The subject of threat intelligence divides people in my experience – some think it is great while others are more sceptical. Of the many vendors in this industry, some choose to embrace the term threat while the likes of Anomali have changed their name altogether.
A new name to me is ThreatQuotient, and I recently had the chance to meet co-founder and CTO Ryan Trost. A former cyber intelligence solutions architect with over 15 years of security experience focusing on intrusion detection and cyber intelligence, and on leading SOC teams, Trost explained that the venture into the vendor space began in 2013 with his co-founder Wayne Chiang, aiming to solve a challenge they had encountered as users.
“I had been the SOC manager at General Dynamics and had analysts getting threat intelligence from all over the place, but we didn’t have a good repository to put it in so each analyst had their own spreadsheet where they collected data. What we found was that was the most inefficient thing we had seen,” he said.
“So Wayne and I took a step back and decided that the industry has the same issue, and with threat intelligence growing exponentially with the kill chain and crowd sourcing of information, companies were just dying to have a way to structure and use it beyond Excel and Google spreadsheets.”
Trost described the solution as dedicated to threat intelligence. Using it in his day job, he said, things reached the point where analysts were finding so many IP addresses and domains that priorities were being fed out hourly.
“So it started to annoy people and with the threat intelligence platform we could ingest data automatically and parse out the indicators,” he said. “With the tools having relatively open APIs we could easily push it into the center and the analysts loved it as we allowed them to regain the control over copying and pasting. Also the network engineers liked it as they are not having to do it. Also the SOC manager and CFO and CISO liked it as now they are getting that threat intelligence and defending much faster.”
Trost’s idea was different from putting threat intelligence into a SIEM, which he said isn’t a very good way to do it, as a lot of SIEMs do not have enough processing power to rewrite and correlate that amount of information. ThreatQuotient’s idea was instead to send information to a sensor grid, and also to a SIEM, so that the alerts are correlated.
He said: “It is not just an IP address, you get more of the story so that you are not having to work through domain tools and Virus Total and web browsers. You have all of that information in one spot, so they can make that decision a lot faster.”
So what exactly is it that they do? Trost said that it is about ingesting data; being vendor agnostic and not providing a feed means the company can partner with everybody without infringing on their business models.
“We made an early decision to be on-premise and allow an analyst to run down the hall and pull the plug if they need to,” he said. “Companies will not want to put incident and threat data into the cloud and not be able to manage that data, we can determine what has been seen and overlay with indicators and we tell you which is the best source for threat intelligence of the 200+ feeds out there.”
So, with his SOC background, how obvious was this solution? Trost said that the early issues were always “whack a mole”: they handled workstation management and re-imaging quickly, then put the emphasis on getting a snapshot to determine who was patient zero and on doing true incident response, which opened the door to knowing the enemy.
He said: “As we did sales calls, it was ‘we’ve got a product, let me tell you about it’, and when I explained it you saw the lightbulbs go on and people are very passionate about it. They knew it and had the same pains with the tools and workflows to justify to management, and we built deep relationships with the early customers and I’ve run federal and defense contractor SOCs, and now I am seeing exposure to the financial sector and how they run the teams, as their adversaries are very different to the ones that I am used to facing.”
He explained that with processing of ingested data, the more you learn about the adversary and their tactics, techniques and procedures, the more you can start to determine their indicators, make business decisions based on capex and opex and on what works and what does not, and control the information rather than simply being provided with it. “The API reaches out and pulls in information every couple of minutes to determine what is new.”
Trost said that with more than 35 integrations confirmed, data is ingested and normalized to determine what format it is in and to make a start on handling the information. Launched in January 2014, the ThreatQ product is on-premise, and Trost said that this is the best way for this to work, although he admitted that cloud is the best way to consume everything.
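The ingestion step Trost describes here, and the automatic parsing of indicators out of feed data he mentions earlier, come down to one recurring job: take indicators arriving in inconsistent formats from several sources, work out what each one is, normalize it so the same indicator from two feeds compares equal, and record which sources reported it. The following is an added illustration of that job, written for this article; it is not ThreatQ code and does not reflect how the product is implemented. The feed names, the sample lines and the indicator values are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed lines in the mixed shapes an analyst's spreadsheets
# tend to hold: bare values, key=value lines, and "defanged" indicators.
# Hashes are the MD5 and SHA-256 of the empty string; addresses are documentation ranges.
SAMPLE_FEEDS = {
    "feed_a": [
        "198.51.100.23",
        "Example-Bad[.]com",
        "D41D8CD98F00B204E9800998ECF8427E",
    ],
    "feed_b": [
        "indicator=198.51.100.23",
        "indicator=hxxp://example-bad[.]com/payload.bin",
        "indicator=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    ],
    "feed_c": [
        "example-bad.com",
        "d41d8cd98f00b204e9800998ecf8427e",
        "not an indicator at all",
    ],
}

HEX = re.compile(r"^[0-9a-f]+$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(value):
    """Undo common defanging so one indicator written two ways dedupes to one record."""
    return (
        value.strip()
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .replace("[.]", ".")
        .replace("(.)", ".")
        .replace("[:]", ":")
    )


def classify(raw):
    """Return (indicator_type, normalized_value), or None when the line is not a
    supported indicator type. Hashes, IPs and domains are case-folded; a URL keeps
    its path case but gets a lower-cased scheme and host."""
    value = refang(raw)
    if "=" in value and not value.lower().startswith(("http://", "https://")):
        value = value.split("=", 1)[1].strip()  # key=value feed line
    lowered = value.lower()
    if HEX.match(lowered) and len(lowered) in HASH_TYPES:
        return HASH_TYPES[len(lowered)], lowered
    try:
        ip = ipaddress.ip_address(lowered)
        return ("ipv4" if ip.version == 4 else "ipv6"), str(ip)
    except ValueError:
        pass
    if lowered.startswith(("http://", "https://")):
        p = urlsplit(value)
        return "url", urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    if DOMAIN.match(lowered):
        return "domain", lowered
    return None


def ingest(feeds):
    """Map each (type, value) indicator to the sorted list of feeds that reported it."""
    seen = defaultdict(set)
    for source, lines in feeds.items():
        for line in lines:
            hit = classify(line)
            if hit is not None:
                seen[hit].add(source)
    return {indicator: sorted(sources) for indicator, sources in seen.items()}


def corroborated(table, minimum=2):
    """Indicators reported by at least `minimum` independent feeds."""
    return {ind: srcs for ind, srcs in table.items() if len(srcs) >= minimum}


def source_summary(table):
    """Per feed: how many indicators it contributed and how many nobody else had.
    A crude first cut at comparing feeds, which is one input to deciding which
    sources earn their keep."""
    summary = defaultdict(lambda: {"total": 0, "unique": 0})
    for sources in table.values():
        for source in sources:
            summary[source]["total"] += 1
            if len(sources) == 1:
                summary[source]["unique"] += 1
    return dict(summary)


if __name__ == "__main__":
    table = ingest(SAMPLE_FEEDS)
    for indicator, sources in sorted(table.items()):
        print(indicator, sources)
    print(source_summary(table))
```

The constructed feeds deliberately overlap: the same IP, domain and MD5 appear in different casings and defangings across feeds, and the normalizer collapses them to three shared records plus two that only `feed_b` carries, which is exactly the overlap an analyst would otherwise be tracking by hand across spreadsheets.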
“But for all tools and security on a 443 connection, it adds a lot more bandwidth, but on premise it connects a lot better and the feedback loop is more critical and you put more and better information in it,” he said.
“A lot of the time, tools like SIEM can ingest information but it can only ingest a certain indicator type, so for MD5 hashes or SHA-256 in the SIEM, it will make 6-10 API calls so it is more overhead and more traffic.”
We concluded with a throwback to threat intelligence, and I asked Trost whether the driving point of threat intelligence is to be better protected. He said that the industry had open source intelligence, but that this was not true intelligence, just a bunch of blacklists; because that is deemed white noise, users are forced to look at providers, yet users do not have the skills and time to process it properly.
“It is easy to buy it as it is Big Data and we need to compare with your own intelligence, and hire hunting teams and find more pivot points to build relations with other teams and ultimately create and generate your own feeds. What is beautiful for us is you still need a platform to manage it.”