Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

The Multiplier Effect of Collaboration for Security Operations

Threat Intelligence Analysts, SOCs and Incident Responders Can Work Together to Take the Right Actions Faster

Threat Intelligence Analysts, SOCs and Incident Responders Can Work Together to Take the Right Actions Faster

Remember the old police shows where the officer pulls someone over and then gets on the car radio to report back to the station, call for backup, maybe request an ambulance if needed? This was the reality for many years and acceptable as recently as 15 or 20 years ago. Traditional Land Mobile Radio (LMR) systems worked well if you were dealing with straightforward situations. But when a larger, complex event would happen that required full-scale, immediate response and investigation, communication and collaboration was difficult at best. As technology evolved, police, firefighters, paramedics and the National Guard all starting using different types of radios that didn’t interoperate. They weren’t aware of the orders various teams were receiving, the actions being taken and new information each team was discovering. 

Fortunately, technology has caught up to the needs of first responders and defenders. LMR systems now integrate with newer LTE systems and even out to the Internet, satellite or commercial cellular networks for reliable, integrated and interoperable communications for voice, video and data. Today, state, local and federal agencies are much better equipped to collaborate and coordinate response with real-time situational awareness and actionable situational intelligence. 

We’re experiencing a similar evolution in the world of cybersecurity. For years, we’ve relied on a defense-in-depth approach to security where each team uses different point products from different vendors to protect valuable digital assets and systems. The problem is that these disparate technologies don’t interoperate, and each has its own intelligence, making it extremely difficult for tools and teams to share intelligence, collaborate and coordinate response. When security teams are dispersed all over the world, the challenge is even greater.

This is where a threat intelligence platform comes into play. It can serve as the glue to integrate these disparate technologies. Automatically exporting and distributing key intelligence across the many different layers of your defense-in-depth architecture, it offers your different security teams access, as part of their workflow, to the threat intelligence they need to improve security posture and reduce the window of exposure and breach. For example, the incident response team uses forensics and case management tools. The malware team uses sandboxes. The security operations center (SOC) uses the SIEM. The network team uses network monitoring tools and firewalls. The endpoint team uses endpoint detection and response tools. 

So now that the tools are tied together, what about the teams? Typically, security teams operate in silos. For example, when a threat intelligence analyst researches an event or alert and doesn’t find information that is relevant to them, they tend to put that information aside and move on to the next task. But what if someone else in the SOC, conducting a separate investigation, could have benefitted from that work? Without the ability to collaborate as part of the workflow, key commonalities are missed, and investigations can stall. 

To address this aspect of integration, a threat intelligence platform can act as a virtual cybersecurity situation room where team members, sharing the same pool of threat data and evidence, can conduct investigations collaboratively. Seeing the work of others and sharing insights, they can detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related. They can also store a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs) which can serve as a centralized memory to facilitate future investigations. 

However, as first responders know all too well, once you’ve quickly and accurately assessed the situation, rapid response becomes your mission. Security operations is in the same boat. Reducing mean time to detection (MTTD) through shared understanding and collaboration is great, but now you need to use that advantage to reduce mean time to response (MTTR). The challenge is that most security operations environments are chaotic, with teams acting independently and inefficiently. 

A virtual cybersecurity situation room can help here too. Managers of all the security teams can see the analysis unfolding, allowing them to coordinate tasks between teams and monitor timelines and results. Threat intelligence analysts, SOCs and incident responders can work together to take the right actions faster, reducing the time to response and remediation.

When you think about first responders, the need for collaboration is a no brainer. Thankfully, technology has caught up, making this standard practice. Now it’s time for us to apply the same thinking to cybersecurity. Enabling collaboration and coordination across all security teams to accelerate security operations should also be the norm.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Incident Response

Implementation of security automation can be overwhelming, and has remained a barrier to adoption

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...