An XDR (Extended Detection and Response) platform is currently the most sought-after cybersecurity solution since Gartner called it the Number 1 Security and Risk Trend for 2021. It is defined as a solution that “automatically collects and correlates data from multiple security products into a single incident for increased detection and response efficiency and accuracy.”
SIRP XDR improves upon this definition by integrating with disparate solutions, tools, and systems and unifying them to put forth a single risk-based detection and response ecosystem. SIRP integrates with various threat intelligence platforms and feeds for enhanced detection, investigation, and response — that much we know. But to stand apart from the rest, we must go beyond, and this is where ThreatQuotient comes into play.
ThreatQ enhances SIRP XDR's capability to effectively automate playbooks and provides actionable intelligence that boosts the speed, relevance, and breadth of detections. What does this entail? It means that SIRP, with ThreatQ, integrates with both internal and external data and sources for faster response and automation of manual tasks. By aggregating, prioritizing, and scoring threat intel through SIRP Security Score (S3) and ThreatQ, SIRP is able to provide relevant and prioritized data and automate processes to take the right next steps in your threat intelligence lifecycle.
Integration between SIRP and ThreatQuotient ensures that the automated playbooks don’t automate noise, since noise only gets amplified with every repetition. It means that the threat intel from ThreatQ is contextual, relevant, and high priority, which in turn reduces redundant playbook runs, so that fewer resources are consumed and the efficiency and effectiveness of SIRP improve.
Organizations use at least 10 to 15 external and internal feeds in their environment. These include government, financial-sector, and security-vendor sources as well as open and commercial feeds. It is critical to take advantage of these multiple threat feeds and map them to the organization's risk in order to construct a well-structured defense and response strategy. Therein lies the issue: security solutions work in silos and are unable to connect and combine the data from disparate sources into one single platform. The processes and playbooks are also run redundantly, without any enhancement.
SIRP and ThreatQ aggregate internal and external data, normalize it from multiple sources, languages, and formats into a single entity, enrich the data with related and linked intel, prioritize it by relevance to filter out unnecessary data, and translate it into an intelligible and unified source. Not only does this improve the detection and response capabilities of the XDR, but it also allows the team and analysts to collaborate and respond to threats. A single incident becomes easier to investigate when its history and similar attacks are clearly visible to an analyst.
In the following instance, SIRP ingests malicious indicators of compromise (hashes and URLs) from ThreatQ. The automatic playbooks are executed, and the reputation of the hashes is checked against various sources, including VirusTotal, AlienVault OTX, and IBM X-Force. After ingesting the artifacts, the playbook is set to perform the following actions:
The following artifacts are ingested:
The actual playbook in SIRP is shown below:
In this next example, threat feeds are ingested into SIRP from ThreatQ. These actionable Indicators of Compromise (IoCs) are added to a security platform, such as a SIEM, EDR, or firewall. If the reported score is higher than 5, then the hashes are blocked at the EDR. If the analyst detects a score higher than 7, then the indicators and hashes are blocked at the firewall. The threat intelligence summary and information on the hashes are also shared inside the organization.
Here’s how the SIRP playbook plays out:
Once the playbook is executed, either manually or automatically, it is set to perform the following actions:
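To make the two playbooks above concrete, here is an added example (not SIRP's or ThreatQ's own code, and not their APIs) that models the flow end to end: indicators from several feeds are normalized and de-duplicated (the aggregation and normalization step described earlier), each unique indicator is enriched with reputation scores, and the thresholds from the text decide the response: a score above 5 blocks at the EDR, a score above 7 also blocks at the firewall, and a summary is always shared. The feed names, the `REPUTATION` table standing in for VirusTotal, OTX and X-Force lookups, and every hash and URL are constructed sample values.

```python
"""Threshold-based IoC triage modelled on the playbooks described above.

Everything here is an illustrative assumption: feeds are plain dicts,
reputation lookups are stubbed with a constructed table, and the
thresholds follow the text (score > 5 -> EDR block, score > 7 -> firewall
block as well). None of this is SIRP's or ThreatQ's real interface.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

EDR_THRESHOLD = 5        # "higher than 5": block at the EDR
FIREWALL_THRESHOLD = 7   # "higher than 7": block at the firewall too


@dataclass(frozen=True)
class Indicator:
    kind: str    # "sha256" or "url"
    value: str   # normalised form, so duplicates from different feeds collapse


@dataclass
class Assessment:
    indicator: Indicator
    sources: dict = field(default_factory=dict)  # reputation source -> score 0..10
    feeds: set = field(default_factory=set)      # which feeds reported it

    @property
    def score(self) -> int:
        # Take the highest score across reputation sources: one confident
        # verdict should not be diluted by sources that have no data.
        return max(self.sources.values(), default=0)

    def actions(self) -> list:
        acts = ["share_summary"]            # always shared internally
        if self.score > EDR_THRESHOLD:
            acts.append("block_at_edr")
        if self.score > FIREWALL_THRESHOLD:
            acts.append("block_at_firewall")
        return acts


def normalise(kind: str, raw: str) -> Indicator:
    """Bring feed values into one canonical shape before de-duplication."""
    value = raw.strip()
    if kind == "sha256":
        return Indicator(kind, value.lower())
    if kind == "url":
        # Refang the common defanging conventions, then lower-case only the
        # scheme and host; the path may be case-sensitive on the server.
        value = value.replace("hxxp", "http").replace("[.]", ".")
        p = urlsplit(value)
        value = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
        return Indicator(kind, value)
    raise ValueError(f"unsupported indicator type: {kind}")


def aggregate(feeds: dict) -> dict:
    """feeds: {feed_name: [(kind, raw_value), ...]} -> {Indicator: Assessment}"""
    merged = {}
    for feed_name, entries in feeds.items():
        for kind, raw in entries:
            ind = normalise(kind, raw)
            merged.setdefault(ind, Assessment(ind)).feeds.add(feed_name)
    return merged


# Constructed verdicts standing in for VirusTotal / AlienVault OTX / IBM X-Force.
REPUTATION = {
    ("sha256", "a" * 64): {"virustotal": 9, "otx": 8},
    ("url", "http://example.invalid/drop"): {"virustotal": 6},
    ("sha256", "b" * 64): {"otx": 2},
}


def stub_lookup(ind: Indicator) -> dict:
    return REPUTATION.get((ind.kind, ind.value), {})


def triage(feeds: dict, lookup=stub_lookup) -> dict:
    """Run the playbook: aggregate, enrich, decide. Returns {value: [actions]}."""
    merged = aggregate(feeds)
    for assessment in merged.values():
        assessment.sources = lookup(assessment.indicator)   # enrichment step
    return {a.indicator.value: a.actions() for a in merged.values()}


# Constructed sample feeds: the same hash appears twice in different shapes,
# and the URL arrives defanged with mixed-case host.
SAMPLE_FEEDS = {
    "threatq": [("sha256", "A" * 64), ("url", "hxxp://EXAMPLE[.]invalid/drop")],
    "open_feed": [("sha256", "  " + "a" * 64 + "\n"), ("sha256", "b" * 64)],
}

if __name__ == "__main__":
    for value, acts in triage(SAMPLE_FEEDS).items():
        print(f"{value[:24]}...  ->  {', '.join(acts)}")
```

The de-duplication matters for the "don't automate noise" point: the hash reported by both feeds is assessed once and produces one set of actions rather than two playbook runs, and the `feeds` set on each assessment records the corroboration an analyst would want to see when investigating.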