchange provides more context for teams to do their jobs.

Do you think the pandemic revealed any new flaws and gaps in your field?

I would argue there was a positive outcome for security operations as a result of the pandemic. As the world shifted and embraced a distributed workforce, we also had to rethink how to collaborate effectively. When everyone was forced to work from home at a moment’s notice, Security Operations Center (SOC) analysts and Incident Response (IR) team members couldn’t lean across their desk to compare data and analysis or walk down the hall to check in with a threat intel analyst. Knowledge sharing and coordination have always presented challenges in the chaotic environment of security operations and investigations, but now more than ever, collaboration is a measurement of success.

Overnight, every team needed a way to enable remote collaboration – a virtual cybersecurity situation room that fused together threat data, evidence, and users. This collaboration helps ensure that security teams are bringing in the right external data from sources they may not have considered before because they did not know they were relevant. It also signals that the industry is maturing, probably accelerated during the pandemic by a surge in threats, increased awareness, and interest among company leaders to gain a better understanding of risk and how to mitigate it.

There are multiple security operations workflows and initiatives that ThreatQuotient addresses, including XDR, SOAR, and TIPs. How do you identify yourselves within these overlapping markets?

Our main focus at ThreatQuotient is on data-driven security operations. ThreatQ was purpose-built for prioritizing, automating, and collaborating, as well as detection and response. The platform goes beyond the typical threat intelligence platform (TIP) since it offers a data-driven approach to SOAR and also helps organizations achieve XDR outcomes.

With the shortage of security personnel, automation has become a key strategy to offload repetitive tasks and empower humans to conduct advanced security operations more efficiently. However, how do you automate across disparate systems and sources that each talk in their own language and format? Extended Detection and Response (XDR) is one way.

Gartner has defined XDR as solutions that “automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability.” ThreatQuotient has automated security data management in a way that reduces complexity for security teams to help organizations achieve XDR.

Legacy SOAR platforms have taken a process-driven approach to connect products within a workflow. However, for optimal detection and response, a data-driven approach is needed to prioritize data and connect systems with that data. Automating and orchestrating noisy data just amplifies the noise.

Data-driven SOAR, like what we offer with the ThreatQ platform, is simpler to set up, easier to maintain, and uses fewer resources. ThreatQ also serves as an open and extensible threat intelligence platform that allows teams to automate the intelligence lifecycle, quickly understand threats, make better decisions, and accelerate detection and response.
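The two ideas above, customer-defined scoring of intelligence before it reaches the sensor grid and prioritizing data so that automation does not simply amplify feed noise, can be illustrated with a small scoring pass. The following is an added example written for this article; it is not ThreatQuotient's code and does not reproduce how ThreatQ scores indicators, which the interview does not describe. The feed names, confidence weights, allowlist, decay thresholds, and sample records are all constructed assumptions. It merges raw records from several feeds into one indicator per value, scores each one from source confidence, cross-feed corroboration, and age, and keeps only the indicators that clear a deployment threshold.

```python
"""Added example: data-driven indicator scoring and prioritization.

Not ThreatQuotient's code. Source weights, allowlist, decay rules and the
sample feed records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Fixed clock so the example is reproducible offline.
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)

# Hypothetical per-source confidence (0-100), as a customer might configure it.
SOURCE_CONFIDENCE = {
    "internal_ir": 90,   # indicators from the org's own incident response
    "vendor_feed": 70,
    "isac_share": 60,
    "osint_blog": 30,
}

# Hypothetical allowlist: infrastructure that appears in feeds but is noise here.
ALLOWLIST = {"cdn.example.net", "8.8.8.8"}


@dataclass
class Indicator:
    value: str
    itype: str            # "domain", "ip" or "sha256"
    sources: dict         # source name -> most recent last_seen (datetime)


def merge_feeds(records):
    """Collapse raw feed records into one Indicator per (type, value).

    Values are lower-cased so the same domain from two feeds is one indicator;
    per-source last_seen keeps only the newest sighting.
    """
    merged = {}
    for rec in records:
        value = rec["value"].lower()
        ind = merged.setdefault((rec["type"], value), Indicator(value, rec["type"], {}))
        seen = datetime.fromisoformat(rec["last_seen"]).replace(tzinfo=timezone.utc)
        prev = ind.sources.get(rec["source"])
        if prev is None or seen > prev:
            ind.sources[rec["source"]] = seen
    return list(merged.values())


def score(ind, now=NOW):
    """Customer-defined score: best source confidence, plus up to +20 for
    corroboration by additional sources, minus a decay for stale sightings.
    Allowlisted values score 0 so they never reach the sensor grid."""
    if ind.value in ALLOWLIST:
        return 0
    best = max(SOURCE_CONFIDENCE.get(src, 10) for src in ind.sources)  # unknown source -> 10
    corroboration = min(len(ind.sources) - 1, 2) * 10
    age_days = (now - max(ind.sources.values())).days
    decay = -40 if age_days > 90 else -20 if age_days > 30 else 0
    return max(0, min(100, best + corroboration + decay))


def prioritize(indicators, threshold=60, now=NOW):
    """Return (value, score) pairs at or above the threshold, highest first."""
    ranked = sorted(((i.value, score(i, now)) for i in indicators),
                    key=lambda t: (-t[1], t[0]))
    return [(v, s) for v, s in ranked if s >= threshold]


# Constructed sample records; documentation-range addresses and a dummy hash.
SAMPLE_RECORDS = [
    {"source": "vendor_feed", "type": "domain", "value": "evil.example.com", "last_seen": "2022-02-25"},
    {"source": "osint_blog", "type": "domain", "value": "EVIL.example.com", "last_seen": "2022-02-20"},
    {"source": "vendor_feed", "type": "domain", "value": "cdn.example.net", "last_seen": "2022-02-27"},
    {"source": "osint_blog", "type": "ip", "value": "203.0.113.7", "last_seen": "2021-11-01"},
    {"source": "internal_ir", "type": "sha256", "value": "a" * 64, "last_seen": "2022-02-28"},
    {"source": "isac_share", "type": "ip", "value": "198.51.100.9", "last_seen": "2022-01-15"},
]


def demo():
    """Merge the sample feeds and return what would be pushed to sensors."""
    return prioritize(merge_feeds(SAMPLE_RECORDS))


if __name__ == "__main__":
    for value, s in demo():
        print(f"{s:3d}  {value}")
```

Of the six raw records, only two indicators clear the threshold: the hash from the org's own incident response and the domain corroborated by two feeds. The allowlisted CDN host, the stale single-source IP, and the month-old ISAC IP are held back, which is the point of scoring before orchestration rather than after.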

In 2021, ThreatQuotient published a report about the state of cybersecurity automation. What was your goal for conducting this research and what were some of the key takeaways?

As distributed workforces expand the threat surface, organizations must find ways to automate their security systems to proactively mitigate escalating cyber threats while supporting a growing hybrid work environment. We wanted to get a clearer picture of the state of IT security automation and adoption and understand what is either accelerating or holding businesses back in this regard. Our mission when conducting this research was to understand how far down the road senior cybersecurity professionals are with their IT security automation initiatives.

The research examines which IT security use cases or processes organizations have already automated and which ones they are planning to automate. It also takes into account budgets, skills, resources, issues around trust, and assesses the overall outlook for IT security automation.

Some of our major takeaways included finding that 98% of respondents intend to automate more processes in the next 12 months, but 41% have a lack of trust in the outcomes. According to a third (34%) of survey respondents, the top reason for IT security automation is the need to improve or maintain security standards, followed by the need to improve efficiency and productivity (31%). Surprisingly, 31% of organizations that have automation capabilities built into technologies such as SIEMs, Endpoint Detection & Response, and Security Automation & Orchestration solutions do not trust these to automate much beyond basic tasks, such as sending out notifications or running a threat intelligence query.

In your opinion, what cybersecurity solutions are essential for businesses nowadays?

Going forward, more pressure is going to be put on Cyber Threat Intelligence (CTI) teams to prove a return on investment. Leaders within these teams need to learn how to market their work and celebrate success up to the C-Suite. Additionally, I hope to see XDR emerge as a reality. I'm not talking about XDR as a product but more as an overall concept. The more we can have the integration of disparate systems and the injection of cross-team intelligence, the more effective a company’s security posture is going to be.

When talking about individual users, what bad cybersecurity habits do you notice most often? What best practices should be adopted instead?

Most often users do not follow what’s been asked of them by their company's security team. While more people have raised their concerns about their online privacy, it has become a hurdle for implementing security measures. Setting up the proper policies and training for users is the best way to counteract these obstacles.

Also, human error tends to be one of the biggest causes of breaches. Whether it is using simple passwords, clicking on malicious links, or not updating software, these are only a few examples of things that could be avoided.

A few ways to stay diligent include using multi-factor authentication (MFA), storing sensitive data that is also protected by MFA (if not stored offline), consistently updating your software, and always educating yourself and others about current cybersecurity trends.

What’s next for ThreatQuotient?

From the beginning, ThreatQuotient went out to build a tool to make security more manageable and proactive, enabling customers to have more efficient and effective security operations. We continue to focus on innovation to drive companies towards the SOC of the future – prioritizing data management and data analytics, leveraging our open integration architecture to enable data to flow across all systems, and providing the right balance between automation of workflows and the ability to investigate and take action faster.