
Interview: ThreatQuotient champions threat intelligence through virtual 'situation rooms'

23 Jul 2020

While threat intelligence is often associated with the data that powers standard security technologies such as firewalls, antivirus, and filtering, dedicated threat intelligence offers much more.

To understand what dedicated threat intelligence involves, as well as some of the collaboration challenges that come with distributing threat intelligence amongst specialised security teams, we spoke to ThreatQuotient APJC regional director Anthony Stitt. ThreatQuotient is a security firm that specialises in threat intelligence services for organisations worldwide. 

Threat intelligence: A growing market

“Threat intelligence is coming from everywhere, and it is very democratised. There are specialist vendors who produce it, and the Australian Government has even been doing some things in this space, particularly through state and federal government initiatives to collect and share intelligence,” notes Stitt.

He believes there’s a shift in thinking about threat intelligence, how it gets used and how it gets managed, particularly as security teams seek a sharper relevance to their own organisations and sectors.

Stitt says that actionability is a key problem for threat programs because it takes time for analysts to sift through masses of information to find relevance. But there’s a temporal problem: Do organisations focus on comprehensive, delayed intelligence and risk attacks, or immediate intelligence without context?

“In the background, analysts are investigating adversaries and their behaviour. A lot of intelligence has been researched prior to being published, which means there is often a delay, sometimes of up to a month or more, while it is being prepared and validated.”

“The longer the preparation time, the more context and information is likely to come with the intelligence, but any given organisation might be at risk during this gap period.

“At the other end of the spectrum, some intelligence services release threat intelligence incredibly quickly - almost in real-time - yet it often lacks context. The context is generally what analysts use to determine the priority and what to do with it.”

Stitt says there are two equally important aspects about actioning priority intelligence: The first is to block future attacks; the second is to detect previously successful attacks that you didn't detect at the time they happened. 

“This second aspect is extremely difficult without a threat intelligence platform to store and score intelligence over a long timescale, and correlate it with historical event data from the environment.”

He adds that most intelligence comes with different tags, identifiers, attributes, ratings and priorities, yet every source refers to these in different ways. This is where a Threat Intelligence Platform (TIP) can help by normalising threat intelligence. 

Stitt explains, “A TIP can filter and rank threat data using parameters like your organisation’s geography, industry, the type of intelligence, where it came from, and a range of other contextual relationships."

“This prioritises all incoming intelligence so analysts know where to start first, and typically gets rid of noise by more than 99%, which allows organisations to focus on taking action where required.”
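As an added illustration of the normalisation, context-based ranking and retrospective correlation described above (example code written for this article, not ThreatQuotient's product), the script below merges two constructed feeds that label the same concepts differently, scores each indicator against an organisation's own sector and geography, and then replays the prioritised indicators over stored proxy events to find hits that predate the intelligence. Feed shapes, weights and log format are all assumptions.

```python
# Added example, not ThreatQuotient's code: normalise two differently shaped
# feeds, score them against organisational context, replay over stored events.
SEVERITY = {"low": 30, "medium": 60, "high": 90}   # map textual ratings to 0-100
# Constructed sample feeds; each source labels the same concepts differently.
FEED_A = [  # vendor style: numeric confidence, lists of sectors/regions
    {"ioc": "203.0.113.7", "kind": "ipv4", "confidence": 90,
     "sectors": ["finance"], "regions": ["AU"]},
    {"ioc": "198.51.100.9", "kind": "ipv4", "confidence": 40,
     "sectors": ["retail"], "regions": ["US"]},
]
FEED_B = [  # government style: textual severity, single industry/country
    {"indicator": "evil.example", "type": "domain", "severity": "high",
     "industry": "finance", "country": "AU"},
]

def normalise(feed_a, feed_b):
    """Common record: value, type, confidence 0-100, sectors, regions, source."""
    recs = [dict(value=r["ioc"], ioc_type=r["kind"], confidence=r["confidence"],
                 sectors=set(r["sectors"]), regions=set(r["regions"]),
                 source="feed_a") for r in feed_a]
    recs += [dict(value=r["indicator"], ioc_type=r["type"],
                  confidence=SEVERITY[r["severity"]], sectors={r["industry"]},
                  regions={r["country"]}, source="feed_b") for r in feed_b]
    return recs

def score(rec, org_sector, org_region):
    """Source confidence, boosted when the intel matches our sector/geography."""
    return (rec["confidence"] + 30 * (org_sector in rec["sectors"])
            + 20 * (org_region in rec["regions"]))

def prioritise(recs, org_sector, org_region, threshold=80):
    """Rank normalised records by score and drop the noise below threshold."""
    ranked = sorted(recs, key=lambda r: score(r, org_sector, org_region), reverse=True)
    return [r for r in ranked if score(r, org_sector, org_region) >= threshold]

# Constructed historical proxy events, all older than the intelligence above.
EVENTS = [
    "2020-05-20 10:01:02 host=wks-12 dst=203.0.113.7 action=allow",
    "2020-05-21 08:15:00 host=wks-03 dst=evil.example action=allow",
    "2020-05-22 09:00:00 host=wks-07 dst=192.0.2.1 action=allow",
]

def retro_hunt(recs, events):
    """Replay indicators over stored events to surface hits that predate the intel."""
    wanted = {r["value"]: r["source"] for r in recs}
    hits = []
    for line in events:
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields.get("dst") in wanted:
            hits.append((line[:19], fields["dst"], wanted[fields["dst"]]))
    return hits
```

For a finance organisation in Australia the retail/US indicator drops below the threshold, while the two matching indicators surface earlier allowed connections that were never flagged at the time.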

The evidence board: Threat intelligence collaboration in remote environments

Security teams must protect their corporate networks and employees’ remote networks from all different kinds of threats. How difficult is this task given that everyone, including the security team, is now working from home?

While security teams and those in security operations centres (SOCs) may have experience working remotely, some tools sit in inherently protected environments that cannot be accessed remotely. 

“There has also been a challenge in terms of how security staff work and collaborate. Normally in an office, someone would be able to lean over and talk to the person at the next desk for immediate feedback. If you’re not doing that in a physical environment, you end up relying on tools that don’t always foster collaboration.”

That challenge is one of many that led ThreatQuotient to design a ‘virtual cybersecurity situation room’, which essentially houses threat intelligence data.

“Security teams are getting larger and more specialised over time, leading to segmentation into different groups, different teams, and more siloing. For example, there may be separate groups for security monitoring and threat intelligence, vulnerability assessments and risk – they’ll all be using their own tools and platforms.”

Stitt says that siloed teams have the common goal of defending their organisation, but silos inevitably come with communication and information gaps.

To explain the difference between whole-of-group collaboration and siloed teams, Stitt uses the analogy of ‘evidence boards’ in crime TV shows, where investigators gather around the evidence to work out the details of a crime.

“The question we asked was, ‘how does that happen in a cyber threat environment’? We wanted an evidence board so that different teams can virtually come together and visually work on the same goal, like working out the pieces of a breach or crime.”

Such a platform is well suited to a distributed workforce, because everybody collaborates in the same space, solving the issue of siloed and remote teams.

A single, virtual collaborative environment can also offer security teams the ability to actively share learnings or communicate directly with each other; divvy up tasks to focus on response and understand the actions required of others; and manage security teams effectively by assigning tasks to individuals, coordinating tasks between teams, and monitoring results.

“The key thing that businesses need to think about as they grow and get more specialised is how they use methods and tools to coordinate teams. Even small communication gaps are potential avenues that attackers can use because there will likely be lapses in security coverage,” Stitt says.

With threat intelligence and dedicated virtual cybersecurity situation rooms to bring security teams together, communication gaps and any resulting cyber attacks have one less opportunity to create chaos.
