ESG's Jon Oltsik discusses SOAPA with Marc Solomon of ThreatQuotient. This is Part 2 of 2.
Jon: Hi, again. This is Jon Oltsik, senior principal analyst and fellow at the Enterprise Strategy Group. And I'm back for Part 2 of our SOAPA video with Marc Solomon who's the CMO of ThreatQuotient. Welcome back, Marc.
Marc: Thank you, Jon.
Jon: Let's start with SOAPA integrations. As you know, SOAPA is an integrated architecture. So, from a ThreatQuotient perspective, what tools and technologies are you being asked to integrate it with? Is there anything new there or surprising?
Marc: Integrations are critical for what we do and in SOAPA in general, especially bidirectional ones. We classify integrations in two different areas. One is the internal tools: the SIEM, EDR systems, incident response or ticketing systems, sandboxes, network security devices, orchestration tools, amongst others, right. Those are the internal systems.
The external systems are the threat feeds, right, commercial feeds, open-source feeds, ISAC or sharing feeds, but also some of the enrichment tools and sources. We have to combine all those, and you put it into the platform which becomes a single source of truth that becomes integrated into your architecture to get the right data to the right tools, in fact, with the right teams at the right time.
Jon: You know, you've been characterized in the past as a threat intelligence platform, but you also have a lot of SOAR capabilities. So, what are you seeing in terms of process automation, and where do you kind of end up, and where do the SOAR platforms begin?
Marc: Yeah, it's a great question, and I look at it from a maturity model standpoint. A lot of organizations are still early, right, and they're focusing on automating known processes, like triage or spear phish analysis. Those moving up the maturity curve utilize a platform like ThreatQuotient for orchestrating and automating intel into their infrastructure to support a variety of use cases including hardening of systems, incident response, threat hunting, vulnerability prioritization, etc.
So, what we focus on is really the data, and we will get the right data bubbled up from a priority standpoint, and then we can automate actions onto that data. People can actually utilize tools to do investigations on the data, and frankly, we integrate with some of those playbook and orchestration tools to run some of the plays that then return the data back into us for further analysis, but also to keep a memory of what happened, and we can utilize that data in future analysis and analytics.
Jon: Is that integration with threat intelligence per se, or is that across the board for any type of use case?
Marc: It's a variety of use cases. You know, threat intelligence has a variety of different, you know, form factors, but the key thing is getting the data, processing the data, and analyzing the data to trigger what needs to happen, either from a priority standpoint or by taking an action that can be done internally, through the platform, or externally.
But then getting those results back, because the more context, the more data that we learn within the tool helps that scoring and prioritization, and ultimately makes the SOC more efficient and effective.
Jon: I'm right there with you. Now, when I first came up with SOAPA, Marc, the top layer was the security operations workbench or the security operations platform. I'm now thinking that there's a layer above that, and that's security operations visualization. And I think 2021 will be a big year for that.
What are your thoughts there?
Marc: Yeah, I definitely think that's the direction. It's really no longer about teams that, you know, are working in silos or tools that are in silos. You know, but the reality is that we've been talking about a single pane of glass for a long time, and so we have to be careful that, you know, the visualization is not going to be the end-all, be-all. There are existing tools that people are going to be utilizing.
That's why integration of the data is so critical, and if you end up putting the data in a single source of truth that can be leveraged by a common interface across groups, as you're mentioning from a SOAP layer standpoint, that's fantastic. But the reality is, if you can also access that data from existing tools that people are utilizing and have processes around, then you're actually sharing that data and have instantaneous knowledge transfer across different teams over time, which makes everybody more efficient even if they aren't working in a common interface.
Jon: Speaking of 2021, I've got to ask you, because my colleague Dave Gruber and I are doing a lot of research around XDR, which is sort of a quasi-SOAPA platform. You've written about XDR, you have some thoughts. Can you share your thoughts with us about XDR?
Marc: Yeah, I think, actually, XDR is really important going forward. Let's be honest, the SOC has really become a detection and response organization. You need to be able to look at detection response, you know, beyond just a single vendor or a set of tools from a single vendor. You need to be able to integrate across vendors. And that requires, once again, normalization of data, so the different systems can talk to one another.
That's extremely, you know, important. So you need to integrate all the different systems, you need to be able to integrate third-party intelligence into the infrastructure, and frankly, you have to integrate hybrid environments, meaning, your cloud applications as well as your on-prem applications, which can be really, you know, difficult. In the end, you know, XDR is a really interesting way of looking at just the future and the direction that the SOC is going into.
Jon: You've been with me on the SOAPA journey. Clearly, you're marching to that with ThreatQuotient. What do you think the future is for SOAPA?
Marc: Frankly, I think it's, you know, the future of security operations. The SOC today really is detection and response. Security operations actually goes beyond that; you include vulnerability management. In the future, there are going to be additional use cases, you know, as well. Here's another way of looking at it, because we just talked about XDR as well. There are three different markets: threat intel, SOAR, and XDR, right. Threat intel is about the data, SOAR is really about orchestrating and automating the process, and XDR is really expanding the detection and response across all tools.
The reality is, looking at the market and talking to people, there's a convergence happening between all three of those markets. And you start looking at it, and say, "Well, what does that convergence look like?" Well, you know, it looks like SOAPA, right. You have a framework that fits all of those things, and it's a direction that people are going into for a single architecture for security operations and analytics.
Jon: Great answer, Marc, and I couldn't agree more. And that's the end of this SOAPA video. Marc, thanks so much for participating.
Marc: Thank you, Jon. It was a pleasure.
Jon: Thank you. Pleasure's all mine. And we'll see you on our next SOAPA video soon.