ThreatConnect has developed its threat intelligence platform to gain insights into indicators of compromise and various threat intelligence feeds, then analyze and operationalize that intelligence for better decision making. ThreatConnect leverages this information to enable security orchestration and the aggregation and normalization of threat data from any source. The platform also operates as an intelligence-driven Security Orchestration, Automation and Response (SOAR) product that puts security data into context with intelligence and performs cross-platform analytics provided by the ThreatConnect Collective Analytics Layer (CAL) to measure security effectiveness.

This product intertwines intelligence with operations, a powerful combination that initiates a series of actions that ultimately results in observable artifacts. These artifacts become part of future intelligence that can then inform more operations, creating a recursive feedback loop.

Playbooks optimize threat response through automation and orchestration to avoid the laborious manual work analysts would otherwise have to conduct in their daily investigations. Flexible triggers set playbooks into motion, while orchestration templates that come out-of-the-box serve as security process blueprints. These blueprints can help guide junior analysts as they attempt to capture information while conducting research and investigations. Automating tasks within workflows further reduces the manual work that SOC teams must face, increasing the value of their overall security investments and alleviating some of their headaches.

The flexible dashboard lets analysts create as many sub-dashboards as they like to highlight the data most relevant to their organizations. The overview page captures all platform information and presents it in an easily digestible way. In effect, these dashboards give analysts everything they need to see trends, prioritize tasks, and uncover data points that will help them make informed decisions. We especially like the Captured Timeline, a feature that logs every activity that occurs during a case, from the moment analysts initiate a case issue to the time they close it.

The many exportable reports ensure that the platform always displays the most relevant data in the most digestible, actionable way possible. Analysts may delve into specific incident reports for more details, including a visual representation of all indicators of compromise, IP addresses, and other indicators of malicious activity. Each element gets linked to a detailed screen with extensive information that covers everything necessary to conduct a successful threat hunting investigation. We also found the ThreatAssess Score very useful, as it gives a composite of all threat ratings and confidence values available for an indicator of compromise.

Overall, security pros will find ThreatConnect a highly customizable threat intelligence platform with powerful dashboards, effective automated playbooks, and a handful of customizable, out-of-the-box templates geared towards individual use cases. CAL insights optimizes the performance of almost any security team and bolsters security because it proactively issues direct alerts regarding high-fidelity indicators of compromise. CAL breaks down silos of disparate systems and aggregates all data and intelligence into one reporting space, thereby maximizing analyst and tool efficiency and drastically simplifying threat management. Because of its unique approach to intelligence-driven operations, ThreatConnect can add value to any organization. Pricing starts at $100,000. This price includes 9/5 phone, email, and website support. Organizations also have access to a user-friendly knowledge base and FAQ list. Additional deployment, configuration, and support options are available for a fee.

Written by Katelyn Dunn

Tested by Tom Weil