
Organizations want threat intelligence, but struggle to make it actionable

A network defender participates in a cybersecurity exercise

Threat intelligence has long posed a great challenge for security teams. Any program using robust, reliable data sources should help reduce response times and prevent existing and emerging threats from penetrating networks and databases. But without proper mechanisms to manage the volume and velocity of threat feeds, security teams are easily overwhelmed, and security operations are stymied by an inability to make sense of a firehose of feed data and false positives.

CyberRisk Alliance (CRA) conducted two online studies on threat intelligence, one in June 2022 among 183 respondents and another in October 2022 that included 208 respondents. The June survey found that for most respondents (62%), a fear of ransomware attacks stands as the top strategic driver of their threat intelligence strategies, followed by regulatory requirements (48%) and recommendations from industry experts (39%).

Leading takeaways from the two studies include the following:

  • The vast majority of respondents from the October survey use threat intelligence at some level within their organization. A large majority of respondents (70%) said security operations has become among their top use cases for threat intelligence. Some 64% also said they use threat intelligence to increase the utility of the vulnerability management process. Other top uses for threat intelligence include incident response (53%) and risk analysis (53%).
  • Security teams use threat intelligence to predict future attacks. A large majority of respondents from the October survey said they use threat intelligence data for operational (70%) purposes, which helps in predicting future attacks and planning defense strategies. About two-thirds (67%) said they used threat intelligence data for technical objectives, primarily focusing on attackers’ resources and tools and the specific implementations used for the attacks.  
  • Threat intelligence has become central to security teams. Many respondents from the June survey pointed out that having access to early and credible intelligence has become a core requirement for their organization. About 6 in 10 (57%) said they subscribe to up to 10 threat intelligence feeds while another quarter (26%) gather their intelligence from 11 to 50 feeds. The largest shares of respondents said they use threat data from malware analyses (75%) or indicators of compromise (IoCs) (72%).
  • Data from existing network infrastructure are leveraged for threat intelligence. In the October survey, security pros said the most common types of data they use for threat intelligence come from IDS, firewalls, and endpoints (reported by 67%), network traffic analysis (packets and flow) (62%), incident response and live forensics (57%), application logs (56%) and email or spreadsheets (55%). Use of information from the dark web (39%), MSSPs (36%), industry groups such as CERT (34%), and media/news sources (33%) is slightly less common.
  • Security teams are looking to automate threat intelligence. In the June survey, respondents cited the importance of having an automated action and response capability as part of their chosen solution. Nearly half (46%) said they already incorporate automation in their threat intelligence strategies, and almost as many (41%) said they plan to add that capability, making this the top planned component of their threat intelligence strategies.

Overall, about 66% of respondents from the June survey said they anticipate spending more on threat intelligence in 2023. This bodes well for security operations centers (SOCs) hoping to boost defense capabilities through improved threat intelligence. However, security pros remain cautious about how much money management will let them spend, and finding the right tool to automate all these threat feeds remains challenging, so there’s much work ahead.
