Empowering Better Security Operations with Intelligence

ThreatConnect

The Möbius strip has several curious properties. A line drawn along the edge travels in a full circle to a point opposite the starting point. If continued, the line returns to the starting point, and is double the length of the original strip: this single continuous curve traverses the entire boundary [1]. This process naturally creates a continuous feedback loop, much like threat intelligence and security operations should.

Using ThreatConnect's security operations solutions, which combine Threat Intelligence Platform (TIP) and Security Orchestration, Automation and Response (SOAR) capabilities, enables you to make intelligence-driven operations a reality. ThreatConnect places intelligence at the core of the decision-making process in security. As threat intelligence drives operational decision making, the result of those actions can be used to create or enhance existing threat intelligence, which creates that feedback loop.

[Image: a Möbius strip]

Intelligence and operations as functions on the security team should be cyclical and symbiotic. Intelligence informs decisions for operations, resulting in actions being taken based on those decisions. Those actions (such as cleanups, further investigations, or other mitigations) will beget data and information in the form of artifacts such as lists of targeted or affected assets, identified malware, network-based IOCs, newly observed attack patterns, etc. These artifacts can be refined into intelligence that can thus inform decisions for future operations.

Threat intelligence acts as a catalyst for taking an action or starting a process and informing how the process and decision making are done throughout. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.

Orchestration is the facilitation of human and automated processes by integrating multiple security tools and systems. It should be the connective tissue that facilitates efficiency and scale across people, processes, and technology. Orchestration informed by threat intelligence is more effective, resilient, and adaptive. It uses available relevant information on threats and information about your own environment to adjust and improve your processes dynamically.

Using threat intelligence and orchestration together, situational awareness and historical knowledge determine what and how processes should be handled. So you build this cyclical relationship. Threat intelligence allows the process to automatically adjust itself and helps you drive further decision making. Taken one step further, threat intelligence allows you to cross-reference what you observe with historical knowledge and situational awareness. This information provides insight that enables you to decide which action to take. And then, you can automate that action. Using threat intelligence to determine automation empowers you to be proactive in mitigating threats to your organization.

ThreatConnect helps you create your own single source of truth, enabling team members to assign each other tasks, work from the same data, and easily collaborate. ThreatConnect can also become your system of record, because it stores every piece of threat data, all of the additional context added to it, and all of your processes in one place.


[1] en.wikipedia.org/wiki/Möbius_strip
