ThreatConnect makes order out of threat feed chaos

Dealing with too many threat feeds exemplifies that old proverbial wisdom that too much of a good thing can become a bad thing. That's where ThreatConnect comes in.

flood breach

One critical step that most organizations need to take on their path to better cybersecurity maturity is to acquire threat feed data. Looking at intelligence reports about the various threats targeting organizations can provide a lot of awareness about cyber dangers and threat actors. But some organizations equate security with the number of feeds they subscribe to, not realizing that their analysts couldn’t possibly monitor the hundreds or thousands of threat reports generated every day, or even every few minutes.

In that sense, having too many threat feeds is almost as bad as not having any at all. Unless you have some way of managing that information, there is just too much noise to identify the relevant attack reports and create actionable threat intelligence. The ThreatConnect platform is designed to focus those disparate feeds and information on just those threats that pose a real danger, and can even trigger automatic responses against the most dangerous attacks.

ThreatConnect can be installed on premises, or within a private or public cloud. There are different versions of the product including TC Complete, which gives users full access to both management and response capabilities, and TC Identify, which only consolidates and manages the threat feeds. For this article, an instance of TC Complete running within a private cloud was tested.

Main dashboard

The main dashboard for TC Complete gives an overview of threats tracked by feeds that an organization subscribes to, and any specific actions taken by ThreatConnect regarding them. The main program comes with many public feeds already in place and ready to be monitored, plus a specific feed generated by ThreatConnect. Users can add an unlimited number of other feeds to ThreatConnect without affecting their pricing, which is based on which version of the program they are using and how many external programs, like SIEMs, attach to it.

ThreatConnect main dashboard John Breeden/IDG

The main dashboard for the ThreatConnect Platform provides a graphical look at all the threats, and potential threats, affecting a host organization.

Users probably won’t spend too much time in the main dashboard before diving deeper into the management portion of the program. Analysts will likely spend much of their time browsing the consolidated lists of threats, which can be sorted in several ways to make them more digestible. Specific threats can also be flagged and highlighted, which is helpful for collaboration efforts and can be used later to set up various automatic triggers if elements of those threats are detected interacting with the protected network.

Use cases

There are likely two potential main use cases for ThreatConnect. First, it would be a great tool for quickly learning more about specific threats that are hitting a network. For example, if a new type of attack hit the SIEM or firewall, analysts could query ThreatConnect to see if any of their subscribed feeds knows more about it. More valuable would be using the platform proactively, learning about threats that are targeting specific industries or equipment, and learning how to build up defenses against relevant ones before they strike.

To continue reading this article register now

Microsoft's very bad year for security: A timeline