Skip to main content
Introducing Polarity Intel Edition: Streamlining Intel Distribution for SecOps
Polarity Intel Edition
Request a Demo

The Power and Responsibility of Customer Data and Analytics

How ThreatConnect stores, uses, and protects customer data

There has been a lot of recent news surrounding compromises in trust where companies purposefully or unintentionally misuse or allow others to misuse customer data. After my last post, in which I talked about the power of data and analytics, I thought it would a good time to describe ThreatConnect’s efforts around storing, using, and protecting our customers’ data.  

Let me start by explaining the types of data that reside in the ThreatConnect Cloud and CAL™ (Collective Analytics Layer) and how that data is stored and used. I’m not going to speak to Dedicated Cloud or On-Premises, because those platform configurations are often customized based on organizational policies or regulatory requirements.  

ThreatConnect Cloud consists of the Multi-Tenant ThreatConnect Cloud and CAL™. Users interact with the ThreatConnect Cloud through either direct logins or integrations with other technologies. ThreatConnect Cloud data is either stored in their own private account or organization, a community, or a source. Restrictions for sharing and usage are specific to the source they are stored within.  

Where data resides Data Owner Data Users
Individual Account Individual Only Individual
Organization Account Organization All Users of an Organization
Community Community Access granted by community administrators
Data Source Source Owner Access granted by source administrators to source participants

Data sharing to a community is up to the organization or user that owns the data. ThreatConnect acts as a member of some of the communities, and as such, has the same rights and privileges as all of its members.

For example, we may be a member of a particular industry community and the rules of the community could allow anyone to use the data under traffic light protocol (TLP): White guidelines. If a community administrator invited us to the community, and the data was marked TLP:WHITE, any vetted community member would possibly leverage the information in some aspect of their work. To reiterate, this means that ThreatConnect would only use said data by virtue of our membership to the community in accordance with the community usage guidelines.

ThreatConnect CAL collects anonymous data from all participating instances of ThreatConnect, including ThreatConnect Cloud. Through large data analysis, CAL provides insights and recommendations that are delivered back to any participating ThreatConnect instance – Cloud, Dedicated Cloud, and On-Premises. These insights can take many forms, including classification of indicators and indicator reputation. We’ve designed these insights to be a boost to in-platform analytics, such as ThreatAssess and Playbooks.  

Users of Dedicated Cloud and On-Premises instances of the Platform can choose whether they want to leverage CAL or not. When turned off, both anonymous sharing with CAL and CAL insights are disabled. If you want to have the benefits of CAL, but keep some indicators private, you can also do that by marking indicators as private in your instance. The table below summarizes the data CAL collects from participants, and the value it derives from the data:

Customer Data Used by CAL Value Provided
IOC False Positive Vote (Count) Provides count of False Positives across CAL-connected platforms and drives CAL recommendations for reputation and indicator status
IOC Impressions (Count) Provides count of page views, searches, and automated lookups and drives CAL recommendations for reputation and indicator status.
IOC Observations (Count) Provides count of reported observations of IOC across CAL connected platforms drives CAL recommendations for reputation and indicator status
IOC Status (Active/Inactive) Provides a holistic picture of which indicators users want to keep active or inactive in their instance, allowing CAL to recommend better indicator status and reduce time wasted on “junk” IOC’s for participants.

To reiterate, all of the above information is captured and processed in an anonymized, aggregated fashion. After authentication, any identifying information about your instance is separated from the data and it is combined to provide our analytics an understanding of how to treat the data. To put another way, we don’t track or care about who submitted any of the above information, but rather how many participants submitted it.

Finally, ThreatConnect software instances may be connected to our user feedback platform in order for our product managers and customer success personnel to learn more about our customers’ usage. This is common among most software vendors, as the insights gleaned allow our company to improve our software experience and identify data-driven ways to help our users do their jobs better. Participation in this platform also enables us to deliver interactive guides in the application to help users hit the ground running. Dedicated Cloud and On-Premises software instances can turn off this feature if they want.  

Your data, and privacy, is of the utmost importance to us. We have made, and continue to make, major investments to protect the data you entrust to us. Our Information Security Management System (ISMS) is built on the ISO 27001:2013 set of standards to ensure that we appropriately secure ThreatConnect. Also, we’ve researched GDPR extensively and are taking actions to assure compliance.  

If you have any questions regarding our corporate security program or your data privacy please use the CONTACT US form and select “Security Program/Compliance” from the dropdown menu.

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.