Cybersecurity & Networking

  • Somewhere around 2015, the security industry adopted a new mantra, “cybersecurity is a boardroom issue.” This statement was supported by lots of independent research, business press articles, webinars, local events, and even sessions at RSA and Black Hat crowing about the burgeoning relationship between CISOs, business executives, and corporate boards.

    At the beginning of last year, I noticed that boardroom buzz about cybersecurity hadn’t really changed over the past 5 years – same old tired rhetoric and hyperbole. Hmm. Certainly, things must have progressed in that 5-year timeframe, right?


  • Network Security Predictions for 2021

    Enterprise Strategy Group’s John Grady outlines seven network security predictions for 2021, including:

    • Remote work and zero trust access will remain top drivers for SASE through next year.
    • The appliance market evolves to remain relevant.
    • Runtime application security continues to converge.
    • API protection gets its due attention as part of WAAP.

    For more predictions and a look back at how significant 2020 was for network security, download the full brief.

  • Trends in IAM: Cloud-driven Identities

    ESG’s Master Survey Results provide the complete output of syndicated research surveys in graphical format. In addition to the data, these documents provide background information on the survey, including respondent profiles at an individual and organizational level. It is important to note that these documents do not contain analysis of the data.

    This Master Survey Results presentation focuses on current identity and access management (IAM) challenges and threats, as well as strategies and buying intentions, including assessing the prioritization of IAM and identity governance and administration (IGA) technologies.


  • Securing Modern Application Development Environments

    DevSecOps has moved security front and center in the world of modern development; however, security and development teams are driven by different metrics, making objective alignment challenging. This is further exacerbated by the fact that most security teams lack an understanding of modern application development practices. The move to microservices-driven architectures and the use of containers and serverless have shifted the dynamics of how developers build, test, and deploy code. As a result, a convergence of application security tools is underway. Organizations are overwhelmed with the amount of and overlap in issues raised from multiple testing tools, complicating prioritization and mitigation, so integrated application security platforms are desired.

    In order to gain insight into these trends, ESG surveyed 378 IT, cybersecurity, and application development professionals at organizations in North America (US and Canada) involved with securing application development tools and processes.


  • SOAPA Interview with ThreatQuotient, Part 2 (Video)

    In continuing my chat with Marc Solomon, CMO of ThreatQuotient, Marc and I discuss:

    1. SOC integration. At its heart, SOAPA is an integrated heterogenous technology architecture for security operations, so I ask Marc how integration plays into ThreatQ’s strategy. Marc mentions that the platform includes bi-directional integration where ThreatQ consumes and provides data. What type of data? External threat data, enriched data, event data, etc. ThreatQuotient can be used as a SOAPA data broker, acting as the single source of truth for security operations.
    2. ThreatQuotient has some SOAR functionality, so I ask Marc about process automation. Marc says that while SOAR has been out for a while, he still sees most companies automating basic tasks, so there’s a general state of immaturity. Marc is bullish about more process automation in the future, however, and everything starts with the data.
    3. Are we moving toward SOC visualization consolidation? One of the biggest SOC bugaboos is the need to view security through multiple UIs. Personally, I believe that SOC visualization is the next frontier with new tools acting as a standard workbench for multiple activities. Marc agrees but reminds us not to forget about specialization. Yes, there will be more UI consolidation, but there will always be specialized tools, and SOC analysts using these tools will want to work within their UIs. Once again, Marc points to the data. If the data is normalized, consistent, and available, it will be useful regardless of how you view it.
    4. XDR. My colleague Dave Gruber and I have done a lot of research in this area, while Marc has looked at XDR through the lens of ThreatQ. In Marc’s view, XDR is long overdue to combine the threat detection power of multiple different technologies into a single system. Marc still believes that these analytics will need tools like ThreatQuotient to act as a SOAPA data hub and broker, while XDR takes more control of the analytics layer.
    5. The future of SOAPA. Marc believes SOAPA is the future of security operations as tools like ThreatQ bring in more data sources, opening the SOC to new use cases.

    Thanks again to Marc Solomon and ThreatQuotient for participating in the SOAPA video series. Look for more videos in 2021.

  • Marc Solomon, CMO of ThreatQuotient, and I had a chance to get together and talk SOAPA recently. In part 1 of our video, Marc gives a brief description of what ThreatQ does, and then we proceed to chat about:

    1. What’s the deal with cyber threat intelligence (CTI)? For every SOC manager who tells me that threat intelligence is the foundation of security operations, another says that his or her organization struggles to operationalize threat intelligence. What’s going on here? Marc believes the term “threat intelligence” is somewhat poisoned and meaningless today. The real key is to collect, process, analyze, and act upon the CTI that aligns with your organization’s infrastructure, industry, location, etc., and then integrate it into every aspect of security ops.
    2. Use cases for ThreatQuotient. ThreatQ is lumped into a bucket called threat intelligence platforms (TIPs), but I know the product can do more than just weed through threat feeds. Marc says that 70% of customers use ThreatQ for other use cases like alert triage, incident response, phishing investigations, etc. ThreatQuotient is kind of a Swiss Army knife for SOAPA.
    3. Alert fatigue. I mention to Marc that ESG data points to an overwhelming volume of alerts and ask if this is consistent with what he is seeing. Marc agrees but reminds the audience that security is a big data problem. Therefore, it’s about normalizing and contextualizing the data to make it useful. By doing so, you can improve fidelity, accelerate processes, enhance collaboration, and see real ROI on security investments.
    4. SOC modernization. This term has become yet another piece of industry hyperbole, so I asked Marc what he thinks. To Marc, it all starts with the data, but the data tends to be siloed and in different formats today. Thus, SOC modernization starts with data normalization, integrated defenses, and a focus on enabling the SOC staff. Marc also emphasized the need for more process automation, process maturity, and improved collaboration processes and tools.

    Marc’s an old hand at security, so it was great to kibitz with him about SOAPA. More soon in part 2 of our video.
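    Both halves of the conversation keep coming back to the same point: alerts only become useful once events from different tools are normalized into one schema, enriched with threat intelligence that is scoped to your own organization, and collapsed so the analyst sees one item instead of three. The block below is an added example written for this page, not ThreatQ code or anything Marc described in detail. The firewall syslog line, the EDR JSON events, the indicator “feed,” the sector profile, and the scoring weights are all constructed for illustration.

```python
"""Normalize heterogeneous security events into one schema, enrich them
with constructed threat-intel indicators, and rank them for triage."""
import json
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not real logs): one iptables-style syslog
# line and two EDR JSON events. The first EDR event describes the same
# outbound connection the firewall saw; the second is benign.
SAMPLE_SYSLOG = (
    "Jan 14 10:01:02 fw01 kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 "
    "DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=443 ACTION=ALLOW"
)
SAMPLE_EDR = json.dumps({
    "event_type": "network_connect", "host": "ws-0042",
    "local_ip": "10.0.0.5", "remote_ip": "203.0.113.7",
    "remote_port": 443, "process": "powershell.exe",
})
SAMPLE_EDR_BENIGN = json.dumps({
    "event_type": "network_connect", "host": "ws-0042",
    "local_ip": "10.0.0.5", "remote_ip": "198.51.100.20",
    "remote_port": 443, "process": "chrome.exe",
})

# Constructed indicator "feed" (assumed format, not a real feed). Each
# indicator carries context: confidence and the sectors it was seen hitting.
INDICATORS = {
    "203.0.113.7": {"confidence": 80, "sectors": ["finance"], "name": "demo-c2"},
    "198.51.100.9": {"confidence": 40, "sectors": ["retail"], "name": "demo-scanner"},
}
OUR_SECTOR = "finance"  # assumed organizational profile used to scope CTI
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


@dataclass
class Event:
    """Common schema every source is mapped onto."""
    source: str
    src_ip: str
    dst_ip: str
    dst_port: int
    detail: dict = field(default_factory=dict)
    score: int = 0
    tags: list = field(default_factory=list)


_KV = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line: str) -> Event:
    """Parse KEY=VALUE pairs from an iptables-style syslog line."""
    kv = dict(_KV.findall(line))
    return Event("firewall", kv["SRC"], kv["DST"], int(kv["DPT"]),
                 {"action": kv.get("ACTION"), "proto": kv.get("PROTO")})


def parse_edr(raw: str) -> Event:
    """Map an EDR JSON event onto the same schema."""
    d = json.loads(raw)
    return Event("edr", d["local_ip"], d["remote_ip"], int(d["remote_port"]),
                 {"host": d["host"], "process": d["process"]})


def enrich(ev: Event) -> Event:
    """Attach indicator context and score the event for triage."""
    ioc = INDICATORS.get(ev.dst_ip)
    if ioc:
        ev.tags.append(f"ioc:{ioc['name']}")
        ev.score += ioc["confidence"]
        if OUR_SECTOR in ioc["sectors"]:  # CTI relevant to *our* organization
            ev.tags.append("targets-our-sector")
            ev.score += 20
    if ev.source == "edr" and ev.detail.get("process", "").lower() in SCRIPT_HOSTS:
        ev.tags.append("scripting-host")
        ev.score += 10
    return ev


def correlate(events):
    """Collapse events describing the same src->dst:port into one alert,
    keeping the union of tags and the highest score."""
    merged = {}
    for ev in events:
        key = (ev.src_ip, ev.dst_ip, ev.dst_port)
        if key in merged:
            m = merged[key]
            m.tags = sorted(set(m.tags) | set(ev.tags))
            m.score = max(m.score, ev.score)
            m.detail.update(ev.detail)
            m.source += "," + ev.source
        else:
            merged[key] = ev
    return sorted(merged.values(), key=lambda e: e.score, reverse=True)


def triage(raw_events):
    """raw_events: list of (kind, payload) with kind in {'syslog', 'edr'}.
    Returns alerts ordered by priority, highest first."""
    parsers = {"syslog": parse_syslog, "edr": parse_edr}
    return correlate(enrich(parsers[kind](payload)) for kind, payload in raw_events)


if __name__ == "__main__":
    for alert in triage([("syslog", SAMPLE_SYSLOG), ("edr", SAMPLE_EDR),
                         ("edr", SAMPLE_EDR_BENIGN)]):
        print(alert.score, alert.source, alert.dst_ip, alert.tags)
```

    The three raw events collapse to two alerts; the one whose destination appears in the indicator set, is tagged as targeting our sector, and was initiated by a scripting host sorts to the top, while the benign browser connection scores zero. The scoring weights are arbitrary; what matters is that the weighting is applied after normalization, so the same logic runs regardless of which tool produced the event.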

  • Modern Application Development Security

    ESG’s Master Survey Results provide the complete output of syndicated research surveys in graphical format. In addition to the data, these documents provide background information on the survey, including respondent profiles at an individual and organizational level. It is important to note that these documents do not contain analysis of the data.

    This Master Survey Results presentation focuses on the purchasing intentions, investment habits, and deployment practices for security solutions used to secure and manage application development.


  • Anton Chuvakin knows his stuff, so I was excited to have him participate in Enterprise Strategy Group’s SOAPA video series. In part 2 of our video, Anton and I chat about:

    1. Security data. I mention to Anton that many SOC teams are buried in large volumes of security telemetry and then ask if we are trying to collect, process, and analyze more data than we need. Anton responds that we have too much “dirty data” that really isn’t useful. Therefore, the challenge is understanding which telemetry is useful, how it’s useful, and which other data elements we need for data enrichment to improve the efficacy and efficiency of our analytics.
    2. Common Chronicle use cases. Speaking of data, Google Chronicle is unique in that customers can keep security data online for long periods of time (without a hefty price tag). What do customers do with this data? Anton mentions the most common Chronicle use cases are incident response and threat detection. He also says that Chronicle is the first security platform to include threat hunting as a core function. No, these use cases aren’t unique, but Chronicle’s approach is.
    3. The tradeoff between security efficacy and complexity. This will always be a balancing act because security analytics and operations are difficult by default. Anton doesn’t believe there will ever be a magic single solution. Rather, best-of-breed tools interoperability will improve through API integration. Kind of sounds like SOAPA.
    4. SOC modernization. A nebulous term from the start, so I ask Anton for his definition. Anton describes SOC modernization across people, process, and technology, highlighting things like distributed/integrated tools, changing skill sets and specializations, and broader processes beyond alert triage – like threat hunting and data exploration.
    5. The future of SOAPA. I always ask my guests to predict the future of the SOC and SOAPA, so it was somewhat surprising that Anton chose to focus on the human element. Despite technologies like machine learning and process automation, Anton insists that we will still need highly motivated and skilled SOC analysts who understand the threat landscape and use their experience and intuition to make sense of the data. I couldn’t agree more.

    Many thanks to Anton and the Google Chronicle team for participating in the SOAPA video series. Look for more SOAPA videos soon.

  • I’ve long admired the work of Dr. Anton Chuvakin, head of solution strategy at Google Chronicle. Anton really knows security analytics and operations so now that he’s no longer a Gartner analyst, it was great to have him participate in the SOAPA video series. In part 1, Anton and I discuss:

    • Detection as code. In a recent blog, Anton proposes, “detection as code.” The thought here is that you want to “devops” your detections to keep up with threats and strive for constant improvement. This is an intriguing concept that may be especially useful for large organizations in specific industries under attack. We have focused industry ISACs, why not focused industry detection code?
    • SOC nuclear triad progression. Anton’s nuclear triad concept combines logs (SIEM), endpoint telemetry (EDR), and network traffic analysis (NTA/NDR) into a SOC architecture like ESG’s SOAPA. In this era where everything runs on software, Anton believes the triad may be supplemented with specific application visibility telemetry in the future.
    • New data sources. Anton believes that deeper application visibility is the biggest missing link in security analytics today but perhaps we’ll add more logging sources as well. We both anticipate more use of deception technology as a new telemetry source in an auxiliary role.
    • XDR. My colleague Dave Gruber and I are knee-deep in research in this area, but I wanted to ask an old hand like Anton what he thinks about this new trend. In the past, Anton had a log-centric view of SOC technology, but he is now open to an endpoint-oriented architecture a la XDR. In the short term, XDR must coexist with SIEM, but the two models are bound for a collision course.

    Dr. Chuvakin and I have lived in the same neighborhood for years so it’s great to finally spend some time together. More from Anton on SOAPA and Google Chronicle in part 2 of our video soon.
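    The “detection as code” idea in part 1 is easier to see than to describe: a detection is data kept in version control, it is compiled into a matcher rather than hand-configured in a console, and it ships with its own true-positive and true-negative fixtures so a CI job can refuse to merge a rule that has silently stopped firing. The block below is an added example written for this page, not Anton’s code, Chronicle’s rule language, or the full Sigma specification. The rule layout is a deliberately small Sigma-style subset (field selectors with `|contains` and `|endswith` modifiers, a filter block, and a fixed condition form), and the rule, its fixtures, the process names, and the `sccm_agent.exe` exclusion are all constructed for illustration.

```python
"""Detection as code, in miniature: detections are data (Sigma-style
dicts), compiled into matchers, and ship with their own regression tests
so a CI job can reject a rule that no longer behaves on known input."""
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed rule in a simplified Sigma-like layout (assumed subset, not the
# full Sigma spec). The filter excludes an assumed software-deployment agent
# that legitimately launches encoded PowerShell.
RULE_ENCODED_POWERSHELL = {
    "title": "Encoded PowerShell command line",
    "version": "1.2.0",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-EncodedCommand",
        },
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter",
    },
    # Fixtures live next to the rule and are versioned with it.
    "tests": {
        "should_match": [
            {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "CommandLine": "powershell.exe -NoP -EncodedCommand SQBFAFgA",
             "ParentImage": "C:\\Windows\\explorer.exe"},
        ],
        "should_not_match": [
            {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA",
             "ParentImage": "C:\\Program Files\\SCCM\\sccm_agent.exe"},
            {"Image": "C:\\Windows\\System32\\cmd.exe",
             "CommandLine": "cmd.exe /c whoami",
             "ParentImage": "C:\\Windows\\explorer.exe"},
        ],
    },
}


def _field_matcher(spec: str, wanted: str) -> Callable[[Event], bool]:
    """Compile 'Field|modifier': value into a case-insensitive predicate."""
    field, _, modifier = spec.partition("|")

    def match(ev: Event) -> bool:
        actual = ev.get(field, "").lower()
        if modifier == "contains":
            return wanted.lower() in actual
        if modifier == "endswith":
            return actual.endswith(wanted.lower())
        if modifier == "":
            return actual == wanted.lower()
        raise ValueError(f"unsupported modifier {modifier!r}")
    return match


def _block_matcher(block: Dict[str, str]) -> Callable[[Event], bool]:
    """All selectors in a block must hold (implicit AND)."""
    preds = [_field_matcher(k, v) for k, v in block.items()]
    return lambda ev: all(p(ev) for p in preds)


def compile_rule(rule: dict) -> Callable[[Event], bool]:
    """Turn the rule's detection section into a single predicate."""
    det = rule["detection"]
    condition = det.get("condition", "selection")
    selection = _block_matcher(det["selection"])
    if condition == "selection":
        return selection
    if condition == "selection and not filter":
        flt = _block_matcher(det["filter"])
        return lambda ev: selection(ev) and not flt(ev)
    raise ValueError(f"unsupported condition {condition!r}")


def validate_rule(rule: dict) -> List[str]:
    """The CI gate: run the rule over its own fixtures and return the list
    of failures. An empty list means the rule is safe to merge."""
    matcher = compile_rule(rule)
    failures = []
    for i, ev in enumerate(rule["tests"].get("should_match", [])):
        if not matcher(ev):
            failures.append(f"{rule['title']}: should_match[{i}] did not fire")
    for i, ev in enumerate(rule["tests"].get("should_not_match", [])):
        if matcher(ev):
            failures.append(f"{rule['title']}: should_not_match[{i}] fired")
    return failures


def run_rules(rules: List[dict], events: List[Event]) -> List[dict]:
    """Apply every rule to a stream of events; emit one alert per hit,
    stamped with the rule version so alerts are traceable to a commit."""
    compiled = [(r, compile_rule(r)) for r in rules]
    return [{"rule": r["title"], "version": r["version"], "event": ev}
            for ev in events for r, m in compiled if m(ev)]


if __name__ == "__main__":
    print(validate_rule(RULE_ENCODED_POWERSHELL) or "rule OK")
```

    Dropping the filter from the rule (or changing the condition back to plain `selection`) makes `validate_rule` report that the deployment-agent fixture now fires, which is exactly the regression a pull request should fail on. Because each alert carries the rule version, an analyst can tie a noisy week back to the commit that introduced it, which is the “devops your detections” loop the post describes.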

  • Extreme Innovation ‘Connects’ with Customers

    Extreme Networks recently held its 2020 User Conference, Extreme Connect, the first with Wes Durow as CMO. Keeping in line with the new reality we are all facing, it was a virtual event. However, Extreme took great efforts to give the thousands watching from home the feel of a main stage production and to infuse two days of keynotes, breakout sessions, and executive chats with opportunities to have some fun and be entertained.


  • Nutanix Rolls Out Innovation at .NEXT

    A really common question this summer has been “What did you do during the pandemic?” Most would respond with projects around the house, maybe learning a new language, etc. However, if you attended the Nutanix .NEXT virtual conference, it would be pretty clear what the team at Nutanix was doing: innovating to deliver new capabilities for their customers. As the image below indicates, Nutanix announced a slew of innovative new solutions designed to enable organizations to Run Better, Run Faster, and Run Anywhere.


  • Cisco Live 2020 got a makeover this year—it went all digital (due to COVID-19) after being held live and in person for the past 30 years. More than 120,000 people attended the event, where Cisco demonstrated its commitment to the community and its customers. There were also plenty of announcements about new and updated services for networking, security, collaboration, and customer experience. In the networking arena, the new services announced comprised a series of network insight capabilities covering a wide assortment of products across Cisco’s portfolio—focusing on accelerating digital transformation via enhanced proactive and predictive services, and the vital ability to automate data center networks globally.
