Verdict: Solid solution that has a lot to offer. Playbooks are a nice touch and really help this product stand out.

Date: 2018-08-28

Summary

Reviewed By: Matthew Hreben & Michael Diehl

Written By: Dan Cure

ThreatConnect's offering in this space is TC Complete, a solid threat intelligence platform that focuses on facilitating automated processes. Operators familiar with the SOAR (Security Orchestration, Automation and Response) conceptual framework will find TC Complete a formidable utility designed to carry out strategic plans immediately. Using configurable playbooks, analysts can draw a clear line from threat recognition and identification to the specific acts of triage that will counter and nullify the danger within a specific environment.

Users start with 30-plus built-in playbooks, with others available from playbook repositories such as GitHub. ThreatConnect also has its own Slack channel for customers to communicate with the company. The key efficiency of a playbook lies in its separable components: a user can save a piece of a playbook and reuse it in others. In fact, among its customers ThreatConnect sees an average of 792 playbooks executed per day, a testament to the clear benefits of automating responses that previously required manually intensive inputs.

Managed security service providers may prove to be the greatest beneficiaries of automation, and ThreatConnect has aimed the development of its playbooks to function across multiple environments, be they office, virtual or cloud-based networks. The tremendous implication for a service provider is the ability to use the same playbooks for all clientele, thus retaining the ability to accommodate growth or changes to a specific client's system.

However, a word of caution when publishing and sharing playbooks: while it's true that camaraderie can draw together the brightest ideas for orchestrating security responses, playbooks that are too specific in detailing concrete network features and architecture can reveal to outsiders important facets, and even key advantages, of a network's design. An organization must therefore exercise discretion about how much its published contributions reveal about its network.

TC Complete also features a Playbooks ROI Calculator for tracking the return on investment of automation and orchestration activities. In most cases, it takes the severity of a breach (postmortem) to question the cost of inaction vs. the value of sustained vigilance. This quantification makes it clear that planning and codifying an organization's responses to incidents is well worth the effort.

When it comes to visualizations, ThreatConnect ensured that dashboards are customizable. We appreciated the handy spider network graph functionality and the ability to explode the view to see how threats are connected. From domains to IP addresses, and from IP addresses to domain registrars, the visual elements help determine how far upstream to block a family of related threats so that none of them remains a concern.

For intelligence that requires further scrutiny, the investigation links feature offers data-enriching resources that add context and additional data sources for better understanding a specific indicator. The solution boasts solid SIEM integration with ArcSight, Splunk, LogRhythm, QRadar, RSA NetWitness and others. In all, 350-plus integrations and applications are combined in TC Complete.

Entry-level pricing may be as low as $100,000, depending on deployment and configuration options chosen. Basic Support is 8/5 and is included in the list cost of the product. Enhanced support is 24/7 and typically costs 25 percent of the product's list price.