ESG's Jon Oltsik discusses SOAPA with Marc Solomon of ThreatQuotient. This is Part 1 of 2.
Jon: Hi, everyone. It's me, Jon Oltsik, senior principal analyst and fellow at Enterprise Strategy Group. Welcome to another installation of the SOAPA video series. And I'm joined by Marc Solomon, who's the CMO of ThreatQuotient. Welcome, Marc.
Marc: Thank you, Jon. Great to be here.
Jon: Marc, let's start with the basics. Tell me, what does ThreatQuotient do, for those who don't know, and how does it fit into SOAPA?
Marc: Sure, the principles behind ThreatQ are really the same principles behind SOAPA. You know, we integrate disparate tools by taking events, alerts, and data from all the different systems internally, contextualize it with external intelligence to make the security operations more effective and efficient. We do that in three areas.
First, data. We filter out the noise so people can accelerate detection and response. Second area is systems. We integrate all the disparate systems into a single architecture so you can get more out of your existing investments. And the third is the people. We help automate simple tasks and enable the advanced tasks to be done much more efficiently.
Jon: Now, Marc, initially, you were classified as a threat intelligence platform, so let me ask you about threat intelligence. On the one hand, I hear people say it's the lifeblood of the SOC. On the other hand, I hear, "We're struggling to operationalize threat intelligence." So, take me through that. How is there this dichotomy of feelings?
Marc: Threat intelligence has different meanings for different people. I actually, and it might be a little provocative, but I say that the term "threat intelligence" is poisoned. What do I mean by that? When people talk about threat intelligence, they're really thinking about external threat data. And yes, external threat data is part of the threat intelligence, but that's not the end-all, be-all.
You need to have your internal data from systems, telemetry, etc. All of that combined, with human intelligence as well, really makes up threat intelligence. So, what do we do, and what do we need to do from a threat intel standpoint to feed the SOC? Well, the first thing is to collect it from all the different sources. Then you need to be able to normalize it so you can correlate the information and all that, contextualize it to ensure relevance to the organization, prioritize it to remove the noise, and then you integrate it within the infrastructure for automation and action.
Jon: Okay, Marc. So, given that, think about one of your best customers, one of the people who's using your technology really aggressively, and tell me the use cases that they're doing. What are the common use cases, what are the surprising ones, and sort of how does that fit into SOAPA?
Marc: You know, it's amazing to watch the evolution of how people are utilizing the platform. Yes, threat intel management was our initial use case, but we actually did a survey earlier this year, because we built the platform for much broader use than threat intel management. We wanted to see how people utilize it. We found that over 70% of our customers were utilizing the platform beyond threat intel management, use cases like alert triage, incident response, threat hunting, spear phish analysis, vulnerability prioritization, and even fraud detection.
Jon: So tell me, how do I measure success in those areas using your platform? What am I doing now, or what am I getting that I wouldn't have gotten otherwise?
Marc: Let's just face it, security is a big data problem, right? You're getting a lot of data from internal sources, you're getting a lot of data from, you know, external sources, and that prioritization is key. Because if not, frankly, you end up chasing ghosts, right? So, you know, you have a lot of data, you need to be able to process it. The reality also is customers are unique. They have their own industry, they have their own infrastructures.
If you go into the SOC today, if you go into 200 different SOCs, you're going to have 198 different infrastructures. Customers, in addition, have different risk profiles. So, prioritization and scoring within a platform should marry what the customer needs. The reality today is that most, you know, vendors provide a score or prioritization on a global basis, not on, you know, a customer basis.
And so, the efficiency is much lower. If you can filter out the noise and focus on just the important items, the ROI is immense because you're actually focused on 2% of the items that have come in versus sifting through all these other things. The goal of the platform really is to have confidence in the data that you're working with.
Because if you have confidence in the data, then you have confidence in the decisions that you make based on that data. And once you have confidence in the decisions, then you have confidence to automate those decisions and the resulting actions.
Jon: So, there's a term out there, SOC modernization. What does that mean to you, real quick?
Marc: Yeah. So, you know, SOC modernization, you know, I'll go back to the three areas, right? Data today, it's decentralized, different tools have different intelligence, they talk in different languages. Modernization, the data is normalized and prioritized. The systems today, disparate point products. Going forward, it's a truly integrated defense.
And the people, instead of being siloed and frankly challenged, because there's not enough people to do everything that's needed, they're empowered to get the job done through automation and collaboration.
Jon: Great. Sounds like SOAPA to me. And, Marc, fun talking to you. Can you stick around for part 2?
Marc: Absolutely, Jon. Thanks.
Jon: Okay. We'll be back with part 2 of our video with Marc Solomon from ThreatQuotient soon.