What a post-investment world looks like for ThreatConnect customers

Changing how teams work together

Last week we announced our investment from Providence Strategic Growth (PSG) to accelerate our go-to-market strategy and product development. I couldn’t be more excited about the ability this will give us to move faster and more decisively to make intelligence-driven security a reality for an ever-expanding number of security teams.

The team at PSG is excited about our core value proposition: in order to keep up with threats, security teams need to make better decisions, faster, and ThreatConnect provides the intelligence and the codification of process that allows them to do this. Their investment will accelerate our current strategy to bring the insights and context needed to use cyber intelligence holistically, to bring efficiency to repeatable processes through automation, and to enable workflow across security operations, incident response, risk, and cyber intelligence teams.

Operational insights for faster, more accurate decision making

A big piece of the value we provide our customers today is “putting intelligence to work” operationally. To double down on that value, we’re going to be making significant investments in new data sources within ThreatConnect’s CAL™ (Collective Analytics Layer) to power the insights needed for operational and tactical decision making. This will, of course, include insights on traditional IOCs, but we’re looking at breaking the “IOC barrier” to provide new, unique insights on vulnerabilities, adversary technique usage, and a customer’s risk posture based on its exposure to both.

More integrations, more use cases, delivered faster

Leveraging the foundation of our existing orchestration and automation in our Playbooks functionality, and the ability to extend it with our App Builder and SDKs, we’re hitting the gas on the delivery of more apps, components, and playbook templates relevant to security operations, incident response, and cyber intelligence teams. We’ll be delivering numerous out-of-the-box use cases with integrations to asset management databases and products, vulnerability management platforms, commercial and open source messaging fabrics, identity and access management products, commercial intelligence providers, and intelligence investigation and visualization products, to name a few.

Community enhanced security orchestration and intelligence

When we first launched ThreatConnect, we had the idea of a community-enhanced ability to share and use threat intelligence. We haven’t lost sight of that vision; we’ve expanded it. What we’ve learned is that enabling intelligence-driven security isn’t just about having access to and sharing data. That’s only part of the equation. To do it right, you need to have your people, process, technology, and data aligned. Sharing what you have learned with others is more powerful when you also share how to use it. It needs to include sharing of the process and technology used to implement a defense, not just the threat data. To that end, we’ll be enabling easier community sharing of codified process in the form of Playbooks, human workflows, and applications for our customers and partners.

Go-to-Market: Bringing the concepts of TIP and SOAR together

Enabling strong intelligence-driven security requires input and participation from all roles within the security team. The most relevant, and therefore most actionable, intelligence comes from one’s own network. It is produced and optimally actioned when cyber intelligence analysts, incident responders, security operations analysts, risk analysts, managers, and decision makers have access to the right data from each other’s operations, share processes, and can securely implement new controls across the ecosystem of security products within the organization. In most organizations, this is still far from reality. We seek to make it seamless.

The concept of a product that acts as the fabric across all security controls, processes, and teams tears apart the arbitrary market boundaries currently drawn around what a TIP and a SOAR are. Done right, we believe they are the same thing. TIPs today are mostly viewed as an aggregation point for external intelligence; we see that as too limiting. Intelligence must be like the Force: it should flow through everything and come from everything. The utility of a SOAR is coordinating and taking action across multiple products for incident responders and the SOC. This, too, is too limiting. The outcomes of these actions and playbooks should be used to learn what the threats were capable of and how to prevent or respond to them better next time; in short, they are information that should be used as intelligence. Whether you call this TIP, SOAR, or something else, it just makes sense, and we’re going to change how teams work together with it.

Putting the strategy into place

To make all this happen we’ve already begun to invest heavily in resources within engineering, analysis and data science, partner enablement, and customer success. Stay tuned for news of our updates, improvements, and changes. We are excited about the future and what it means for you.


About the Author
Andy Pendergast

Andy is a community-respected analyst, innovator, and thought leader. He has over 15 years of experience working in the Intelligence and Computer Network Defense communities from within the U.S. DoD and Fortune 500 companies. He brings his passion for intelligence-led defense to his role as Product Director for ThreatConnect. Andy is a co-founder of ThreatConnect, Inc. and is a co-author of “The Diamond Model of Intrusion Analysis”. Andy is a veteran of the U.S. Army, holds a Diploma in Chinese Mandarin and a Bachelor of Science from Excelsior University. He lives in Columbia, MD, where he regularly climbs rocks and enjoys getting Thai Dynamite Chicken with his wife and three children.