ThreatQuotient launches automation capability for detection and response
ThreatQuotient has launched a data-driven approach to SOAR and XDR to help accelerate detection and response.
The company has announced its new ThreatQ TDR Orchestrator, a data-driven automation capability that enables users to control what actions are to be taken, when, and why through the use of data.
With the shortage of security personnel, automation has become a key strategy to offload repetitive tasks and empower humans to conduct advanced security operations tasks more efficiently, the company states.
To date, automation has been looked at as defining a process and the steps needed to complete that process.
This approach ignores the fact that automation is much more than just running the process, according to the company. In reality, there are three important stages of automation to define and address.
These are initiate, run and learn. Initiate, define what should have actions taken upon it and when those actions should occur; run, perform the course of action or defined process through to completion; and learn, record what is learned for analytics and to improve future response.
ThreatQ TDR Orchestrator puts the smarts in the platform and not the individual playbooks by using Smart Collections and data-driven playbooks, ThreatQuotient states.
The application of Smart Collections and data-driven playbooks provides for simpler configuration and maintenance, and provides a more efficient automation outcome.
This approach further addresses all three stages of automation by enabling users to curate and prioritise data upfront, automate only when relevant, and simplify actions taken.
It can be used to complement other playbook capabilities through ThreatQuotients ecosystem partners or users can define data-driven playbooks within the ThreatQ platform, the company states.
To improve the platform smarts, it will also capture what has been learned to improve data analytics, which in turn improves the initiation stage of automation.
Use cases for ThreatQ TDR Orchestrator include but are not limited to automating the following: hunting key threats as new intelligence is learned and recording the results; deploying blocking and detection content to EDR and network devices; enriching threat intelligence that meets complex criteria including relationships; tasking a user to patch a high priority vulnerability that is being used in relevant campaigns.
ThreatQuotient VP of product management Leon Ward says, “The security industry's approach to automation has overlooked the vastly different needs of detection and response use cases.
"The focus of ThreatQ TDR Orchestrator is data, not process. In detection and response, what is learned when performing an action is far more important than the action itself.
"ThreatQuotient has seized an opportunity to define and provide automation in a way that reduces complexity for security teams.”