ThreatQuotient announced ThreatQ TDR Orchestrator, a new data-driven automation capability for more efficient and effective threat detection and response. This capability enables users to control what actions are to be taken, when, and why through the use of data.
“The security industry’s approach to automation has overlooked the vastly different needs of detection and response use cases,” said Leon Ward, VP of Product Management, ThreatQuotient. “The focus of ThreatQ TDR Orchestrator is data, not process. In detection and response, what is learned when performing an action is far more important than the action itself. ThreatQuotient has seized an opportunity to define and provide automation in a way that reduces complexity for security teams.”
With the shortage of security personnel, automation has become a key strategy to offload repetitive tasks and empower humans to conduct advanced security operations tasks more efficiently. To date, automation has been looked at as defining a process and the steps needed to complete that process. This approach ignores the fact that automation is much more than just running the process. In reality, there are three important stages of automation to define and address:
- Initiate – Define what should have actions taken upon it and when those actions should occur
- Run – Perform the course of action or defined process through to completion
- Learn – Record what is learned for analytics and to improve future response
ThreatQ TDR Orchestrator puts the “smarts” in the platform and not the individual playbooks by using Smart Collections™ and data-driven playbooks. The application of Smart Collections and data-driven playbooks provides for simpler configuration and maintenance, and provides a more efficient automation outcome. This approach further addresses all three stages of automation – Initiate, Run and Learn – easily and efficiently by enabling users to curate and prioritise data upfront, automate only when relevant, and simplify actions taken. It can be used to complement other playbook capabilities through ThreatQuotient’s ecosystem partners or users can define data-driven playbooks within the ThreatQ platform. To improve the platform “smarts”, it will also capture what has been learned to improve data analytics, which in turn improves the initiation stage of automation.
Use cases for ThreatQ TDR Orchestrator include but are not limited to automating the following:
- Hunting key threats as new intelligence is learned and recording the results
- Deploying blocking and detection content to EDR and network devices
- Enriching threat intelligence that meets complex criteria including relationships
- Tasking a user to patch a high priority vulnerability that is being used in relevant campaigns
“Having high confidence in the data being used to trigger alerts is critical. ThreatQuotient’s approach to security operations ensures that teams remain focused on high-priority threats through automation and optimisation, achieving results such as freeing up multiple analysts for more important tasks,” Ed Amoroso, CEO and Founder, TAG Cyber. “ThreatQuotient’s data-driven approach to automation through ThreatQ TDR Orchestrator enables security teams to reduce the number of playbook runs and have confidence that the output is relevant and high priority.”