Not all TIP technology solutions are created equal

Oct. 2, 2024
SOC teams should view the vendor selection process as a journey, not a simple product purchase.

In today’s escalating threat landscape, Security Operations Center (SOC) teams face a constant cat-and-mouse battle with adversaries as they try to stay one step ahead. The fragmented tools, multiple data feeds, and data silos they must contend with do not help. And with so many security vendors offering different approaches and solutions, how do they know which cybersecurity solutions they should invest in?

Making any security purchase is always an onerous task as SOC decision-makers analyze what questions to ask and what tools and solutions best fit their environment. However, SOC teams must equip themselves for the cyberthreat landscape they face, and many are now establishing their own threat intelligence operations and capabilities.

Sifting Through Mountains of Disparate Data

In the process of building out their threat intelligence capability, many SOC teams acquire multiple data feeds—from commercial sources, open source, industry sharing groups, and their existing security vendors—each in a different format. They soon realize they lack the staff and technology to programmatically sift through mountains of disparate global data and put it to use. Without the proper resources, the data they have invested in becomes more noise, potentially generating many false positives.

Many organizations also fail to incorporate internal data into their threat intelligence. This is the telemetry, content, and data created by each layer in their security architecture, on-premises and in the cloud, including the output of modern security tools and technologies. Not only is this data high-fidelity, it is already paid for; the remaining cost is normalizing it so it can be matched against external feeds.

Numerous organizations invest in a threat intelligence platform (TIP) to use this data more productively. Selecting a TIP matters because it becomes the foundation of the threat intelligence program and feeds the rest of security operations. It allows teams to understand and act upon the highest-priority threats they face while getting more from their existing resources.

Not All Technology Vendor Solutions are Created Equal

But what are the essential capabilities SOC teams should look for in a TIP? It is important to note that not all technology vendor solutions are created equal. Below, we outline the core questions that SOC teams should ask vendors to make the best decisions about which TIP to implement into their SOC operation.

It is worth noting that SOC teams should view the selection process as a journey, not a simple product purchase, as the vendor they select must have the capacity to become a strategic partner. Factors to consider include platform maturity, service and support, user base, company track record, and specific use cases.

The Benefits of a TIP

If the business asks why the SOC team needs a TIP, the answer is that it delivers plenty of benefits: it can reduce risk, improve defenses, and enable the organization to execute strategic and tactical enterprise goals while staying on budget.

The organization can arm its SOCs, incident response teams, and threat intelligence analysts with a platform to efficiently structure, organize, and utilize threat intelligence across the enterprise. This platform also helps security analysts improve situational understanding, accelerate detection and response, maximize existing security investments, and collaborate more effectively as a team.

Incident response teams can automate the prioritization of threats and security incidents, accelerate investigations, and automatically push intelligence to detection and response tools. Threat intelligence analysts can efficiently structure and organize threat intelligence with context and prioritization to build adversary dossiers, make better decisions, and take action.

Asking the Right Questions

With stakeholders now convinced, business questions will be considered alongside technical ones. Some key questions SOC teams should be asking the vendor are outlined here:

  • How does the platform consume structured and unstructured data, and how many “out-of-the-box” commercial and/or open-source feeds do you support?
  • What about context and transparency? For example, are customer-defined IOC tags, context, and attributes shared with the vendor’s other customers?
  • What about scoring and prioritization? Can customers customize scoring based on their own organization, team, resources, and capability without broadcasting those customizations to other customers? Is the vendor’s scoring transparent?
  • What is the vendor’s approach to the expiration of intelligence? How does an indicator’s score age over time, and when is it retired so it stops generating matches?
  • What about correlating internal and external data? If bi-directional data exchange is enabled, does my company retain sole ownership of its data within your system?
  • Do you have bidirectional integration with the SIEM, ticketing, vulnerability management, and SOAR solutions we already run?
  • For notifications and alerts, can an analyst create an alert list in your dashboard for any object or node in the system?
  • For sharing and collaboration, can we opt in and opt out of sharing data with a vendor or community?
  • Does the TIP support data-driven automation natively and through API integration with SOAR platforms?
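The first, third, fourth, and fifth questions above (ingesting structured and unstructured feeds, customizable scoring, expiration, and correlation with the internal telemetry discussed under “Sifting Through Mountains of Disparate Data”) are easier to evaluate with a concrete baseline in hand. The script below is an added example, not ThreatQuotient code or any vendor’s implementation: it normalizes three constructed feeds (a STIX 2.1 bundle, a CSV open-source feed, and a free-text advisory), scores each indicator from an assumed per-source trust weight, the source’s stated confidence, and an exponential age decay with an assumed 14-day half-life, drops indicators that are past `valid_until` or below a floor, merges duplicates across feeds with a noisy-OR so corroboration raises the score, and finally matches the result against constructed firewall/proxy log lines. All IPs are documentation ranges and all domains are under `.example`; the weights, half-life, and floor are assumptions a team would tune.

```python
"""Added demo, not vendor code: feed normalisation, scoring with decay and
expiration, cross-feed merging, and correlation against internal logs.
Every feed, IOC and log line below is constructed for the demo."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from math import exp, log

NOW = datetime(2024, 10, 2, tzinfo=timezone.utc)          # fixed clock for the demo
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|example)\b", re.I)
STIX_PATTERN = re.compile(r"\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]")
SOURCE_WEIGHT = {"commercial_stix": 1.0, "osint_csv": 0.6, "vendor_advisory": 0.8}  # assumed trust
HALF_LIFE_DAYS = 14.0   # assumed: a network IOC's relevance halves every two weeks
EXPIRE_BELOW = 0.15     # assumed floor: below this the IOC is treated as expired

@dataclass
class Indicator:
    value: str
    source: str
    first_seen: datetime
    valid_until: datetime | None
    confidence: float    # 0..1 as stated by the source

def _ts(s: str) -> datetime:
    """Parse ISO-8601 (with or without 'Z'); naive dates are assumed UTC."""
    d = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)

def parse_stix(bundle: dict) -> list[Indicator]:
    """Structured input: STIX 2.1 indicator objects with a single-comparison pattern."""
    out = []
    for o in bundle.get("objects", []):
        m = STIX_PATTERN.fullmatch(o.get("pattern", "")) if o.get("type") == "indicator" else None
        if m:
            vu = o.get("valid_until")
            out.append(Indicator(m.group(2), "commercial_stix", _ts(o["valid_from"]),
                                 _ts(vu) if vu else None, o.get("confidence", 50) / 100))
    return out

def parse_csv(text: str) -> list[Indicator]:
    """Semi-structured input: 'value,first_seen' lines; '#' starts a comment."""
    rows = [l.split(",") for l in text.strip().splitlines() if not l.startswith("#")]
    return [Indicator(v.strip(), "osint_csv", _ts(d.strip()), None, 0.5) for v, d in rows]

def parse_unstructured(text: str, published: datetime) -> list[Indicator]:
    """Unstructured input: regex-extract IPs and domains from advisory prose."""
    vals = [m.group(0) for rx in (IPV4, DOMAIN) for m in rx.finditer(text)]
    return [Indicator(v, "vendor_advisory", published, None, 0.7) for v in vals]

def score(ind: Indicator, now: datetime = NOW) -> float:
    """weight * confidence * 2^(-age/half_life); 0.0 once past valid_until or below floor."""
    if ind.valid_until is not None and now > ind.valid_until:
        return 0.0
    age_days = max((now - ind.first_seen).total_seconds() / 86400, 0.0)
    s = SOURCE_WEIGHT[ind.source] * ind.confidence * exp(-age_days * log(2) / HALF_LIFE_DAYS)
    return round(s, 3) if s >= EXPIRE_BELOW else 0.0

def build_index(indicators: list[Indicator], now: datetime = NOW) -> dict[str, float]:
    """Merge duplicates across feeds with a noisy-OR: a second independent
    sighting raises the score rather than just keeping the maximum."""
    idx: dict[str, float] = {}
    for ind in indicators:
        s = score(ind, now)
        if s > 0.0:
            idx[ind.value] = 1 - (1 - idx.get(ind.value, 0.0)) * (1 - s)
    return {k: round(v, 3) for k, v in idx.items()}

DST = re.compile(r"\bdst=(\S+)")

def correlate(logs: str, idx: dict[str, float]) -> list[tuple[float, str, str]]:
    """Match the dst= field of internal log lines against the index, highest score first."""
    hits = []
    for line in logs.strip().splitlines():
        m = DST.search(line)
        if m and m.group(1) in idx:
            hits.append((idx[m.group(1)], m.group(1), line))
    return sorted(hits, reverse=True)

# --- constructed sample inputs (documentation IPs, .example domains) ---
STIX_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.45']",
     "valid_from": "2024-09-25T00:00:00Z", "confidence": 80},
    {"type": "indicator", "pattern": "[domain-name:value = 'update-cdn.example']",
     "valid_from": "2024-06-01T00:00:00Z", "valid_until": "2024-09-01T00:00:00Z", "confidence": 90},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '192.0.2.10']",   # old: decays out
     "valid_from": "2024-05-01T00:00:00Z", "confidence": 90},
]}
OSINT_CSV = "# value,first_seen\n203.0.113.45,2024-09-30\n198.51.100.7,2024-09-28\n"
ADVISORY = "Observed C2 beaconing to bad-cdn.example and 198.51.100.7 over TCP 443."
INTERNAL_LOGS = """
2024-10-02T08:01:12Z proxy src=10.0.0.23 dst=bad-cdn.example port=443 action=allow
2024-10-02T08:01:40Z fw src=10.0.0.51 dst=203.0.113.45 port=443 action=allow
2024-10-02T08:02:05Z fw src=10.0.0.51 dst=192.0.2.10 port=80 action=allow
2024-10-02T08:03:17Z proxy src=10.0.0.77 dst=update-cdn.example port=443 action=allow
2024-10-02T08:04:00Z fw src=10.0.0.23 dst=198.51.100.7 port=443 action=deny
"""

def demo_index() -> dict[str, float]:
    inds = (parse_stix(STIX_BUNDLE) + parse_csv(OSINT_CSV)
            + parse_unstructured(ADVISORY, _ts("2024-10-01T00:00:00Z")))
    return build_index(inds)

def demo() -> list[tuple[float, str, str]]:
    return correlate(INTERNAL_LOGS, demo_index())

if __name__ == "__main__":
    for s, ioc, line in demo():
        print(f"{s:.3f}  {ioc:20} {line}")
```

Running it ranks the three live hits (203.0.113.45 first, because two feeds corroborate it) and produces nothing for `192.0.2.10` and `update-cdn.example`, even though both appear in the logs: one has decayed below the floor and the other is past its `valid_until`. That is the behaviour to probe when asking a vendor about expiration, and the per-source weights are the customer-specific scoring the third question is about.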

This is not an exhaustive list. Questions about pricing models, service and support, different use cases, and questions specific to each SOC team’s environment will also need answers. Hopefully, this will put the SOC team on the right path, armed with key questions to ask and aware of potential hidden risks, so it can navigate the process successfully and find the right platform for its requirements.

About the Author

Gigi Schumm | Chief Revenue Officer of ThreatQuotient

As Chief Revenue Officer of ThreatQuotient, Gigi Schumm is responsible for revenue growth and driving global channel strategy. Gigi brings over two decades of experience leading high-performing sales and services organizations, spanning commercial sales, services, channels, alliances, business development and operations. Before ThreatQuotient, Gigi served as Symantec's VP and General Manager of the Public Sector. During her 15-year Symantec tenure, her roles included VP Eastern Area and VP Services. Gigi has also held leadership roles at various technology companies, including Oracle, NeXT Software, and Sun Microsystems. She has a proven track record of leading change, optimizing sales organizations, and exceeding revenue and margin goals. Additionally, Gigi co-hosts the long-running weekly radio show on WFED, Women of Washington, where she interviews the most accomplished female executives from the area to share their life lessons and secrets to success.