Two Heads Are Not Always Better Than One

ThreatConnect Brain of Security TIP and SOAR

Since its inception, ThreatConnect has used the analogy that it wants to be the “brain of security,” to act as its central nervous system providing both decision and operational support. We use this analogy because of the relationship between decision-making and taking action that the brain does naturally. What makes humans exceptional at decision making is the ability to review the logical options while simultaneously considering existing knowledge and the risk with a particular decision path.

In a recent blog post, I spoke about risk specifically, but today I’m talking about existing knowledge. The human brain is made powerful through experiences, education, and over time knowledge gained. The more knowledge the brain has, theoretically the more powerful it can become. This coupled with the ability for the human brain to connect what is going on in the moment with that knowledge makes it very powerful.

The Brain Surgeon & The Whittler

Consider a brain surgeon. In order to become a brain surgeon, one must go through an arduous process of education, residency, publish papers, and (I hope) have many successful surgeries before they operate on anyone. Their years of experience and knowledge is what makes you and I comfortable having them cut into our brain.

Now consider a whittler. If they are an expert in their craft, they also have many years of experience, possibly have professional training, and most importantly have whittled many successful projects. Based on this, they presumably are very good at what they do.

For our customers, their organization’s knowledge of cyber threats has been amassed in their Threat Intelligence Platform (TIP). This is a complex set of relational data made up of associations across indicators, adversaries, and cases. As the system of record for cyber threat data, ThreatConnect has become the brain surgeon of experiences and knowledge for the organization.

Now enter, the surgeon’s goal of “cutting,” or in the case of ThreatConnect using knowledge operationally to inform decisions and manage our security program. I hope you can agree that having a brain surgeon’s experience, coupled with a whittler’s hand and eye coordination is not a good idea. In this case, two heads are not better than one.


TIP and SOAR must be integrated for this reason. The knowledge stored in a TIP, which must be used to inform automation and workflows, is far too complicated to simply integrate that data with an external SOAR. The alternative is that you end up in a situation where you have a whittler being told what to do by the brain surgeon. The fidelity and accuracy of the surgeon instructing the whittler would be far less sophisticated than if the brain surgeon was doing the surgery themselves. Despite the respectable skills, the whittler can’t possibly connect their actions adequately with the surgeon’s years of experience.

For this reason, ThreatConnect’s platform has been built to replicate the way the human brain works — experiences are amassed and analyzed to produce the fuel for decision making. Risks are calculated and made available. Then we leverage the capabilities of SOAR to automate or respond as required based on knowledge and understanding of risk.

Adam Vincent
About the Author
Adam Vincent

Adam is an information security expert and is currently the CEO and a founder at ThreatConnect, Inc. He possesses over a decade of experience in programming, network security, penetration testing, cryptography design & cryptanalysis, identity and access control, and a detailed expertise in information security. The culmination of this knowledge has led to the company’s creation of ThreatConnect, the first-of-its-kind threat intelligence platform. He currently serves as an advisor to multiple security-focused organizations and has provided consultation to numerous businesses ranging from start-ups to governments, Fortune 500 organizations, and top financial institutions. Adam holds an MS in computer science with graduate certifications in computer security and information assurance from George Washington University. Vincent lives in Arlington, VA with his wife, four children, and dog.