ESG Blogs

In continuing my chat with Marc Solomon, CMO of ThreatQuotient, Marc and I discuss:

1. SOC integration. At its heart, SOAPA is an integrated heterogenous technology architecture for security operations, so I ask Marc how integration plays into ThreatQ’s strategy. Marc mentions that the platform includes bi-directional integration where ThreatQ consumes and provides data. What type of data? External threat data, enriched data, event data, etc. ThreatQuotient can be used as a SOAPA data broker, acting as the single source of truth for security operations.

Mark Solomon, CMO of ThreatQuotient. and I had a chance to get together and talk SOAPA recently. In part 1 of our video, Marc gives a brief description about what ThreatQ does and then we proceed to chat about:

1. What’s the deal with cyber threat intelligence (CTI)? For every SOC manager who tells me that threat intelligence is the foundation of security operations, another says that his or her organization struggles to operationalize threat intelligence. What’s going on here? Marc believes the term “threat intelligence” is somewhat poisoned and meaningless today. The real key is to collect, process, analyze, and act upon the CTI that aligns with your organization’s infrastructure, industry, location, etc., and then integrate it into every aspect of security ops.

Anton Chuvakin knows his stuff, so I was excited to have him participate in ESG’s SOAPA video series. In part 2 of our video, Anton and I chat about:

1. Security data. I mention to Anton that many SOC teams are buried in large volumes of security telemetry and then ask if we are trying to collect, process, and analyze more data than we need. Anton responds that we have too much “dirty data” that really isn’t useful. Therefore, the challenge is understanding which telemetry is useful, how it’s useful, and which other data elements we need for data enrichment to improve the efficacy and efficiency of our analytics.

Like so many industry and vendor events so far in 2020 (and no doubt like many more for a good while yet), VMworld was presented digitally this year. That significant change did not however affect its scale, whether measured by ambition, breadth of coverage or likely impact.

I’ve long admired the work of Dr. Anton Chuvakin, head of solution strategy at Google Chronicle. Anton really knows security analytics and operations so now that he’s no longer a Gartner analyst, it was great to have him participate in the SOAPA video series. In part 1, Anton and I discuss:

• Detection as code. In a recent blog, Anton proposes, "detection as code." The thought here is that you want to “devops” your detections to keep up with threats and strive for constant improvement. This is an intriguing concept that may be especially useful for large organizations in specific industries under attack. We have focused industry ISACs, why not focused industry detection code?

Operationalizing the IT requirements for a remote workforce for many businesses means accelerating digital transformation initiatives, which leverage a range of cloud services. As a result, an organization’s cloud footprint increasingly includes a mix of third-party SaaS applications as well as internally developed cloud-native apps to support critical back, middle, and front office operations. But different organizations are in different stages of cloud adoption from born-in-the-cloud companies fully indexed on the cloud to enterprises who operate in a hybrid, multi-cloud world.

The application security market is in a state of transition as legacy approaches to web application firewall, API protection, bot mitigation, and DDoS prevention have struggled to meet the needs of modern applications. The decentralization of application development and shift to agile methodologies, significant shortage of security skills with regards to applications, and evolution towards sophisticated, multi-vector attacks have forced organizations to rethink their approaches to application security. The evolution towards WAAP, or web application and API protection has been a direct result but remains a work in progress, with many providers just starting to loosely couple the required pieces.

The IT implications of the pandemic-induced surge in remote work are headlined by an increased reliance on cloud applications and services. Supporting and securing direct-to-cloud access has necessitated a focus on identity and access management (IAM) initiatives including:

Zero-trust has seen an explosion in interest over the last few years. As the perimeter has become increasingly porous due to cloud usage and distributed network architectures, a fresh look at some of the foundational cybersecurity concepts was sorely needed. This has only been exacerbated by the pandemic, with many organizations not only supporting a primarily remote workforce, but also trying to complete their digital transformation journey in a matter of months, rather than the years they originally planned.

Old friend and Cybereason CSO Sam Curry and I got together (virtually) to chat about all things SOAPA. In part 2 of our video, we focus on:

• This newish thing called XDR. My colleague Dave Gruber and I are all over XDR as analysts, so I asked Sam for his thoughts. Sam thinks of XDR as taking EDR to the next level. He even broke down the acronym stating that the X signified telemetry independence. The “D” in XDR is somewhat overstated, Sam is really focused on the importance of the R, response, as security is about blocking (not finding) the bad guys. In the end, XDR should be a force multiplier for the cybersecurity staff.