How Companies Use ThreatConnect To Create a System of Record: A Use Case


This is the third in a series of blog posts about how organizations are utilizing the ThreatConnect platform. We’re going to share stories of how customers just like you have transformed their security programs using ThreatConnect, in particular by creating a cybersecurity system of record. To keep our customers secure, we will be using pseudonyms instead of the real organization names.

Introducing Customer C

Customer C is a Global 100 law firm based in New York City, who we will call Pearson Specter Litt. They have a large IT department, but only one IT specialist who is responsible for network security – let’s call him Benjamin. Benjamin’s main motivations include protecting his firm’s network from targeted attacks and large bags of bacon. Just last year, Pearson Specter Litt started a dedicated cybersecurity and information security effort, which is led by Benjamin. They’ve recently invested in a SIEM and are subscribed to a few blacklist feeds.


Pearson Specter Litt began to run into problems as they expanded their information security program. They found that they didn’t have a reliable way to ingest large volumes of threat data. Even if Benjamin could do that, he had no way of prioritizing their data or figuring out which parts of each of their feeds actually matter to the security of the firm.

Once Pearson Specter Litt implemented ThreatConnect, Benjamin was able to:

Collect all of their data in one central place

Using ThreatConnect’s Open API (application programming interface), Benjamin was able to put all of their threat feeds, as well as their SIEM data, in one place – the ThreatConnect platform. ThreatConnect automatically correlates, normalizes, and aggregates all of the firm’s data, preventing Benjamin from spending hours of time manually copying and pasting data into a central spreadsheet.

Prioritize their threat data

When Benjamin put all of their data in one place, he knew they also needed to start making sense of it. He learned that their data sources were not of equal value – some were more valuable than others; some full of false positives. By using ThreatConnect, he is now able to start rating their sources by quality, relevance, and accuracy. The platform has a built-in rating scale, false positive tagging, and also tracks how often a particular indicator is observed in the network. Now, Benjamin can focus his time on the firm’s real threats.

Create a cybersecurity system of record

Benjamin can now aggregate and store all of the firm’s vetted and prioritized data in the platform. ThreatConnect also started to memorialize the processes he used, so that he could easily repeat them later. With everything stored in the platform, Benjamin has started to build a system of record for the Pearson Specter Litt security program. He is now able to look at what has been seen in their network before and how it was handled, and can make more informed decisions about how to proceed.


If you’d like to see what ThreatConnect can do for your cybersecurity program, get in touch with us and we will show you firsthand.


About the Author
Dan Verton

Dan Verton is ThreatConnect's Director of Content Marketing. Dan is an award-winning journalist and a former intelligence officer in the U.S. Marine Corps. He has authored several books on cybersecurity, including the 2003 groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill) and The Hacker Diaries: Confessions of Teenage Hackers (McGraw-Hill). He has a Master of Arts in Journalism from American University in Washington, D.C.