At the Black Hat USA 2014 conference, Ryan Trost spoke about the challenges and opportunities of building a threat intelligence library from multiple sources. Trost is the co-founder and CIO of ThreatQuotient, which officially launched on June 3, turning part of the strategy that was discussed at Black Hat into a real product, ThreatQ.
The goal of ThreatQuotient, according to Trost, is enable an organization to manipulate and understand threat intelligence data from any number of different sources. The idea of being able to handle and understand multiple forms of threat data is not a new one and is being chased by a number of vendors, including ThreatStream.
“What differentiates us from others in the market is the fact that we’re completely on-premises,” Trost told eWEEK. “We’re a middleware platform for threat intelligence.”
From a core technology perspective, Trost explained that ThreatQ includes a number of Python language-based connectors that reach out to different threat intelligence source APIs to pull data in. In addition, the data can be enriched by ThreatQ for additional context.
Trost said a traditional Security Information and Event Management (SIEM) platform is limited in that it is only correlating alerts. “If a malicious attack isn’t enough to trigger an alert, the threat intelligence in the SIEM isn’t doing anything,” he said.
The ThreatQ model is about pushing threat intelligence to an organization’s existing tools, including firewalls, to make faster use of the data to secure an enterprise. Trost added that the biggest challenge for his company is that not all organizations have mature threat intelligence processes.
“The challenge for us is how we build a tool that can cater to both advanced as well as less advanced organizations that everyone can benefit from,” he said. “We don’t want to force a round block into a square hole.”
Trost said his company’s ThreatQ platform can also be used to help do a bake-off across multiple commercial threat intelligence vendors that an organization might be considering. With ThreatQ, it’s possible for an organization to look at the frequency of reports and the types of threat indicators that are being distributed from a given commercial threat intelligence vendor.
“Customers can do a bake-off and determine which threat intelligence provider is the best one for them,” Trost said. “For example, they can evaluate the C2 [command and control] elements that are attacking the enterprise against the threat indicators provided by the threat intelligence vendors.”
The next step for ThreatQuotient will be a second version of ThreatQ that will further improve the user interface and experience for enterprise analysts.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
