Published on: July 7, 2024
In this SafetyDetectives interview, we sit down with Dan Young, the CEO and Founder of QuoLab Technologies, to explore the innovative approaches his company brings to cyber threat operations management. QuoLab stands out in the cybersecurity landscape with its unique source-agnostic and vendor-agnostic platform, offering seamless integration across various technology ecosystems. Dan shares insights into how QuoLab’s multi-tenancy features and automation capabilities are transforming the way organizations handle cybersecurity threats. Join us as we delve into the challenges and breakthroughs in managing today’s most pressing cyber threats.
Thank you for your time today, can you share a little about your background and what led you to create QuoLab?
Absolutely. I founded QuoLab in January 2020. Before that, I worked in the federal government as a cyber operator. I was in Air Force intelligence for 10 years and then spent six more years as a DoD civilian employee doing computer network defense and cyber operations. This involved incident response, network operations, digital forensics, and the like on networks and endpoint systems.
The genesis for the QuoLab platform came out of the problems we faced in disseminating reports, collecting data from different sources, and the lack of an inter-organizational collaboration platform for actual threat data. In the business world, we have ecosystems like Microsoft Office, where we can follow email chains and manage workflows with tools like SharePoint. This doesn’t really exist in cybersecurity. When you’re talking about highly complex data points, and you’re trying to do it via Microsoft Excel or simple JSON files that you’re passing back and forth, or even in a shared Splunk databases, it loses that analytic touch that the human operators provided, and that was the inspiration for the platform.
We said, let’s create something that I like to call a layer 8 focus tool, layer 8 being the human layer on the on the OSI stack. The goal is to answer the question: “how can we best leverage the output from the tools that operators are using and the processes that they use on a daily basis to deliver better intelligence vale?”. And at the same time, bring those results into a holistic, more business intelligence driven value for that data and that intelligence,
How does QuoLab differentiate itself from other similar threat management platforms?
There are several key differentiators between us and our competitors
One major differentiator for us is that we are a source-agnostic and vendor-agnostic platform. It doesn’t matter if you’re in the Palo Alto ecosystem, Google, Microsoft, you know, pick a company that’s providing holistic cybersecurity software and services—we integrate and interact with all of them. This is ideal for organizations like MSSPs with different clients and technology stacks. It’s also specifically beneficial for supply chain environments where you have tier-one manufacturers and tier-two or tier-three suppliers. These are different companies with different ecosystem needs, and QuoLab bridges the gap between their cybersecurity teams, processes and tool stack.
As an example, a compromise in a tier-three supplier—a 20-person company providing a critical component for a tier-one supplier—can directly impact the tier-one supplier and disrupt the supply chain. QuoLab, with our multi-tenancy feature, allows different QuoLab nodes to communicate in real-time on cases they are tracking. If a threat actor hits one organization, they can quickly create a case and share it with their other team members across the supply chain. They share not just indicators of compromise (IOCs) but the entire case, enabling them to respond collectively and look for similar threats.
Another major differentiator is that we work both on-prem and in the cloud. Our hybrid cloud deployment capability allows QuoLab to run on a laptop in a deployed environment—putting my military hat back on— and also works in air-gapped environments, as well as large multi-cloud environments like AWS and Azure. The platform scales equally in these environments.
The third key market differentiator for our platform is our customized reporting. With QuoLab, you can track high-level technical data points and business intelligence value, whether it’s insider threats or financial systems. These data points are collected within the system, and with a click of a button, an analyst can generate a report. Instead of copy-pasting data into a Word or PowerPoint presentation, the system generates an auto PDF based on the company’s templates, including the right letterhead, formatting, and logo. The analyst creates their case, does their work, [places] it into a folder, and QuoLab handles the rest, generating the report with all the necessary screenshots and data in the organizations preferred reporting format.
What role does automation play in your approach to threat intelligence?
Huge, automation is massive. I just mentioned one use case—automating reporting. That alone saves hundreds of FTE hours with the platform. On the other side, automation plays a crucial role in ingesting and processing data feeds. This includes external source threat intelligence and internal data from security controls like endpoint detection response (EDR) and network detection monitoring tools.
Automating the collection and aggregation of these data points is essential. It allows for the automatic propagation of tags, such as MITRE ATT&CK tags, and other key identifiers for different attacks. Additionally, automation facilitates the workflows associated with this data, such as pushing revised findings back to improve rule sets and triggers that identify these threats.
Automation is integral throughout our platform, enhancing the efficiency and effectiveness of threat intelligence processes. This extends to machine learning (ML) applications we are building into the platform. Instead of relying solely on binary or Boolean logic, we are now looking at heuristics and behavior patterns. By identifying threat actors or entities trying to penetrate our network through specific vectors and tactics, techniques, and procedures (TTPs), we can monitor everything that matches those signatures and apply that across our analytics.
How does single-source access improve the efficiency of threat detection and response, especially compared to traditional methods?
Single-source access is important from an operator standpoint. Currently, in most organizations, especially large ones, operators might have 10 to 15 different tools open in different tabs in their analytic environment. The industry often uses the phrase “single pane of glass,” which implies an easy button for managing these tools. While creating a true single pane of glass is a massive technical undertaking, we’ve made large strides in delivering this through the QuoLab platform.
QuoLab aggregates data from both external and internal sources, regardless of the source, and provides single-source access to this data within the case environment and reporting framework. This integration simplifies the workflow for operators, allowing them to access all necessary information in one place. By reducing the need to switch between multiple tools and tabs, operators can improve the efficiency of threat detection and response. This streamlined approach leads to faster decision-making and a more cohesive understanding of the threat landscape.
What are some of the most pressing cybersecurity threats today, and how can businesses be prepared?
Ransomware is huge right now. It’s a trillion-dollar industry, with reports from the FBI and other crime prevention centers indicating that in 2024, it’s the third largest economy. If you consider the sheer number of ransomware attacks and the financial impact they have, it’s projected to become the second largest economy, just behind the United States, by 2028. This highlights the massive scale of the issue.
We are facing a tsunami of ransomware attacks globally, and the cybersecurity environment is struggling to respond effectively. What we need is a more cooperative and holistic approach. This is an all-hands-on-deck issue, not just about protecting individual ecosystems but about collaborating to address these cybersecurity threats collectively.
One challenge is that many organizations are hesitant to share information due to legislative concerns like GDPR, especially in the financial sector. However, with a system that can sanitize personally identifiable information (PII) and GDPR-sensitive data, organizations can share threat information without compromising individual privacy. This isn’t about the employees or customers; it’s about understanding and mitigating the threats.
Another issue is the stigma around admitting a breach. Many organizations still have an old-school mentality and don’t want to disclose that they’ve been compromised, fearing embarrassment. But breaches can happen to anyone, and there’s no reason to be embarrassed. Admitting an attack and seeking help can lead to better overall security.
Changing the mindset of both operators and leadership in companies is crucial. Instead of burying incidents under the rug, as some have tried in the past, organizations should openly admit breaches and seek collaborative assistance. Legal and financial repercussions now make it more important than ever to be transparent.
Over the last decade, there have been significant strides with Information Sharing and Analysis Centers (ISACs). These organizations focus on collaborative threat sharing and incident response. Examples include the Oil and Natural Gas ISAC and the Retail ISAC, which involve companies like Target and Walmart. These efforts aim to improve holistic incident response and remediation.
However, there are still technological challenges that need addressing. Our organization is working directly on these challenges, making it easier for ISACs at the administrative level to transfer their efforts to the technology layer, enabling better data exchange and coordination.
What are some common misconceptions businesses have about managing cyber threats?
That’s a loaded question. Common misconceptions can vary, but in my experience, they often include the following:
- Technology-Only Solution: At the board level, there’s often a misconception that cybersecurity is purely a technology problem. The belief is that by throwing more cybersecurity experts and budget at the issue, they can buy more tools and become more secure. In reality, it’s also a human problem. Why did someone click on that link? Was it a lack of education, training, or awareness? Companies need to focus on internal improvements, including employee education and proactive threat hunting, not just updating rules in their systems every six months.
- Operational Resistance: Many organizations resist proactive security measures because of the operational impact. They might hesitate to perform pen testing or system reboots due to potential disruptions. However, the impact of these proactive measures is far less severe than the damage caused by a successful cyberattack.
- Incentive Misalignment: Companies, especially in the US, are often not incentivized to prioritize cybersecurity over operational efficiency and profitability. Europe’s GDPR has addressed this by imposing fines and regulatory requirements, forcing companies to take cybersecurity seriously. This kind of regulatory pressure can significantly change organizational mindsets.
- Small Business Challenges: Smaller companies, such as specialized manufacturers, may not have the technical expertise or resources to manage cybersecurity effectively. These businesses, which were traditionally non-technical, now face the added responsibility of cybersecurity. There needs to be more support for these smaller entities, especially those identified as part of critical infrastructure. Some states, like Connecticut and Maryland, are providing cybersecurity resources, but there isn’t a unified approach across all 50 states.