Posted
Build Your Cybersecurity Program Using ThreatConnect
This is the first in a series of blog posts about how organizations are utilizing the ThreatConnect platform. We’ll share stories of how customers just like you have transformed their security programs using ThreatConnect.
Introducing Gringotts
A Fortune 1000 Financial Services company, who we will call Gringotts, has a robust IT department. This year they have established a cyber security team, which currently consists of four people. In a scramble to quickly address their cybersecurity concerns, they purchased quite a few tools. The team uses Tanium, Palo Alto, Splunk, and PhishMe; a MySQL database; and they subscribe to FS-ISAC (Financial Services ISAC).
Gringotts ran into a few problems using this infrastructure. They were not able to de-dupe their threat data, which led to wasted time for the few employees they did have in-house. They had nowhere to pull all of their data together, so each tool’s data lived on its own. They were reliant on each vendor’s data independently. Although they kept track of their team’s tasks, Gringotts had no way to record how a process was done. Because of this, each team member needed to figure out how to perform a task from scratch again each time it was assigned. There was no process consistency and a lot of time wasted reinventing the wheel.
Once Gringotts implemented ThreatConnect, they were able to:
Sync all of their cybersecurity tools together
Using ThreatConnect’s Open API (application programming interface), Gringotts integrated all of their tools and were able to view all of the data in one place. The API allows all of their current software tools and systems to ‘integrate’, or ‘talk to each other’ — basically, now they can share data. By looking at all of their data at once, they get a better view into the state of their cybersecurity program. And, each of their tools can now use data from the other tools; no longer relying solely on their own information. Allowing the cyber team to focus on their most relevant threats, rather than chasing false positives and manually compiling information from separate tools into spreadsheets, has made their team 30% more efficient.
Get data on the effectiveness of their cybersecurity efforts
Since Gringotts was just starting their cyber team, measuring the effectiveness of their current investments was especially important. ThreatConnect’s ROI for Intelligence feature records how many times an indicator was seen on a particular tool or feed, how many false positives it has, and the threat rating (based on other information in ThreatConnect). Using this feature, Gringotts was able to gauge the effectiveness of their cybersecurity sources and tools. Then, they were able to adjust their strategy as needed and take a data-driven approach to building their cybersecurity program.
Set up repeatable cybersecurity processes
Gringotts began to use ThreatConnect as their system of record for their program. ThreatConnect captures exactly what was done during each incident, and even provides teams the opportunity to add their own thoughts by leaving short ‘posts’, or messages to their teammates, on each piece of data. This has allowed Gringotts to begin to build and repeat their own processes, streamlining each teammate’s efforts in the process. In the future, Gringotts will even be able to set up fully or partially automated playbooks (like automatically assigning your teammate a task based on alerting or automatically enriching indicators using various integrations) using ThreatConnect’s Orchestration feature.