Navigating the Evolving Threat Intelligence Landscape and Organisational Responsibility

Written by Gigi Schumm, Chief Revenue Officer, ThreatQuotient & Shimon Modi, Vice President Product Management, Dataminr

Cyber Rhino Threat Week (which took place from 9th to 13th December 2024) aims to inform by sharing threat intelligence insights and best practices with our customers, partners and industry ecosystem. This keynote session certainly set the stage for the week, exploring the complexities that organisations must consider when establishing and operating an effective Cyber Threat Intelligence (CTI) program. The panel discussion examined how diverse organisational structures, responsibilities, priorities and desired outcomes influence the role and integration of CTI.

Shimon Modi, Vice President of Cyber Product at Dataminr, a Platinum sponsor of ThreatQuotient’s online event, was one of the panelists in this session along with Sebastien Bombal, Technical Director, National Directorate of Customs Intelligence and Rick McElroy, Founder and CEO of NeXasure. The panel was hosted by Gigi Schumm, Chief Revenue Officer at ThreatQuotient. Here Gigi and Shimon capture some of the highlights from this discussion.

Why are no two CTI programs alike?

The panel noted that, while we might assume we all share a common understanding of the purpose of a cyber threat intelligence (CTI) program and of the role the CTI team plays within an organisation, in reality this differs enormously from one organisation to another, because no two companies have the same priorities, organisational structure, processes and desired outcomes when it comes to CTI. However, everyone agreed that CTI has become more of a priority and is now viewed as a ‘must have’ rather than a ‘nice to have’.

A CTI program provides all the information required to guide the entire cybersecurity process, from strategy to tactical implementation, and is a crucial component of the overall security program. It is therefore critically important to take time upfront to consider the desired outcomes and what the organisation expects to achieve from such a program. The panel urged companies to establish up front whether they are looking for a very technical/tactical capability or something more strategic, and which types of cyber threat they are looking to combat. This will of course depend on the maturity of the business and the industry it is in.

CTI programs and teams must continuously evolve

As we all know, cybersecurity threats have evolved and are much broader today than they were five years ago, encompassing anything from ransomware to disinformation to deepfakes to geopolitical threats.  Consequently, the role and responsibility of the CTI team must evolve all the time, especially as responsibilities of the CTI program and team can differ from one CISO to the next.

While larger enterprises tend to have the budget and headcount to resource and staff a CTI program, it is harder for small to mid-sized companies to staff an in-house team, and many of these organisations outsource, whether through an MSP or MSSP. As such, it is important that any program reflects the threats and vulnerabilities of the environment it is being applied to.

What has also changed is the organisational structure of programs, which now have different kinds of stakeholders who care about threat intelligence. The traditional view of these programs was very technical and driven by cybersecurity infrastructure; today there are executive board stakeholders involved in most CTI programs. They care about business issues such as third-party risk, geopolitical tensions and supply chain risk, which means the organisational structure of the program must evolve to reflect this.

But ultimately any initiative must be mission-oriented, and those involved must define their priority intelligence requirements (PIRs). Additionally, they need to ensure they can operationalise intelligence in real time before looking to expand the program.

CTI is cross-functional 

CTI sits in a unique position in that it is cross-functional, so it must interact with a lot of constituents around the organisation. The question of who the CTI program should report to often comes up. This can cause tension between groups such as the SOC incident responders, SOC analysts and CTI teams. These issues are generally around who owns what responsibilities and who decides what tools to procure and implement and so on, which can create siloed thinking.

Ultimately, intelligence should be part of every process in the security operation, from alerting to triage to investigation to threat hunting. Leaders who think about it from that perspective will make a lot of progress in their CTI program. This is where collaborative goal setting across all these teams is important, continuously communicating what the key goals are. This minimises silos, which then become mere reporting structures rather than operational hindrances.

Sharing and collaboration 

The group discussed the primary functions of the CTI team, and most agreed that these are situational awareness, data-sharing within the organisation and the extended partner ecosystem, and creating operational efficiencies so that teams can detect threats faster and prioritise patching accordingly. All agreed that dissemination and sharing of information is essential in CTI. The conversation also touched on standards: to be able to disseminate and share intelligence, CTI standards must be in place.

One big change we’ve seen in the last few years, which is now driving operational efficiencies and how teams operationalise threat intelligence across the organisation, is that the threat intelligence lifecycle has gone from being applied to reactive situations to a more proactive ‘shift left’ approach. Teams are keen to move ahead of the threat and understand the important role that threat intelligence plays in enabling this thinking and delivering that situational awareness. In fact, teams are now thinking about efficiency and enriching their situational awareness outcomes, which will ultimately benefit the organisation’s risk posture and enable it to better combat threats. The group examined many other areas, such as emerging technologies that could take us to new levels of efficiency; to watch the full debate and hear the recommendations from our panelists, go to: https://www.threatq.com/cyber-rhino-threat-week/

ThreatQuotient Publishes 2024 Evolution of Cybersecurity Automation Adoption Research Report

Survey results highlight that cybersecurity automation is now an important part of cybersecurity professionals’ defensive strategy – but organisations want highly targeted, customised automation and threat intelligence that enables them to collaborate.

LONDON, UK – 19th of November, 2024 – ThreatQuotient™, a leading threat intelligence platform innovator, today released the Evolution of Cybersecurity Automation Adoption 2024. Based on survey results from 750 senior cybersecurity professionals at companies in the U.K., U.S. and Australia from a range of industries, this in-depth research report examines the progress senior cybersecurity professionals are making towards adopting automation, its key use cases and the challenges they face. The fourth edition of this annual survey highlights how automation is maturing and how, in a world of continuous change, organisations are adopting cybersecurity automation for resilience, scale and collaboration. The report examines approaches to integration, whether respondents are taking a single-vendor platform approach or best-of-breed, the adoption of AI and the importance of cyber threat intelligence sharing.

Eight in ten respondents (80%) now say cybersecurity automation is important, up from 75% last year and 68% the previous year. Additionally, budget for cybersecurity automation has increased every year, and this year’s survey is no different, with 99% of respondents increasing spend on automation. Interestingly, 39% of respondents now have net new budget specifically for automation, a significant rise on the 18.5% who said this last year. Previously, decision-makers were diverting budget from other cybersecurity tools or reallocating unused headcount funds. In 2024, respondents’ better understanding of key use cases and of the benefits automation delivers is helping them make a stronger business case for dedicated budget, which is another indication that cybersecurity automation is maturing.

Key research findings also include:

  • Key use cases: Incident response was the top use case for automation (32%), rising consistently through the course of the study. This was followed by phishing analysis (30%) and threat hunting (30%), which has also continued to rise.

  • Challenges are evolving: Nearly every survey participant reported problems with cybersecurity automation; the top three challenges were technological issues, lack of budget and lack of time. As automation deployments mature, trust in the outcomes of automated processes has increased: just 20% of respondents reported a lack of trust in outcomes, compared to 31% last year. In 2023 there was also significant concern around bad decisions, slow user adoption and lack of skills, but these concerns have abated in 2024.

  • Top measurement metrics: Employee satisfaction and retention remains the main metric for assessing cybersecurity automation ROI for 43% of leaders, but this has dropped from the 61.5% who cited it as the key metric in 2023. Resource management, in terms of staff efficiency, effectiveness and budget (42%), and how well the job is being done in terms of MTTR and MTTD (38%) have both become more prevalent as measurement tools as organisations home in on metrics more closely linked to productivity and efficiency.

  • Growth in threat intelligence sharing: Ninety-nine percent of cybersecurity professionals say they share cyber threat intelligence through at least one channel; 54% share cyber threat intelligence with their direct partners and suppliers and 48% share with others in their industry through official threat sharing communities.

  • Integration is key: Two thirds (67%) of respondents integrate best-of-breed solutions into their architecture to effectively deliver their cybersecurity strategy. Regardless of whether they focus solely on best-of-breed tools or start with a single-vendor platform and then supplement it with best-of-breed tools, integrating tools is an important activity.

  • AI gathers momentum: Fifty-eight percent of respondents say they are using AI in cybersecurity. Half are using it everywhere, and half in specific use cases. A further 20% are planning deployments in the year ahead.

  • Expected attack vectors in the year ahead: Cyber-physical attacks are considered most likely in the year ahead, followed by phishing and ransomware. Although not a top three attack vector, 20% of respondents expect to see attacks via the supply chain and one in five see state-sponsored attacks affecting their business.

“It is tough for cybersecurity professionals who now face fast-changing cyber and cyber-physical threats of unprecedented sophistication, volume, velocity and variety,” said Leon Ward, Vice President, Product Management, ThreatQuotient. “Defending their business is an enormous task, and cybersecurity professionals must become more resilient.

“What we are seeing in this ‘new normal’ landscape is the need for more automation, scale and better threat intelligence sharing.  A collaborative approach to cybersecurity helps organisations better defend as industries scale their knowledge to respond to attacks.”

As organisations double down on cybersecurity automation use cases that deliver value and embrace more intelligence sharing, this will result in more effective and proactive cyber defence. This year the survey highlights the focus has shifted toward ROI metrics that are more closely linked to productivity and efficiency and – while employee retention and satisfaction remains important – it is no longer heavily outweighing performance and efficiency KPIs.

Ward concludes, “We believe that scaling security operations and collaboration across teams, ecosystems and industries is the most urgent challenge facing cybersecurity professionals. Successfully uniting human expertise, automation and AI and enabling seamless integration across tools and intelligence feeds will drive cyber resilience and agility at organisational, industry, and international levels.”

The full Evolution of Cybersecurity Automation Adoption in 2024 report, including more detail on the survey questions, regional and industry snapshots, and recommendations for senior security professionals looking to automate their security processes, is available to download.

Report Methodology

Leading threat intelligence platform innovator ThreatQuotient commissioned a survey, undertaken by independent research organisation Opinion Matters in June 2024, of 750 senior cybersecurity professionals in the UK, US and Australia from companies employing 2,000+ people across a range of industries, including the Central Government, Defence, Critical National Infrastructure, Retail and Financial Services sectors, with 150 respondents from each.

About ThreatQuotient 

ThreatQuotient improves security operations by fusing together disparate data sources, tools and teams to accelerate threat detection and response. ThreatQ is the first purpose-built, data-driven threat intelligence platform that helps teams prioritise, automate and collaborate on security incidents; enables more focused decision making; and maximises limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. ThreatQuotient’s industry leading integration marketplace, data management, orchestration and automation capabilities support multiple use cases including threat intelligence management and sharing, incident response, threat hunting, spear phishing, alert triage and vulnerability management. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe, MENA and APAC. For more information, visit www.threatquotient.com.

Media Contact 

Paula Elliott
C8 Consulting for ThreatQuotient
+44 7894 339645
paula@c8consulting.co.uk

Silobreaker expands US reseller programme with ThreatQuotient

Strengthened collaboration to deliver unique threat insight, leveraging contextualisation and analysis of unstructured threat data at scale.

London, UK – Security and threat intelligence technology company, Silobreaker, has announced the expansion of its US reseller programme through a strengthened partnership with threat intelligence platform innovator, ThreatQuotient. This collaboration leverages Silobreaker’s vast datasets from open, deep and dark web sources to enrich the ThreatQ Platform, providing organisations with advanced capabilities to contextualise technical threat indicators and analyse unstructured threat information at scale. 

Silobreaker reseller programme expansion 

Building on the success of its existing reseller programme, Silobreaker’s expanded partnership with ThreatQuotient aims to extend its reach and enhance service offerings in the US market. This strategic move underscores Silobreaker’s commitment to working closely with resellers to deliver cutting-edge threat intelligence solutions. 

By integrating Silobreaker’s rich data sources, ThreatQuotient is strengthening the partnership between the two companies, ensuring that users benefit from a seamless and powerful threat intelligence experience. 

Utilising enrichment for enhanced threat intelligence 

The integration brings in several new features that significantly boost threat intelligence capabilities. On-demand querying allows users to easily access and query Silobreaker’s unequalled dataset of sources using intuitive search terms from the ThreatQ Platform.

Silobreaker provides powerful insights on threat indicators, drawn from a customisable pool of relevant data, as well as advanced correlation of high-relevance entities from Silobreaker documents, such as malware, threat actors, attack types and more. 

Integration use cases 

The integration supports a variety of key use cases, including threat monitoring across open sources and the deep and dark web, covering novel attack methods and campaigns targeting various industries. It also facilitates vulnerability tracking and offers enhanced credential monitoring and indicator enrichment for IPs, domains and subdomains.

“Our expanded reseller programme with ThreatQuotient underscores our commitment to providing top-tier threat intelligence solutions,” said Kristofer Mansson, CEO of Silobreaker. “The integration of Silobreaker’s capabilities with the ThreatQ Platform not only enhances our collective offerings but also provides organisations with a sharper, more holistic view of potential threats. Together, we enable our partners and customers to detect, analyse, and mitigate risks before they escalate into critical incidents, ensuring they have the crucial insights needed to make proactive, informed decisions to protect their organisations.” 

John Czupak, CEO, ThreatQuotient comments: “Today’s threats are constantly evolving and if we are to remain one step ahead of adversaries we need to share, involve, collaborate, respond, learn and take swift action. Our partnership with Silobreaker enables us to deliver even deeper insights into real world threats in open and dark web sources, so customers can accelerate understanding and harden their defences. These critical insights enable customers to ensure that incident handlers, malware researchers, SOC analysts and investigation leads gain more control, and are able to take the right steps at the right time to better manage risks.” 

For more information, please visit Silobreaker and ThreatQuotient. 

About Silobreaker
Silobreaker is a leading security and threat intelligence technology company that provides powerful insights on emerging risks and opportunities in near real time. It automates the collection, aggregation and analysis of data from open and dark web sources in a single platform, allowing intelligence teams to produce and disseminate high-quality, actionable reports in line with priority intelligence requirements (PIRs). This enables global enterprises to make intelligence-led decisions to safeguard their business from cyber, physical and geopolitical threats, mitigate risks and maximise business value.

Learn more at www.silobreaker.com 

About ThreatQuotient™

ThreatQuotient improves security operations by fusing together disparate data sources, tools and teams to accelerate threat detection, investigation and response (TDIR). ThreatQ is the first purpose-built, data-driven threat intelligence platform that helps teams prioritise, automate and collaborate on security incidents; enables more focused decision making; and maximizes limited resources by integrating existing processes and technologies into a unified workspace. The result is reduced noise, clear priority threats, and the ability to automate processes with high fidelity data. ThreatQuotient’s industry leading integration marketplace, data management, orchestration and automation capabilities support multiple use cases including threat intelligence management and sharing, incident response, threat hunting, spear phishing, alert triage and vulnerability management.  

For more information, visit www.threatquotient.com 

Media Contact 

Michelle Edge, Eleven Hundred Agency 

T: +44 (0) 20 7688 5202 

E: silobreaker@elevenhundredagency.com 

Crossword Cybersecurity Plc acquires threat intelligence company, Threat Status Limited

14 March 2022 – London, UK – Crossword Cybersecurity Plc (AIM:CCS, “Crossword”, the “Company” or the “Group”), the technology commercialisation company focused on cyber security and risk, is pleased to announce that its acquisition of the whole of the share capital of Threat Status Limited (“Threat Status”) has now completed. Threat Status is a threat intelligence company and the provider of Trillion™, a cloud-based software-as-a-service (SaaS) platform for enterprise-level credential breach intelligence. Additionally, Threat Status’s more recently released product, Arc, protects the users of customer-facing applications from the threat of account takeovers. The acquisition of Threat Status takes the Company’s portfolio to five cyber security offerings, alongside its cyber security consulting and managed services offerings. The transaction was first mentioned in an RNS announcement on 21 December 2021.

Threat Status’s platform enables businesses and managed service providers to monitor data that has been stolen and shared on the dark web and criminal forums which could harm the security of their business or that of their customers. Threat Status has developed its subscription-based, enterprise-class services to be turnkey, highly scalable, very secure and ready to go. The platform is quick for onboarding new clients, with no complex integrations needed, allowing rapid delivery of customer value.

Crossword Cybersecurity has agreed to pay a total consideration of £1.529m for Threat Status. This price represents an annual recurring revenue multiple of 5.25. The payments are structured as follows:

  • An initial cash payment of £500,210;
  • On the first anniversary of the transaction, a cash payment of £281,758 and £171,942 in Company stock;
  • On the second anniversary of the transaction, a cash payment of £125,000 and £450,000 in Company stock; and
  • All shares will be issued at a price based on the average mid-market price for the three months prior to the date of issue.

Threat Status was founded in 2017 by Jon Inns, who is the CEO of the business. He was joined by Ian Nice, CTO, and was supported by a third-party fund. Jon, Ian and their team of developers and apprentices will join Crossword to drive the continued commercialisation and development of Threat Status products. For the 12 months ended 31 March 2021, Threat Status made a loss of £54,864 and had net assets of £75,586 at that date. Threat Status is reaching breakeven, with 90% recurring revenue. Cross-sell opportunities are being explored alongside the acquisition, together with operating synergies.

Tom Ilube, CEO of Crossword Cybersecurity plc, commented: “Crossword is pleased to incorporate Trillion and Arc into its product suite, completing our aim of having five products in the market by the end of 2022 and adding over twenty new recurring revenue clients. We welcome Jon, Ian and their team to Crossword and are excited about the opportunities Threat Status brings to Crossword and our clients, as we continue in our mission to reduce the cyber risks for our clients by providing a portfolio of innovative products and services. This is our third acquisition in less than a year and shows the extent of our ambition to provide a portfolio of subscription-based, enterprise-class products and services.”

Jon Inns, CEO of Threat Status Limited, commented: “Threat Status has developed one of the strongest and most advanced credential leak monitoring services in the market and we’re looking forward to leveraging the opportunities and synergies this acquisition by Crossword represents. With Crossword’s experienced sales team and growing client base, and our proven and trusted technology, we expect market penetration to accelerate, increasing revenue and client protection.”

RiskIQ announces platform that delivers tailored security intelligence by lighting up internet relationships

RiskIQ, a leader in internet security intelligence, announced the launch of its RiskIQ Illuminate Internet Intelligence Platform, the only security intelligence solution that provides a tailored view of the global internet attack surface and pinpoints security exposures most critical for an organisation, all in one place.

With the entire internet now the security perimeter, defending the extended enterprise is a global-scale challenge. Attacker tools have flooded the web, and advanced adversaries target massive vulnerabilities in ubiquitous systems used across the world. To defend their organisations, security teams need actionable security intelligence that provides a bird’s eye view of the global attack surface and shows precisely how their organisation’s unique internet relationships fit inside it.

RiskIQ Illuminate is powered by the company’s Internet Intelligence Graph, built by assembling, labelling, and storing real-world observations over more than ten years. This real-time map of the web pre-computes the deep digital relationships that make up the global attack surface. By layering investigative capabilities over the graph, the RiskIQ Illuminate Platform delivers actionable intelligence that gives CISOs visibility and control amid a chaotic and unpredictable threat landscape.

With RiskIQ Illuminate, security intelligence evolves as fast as threat actors do because it’s fortified with trillions of observations of both an organisation’s unique attack surface and threat groups and their tools and tactics. This real-time data gives security leaders, researchers, analysts, and teams on-the-ground visibility into their digital presence from every angle to understand how they’re being targeted. This context prioritises the most critical exposures, future-proofs security programmes against emerging threats, and optimises precious security resources.

“Working closely with our Global 2000 clients and over 100,000 community members, we saw an opportunity to solve one of the most difficult cybersecurity problems at internet-scale,” said RiskIQ chief product officer Dean Coza. “Instead of shining a light on the problem one vulnerability or breach at a time, RiskIQ Illuminate flips the switch and brings the entire global attack surface to light, all at once.”

This real-time intelligence derived from both the enterprise attack surface and adversary infrastructure is key to prioritising, analysing, and triaging the new breed of pervasive, massive-scale threats currently wreaking havoc on the global community. RiskIQ Illuminate delivers four types of intelligence that can immediately help modern security operations fight back:

Attack surface intelligence: RiskIQ Illuminate connects digital relationships that show who is attacking you, your assets at risk, and your most critical exposures across your digital ecosystem.

Security operations intelligence: reputation scoring and one-click lookups across the open internet and deep and dark web remove the guesswork from threat intelligence. Security teams can increase value across their ecosystem of people, processes, and technology via flexible APIs, apps, and integrations with more than 100 security products and service providers.

Third-Party intelligence: RiskIQ’s view of the global attack surface—the good, bad, and everything in between—enables customers to identify risks within other digital footprints, including organisations and institutions, partners, peers, vendors, and more. Continuous discovery allows dynamic risk and reputation scoring for the most actionable intelligence across the digital supply chain.

Cyber threat intelligence: RiskIQ’s global view of adversary infrastructure exceeds what is currently possible with traditional threat intelligence approaches, presenting new ways to detect, hunt, and respond to advanced adversaries (including top APT actors and widely used tools leveraged by all adversaries). RiskIQ Illuminate cyber threat intelligence enables automated response, deep investigations, and board and CISO-level context.

Illuminating internet relationships

RiskIQ Illuminate is where cyber threats and critical asset intelligence converge to connect digital relationships for customers’ internet ecosystems. Mapping these relationships was recently highlighted as a core strength of RiskIQ’s technology by Forrester. In March, the research firm named RiskIQ a strong performer in The Forrester Wave: External Threat Intelligence Services, Q1 2021.

The Forrester report cited RiskIQ Illuminate’s ability to uncover global infrastructure and notes, “[RiskIQ] excels in uncovering infrastructure masquerading as a brand and, via its managed service, has a robust takedown service, relieving clients of adding headcount.” The report also states, “RiskIQ offers extensive tracking of both threat and friendly infrastructure.”

The launch of RiskIQ Illuminate is the latest in a rollout of new intelligence capabilities from RiskIQ. The company recently introduced a powerful Threat Intelligence Portal featuring daily attack surface threat intelligence on global, industry, and local threats. These insights help analysts detect and investigate suspicious and malicious indicators affecting their organisation with recommended actions. RiskIQ has curated threat intelligence from open and closed sources, including actual real-time attacks observed in the RiskIQ Global Collection Network, which spans over 2,500 observation points for attacks globally.

RiskIQ Illuminate also builds on the momentum generated by RiskIQ’s PassiveTotal platform, which saw users increase by 37,299, or 40 percent, in 2020. This hypergrowth was fueled by new integrations and significant improvements to RiskIQ’s one-of-a-kind data sets. RiskIQ’s community of users now stands at over 100,000, each of which contributes intelligence that adds to the company’s community defense model.

“As you use Illuminate and claim your attack surface, you are making the internet safer for all by tracking down adversaries and removing footholds attackers can use against you, your partners, and your customers,” said RiskIQ CEO Lou Manousos. “We are very excited to be opening up our platform and allowing defenders to leverage our visibility into global threats and exposures.”

“We believe this groundbreaking, innovative approach has leapfrogged several current state-of-the-art cybersecurity solutions and can fundamentally transform external attack surface management, threat intelligence, and third-party risk markets,” Coza said. “RiskIQ Illuminate leaves attackers no place to hide.”