Ponemon offers best practices for threat intelligence

May 1, 2019
  • Establish a formal and dedicated team to manage threat intelligence activities.
  • Allocate adequate budget to threat intelligence, including threat hunting and advanced
  • attacker investigations.
  • Participate in threat intelligence sharing.
  • Participate in an ISAC/ISAO or other industry sharing group.
  • Increase the security team’s knowledge about adversaries including their motivations, infrastructure and methods.
  • Improve ability to integrate threat intelligence with their tools.
  • Improve ability to integrate threat intelligence data with SIEM and IDS/IPS.
  1.   Adequate budget. Forty-one percent of high performing organizations have resources that focus on threat detection versus only 33 percent of respondents in the overall sample.
  2.   Focused on improving the use of threat intelligence to detect threats. Seventy-two percent of respondents in high performing organizations rate their organizations’ use of threat intelligence data as part of its threat detection efforts as highly effective. In contrast, 41 percent of respondents in the overall sample rate their effectiveness as very high.
  3.   Understand their adversaries. Virtually all high performing organizations want to understand the motivations, infrastructure, and methods of attackers.
  4.   Pay for threat intelligence. Sixty percent of respondents say the primary source of threat intelligence is paid threat intelligence feeds. Twenty-three percent of respondents in the overall sample are more likely than high performing organizations to use open source threat intelligence feeds.
  5.   Implement a dedicated threat intelligence platform. Sixty-nine percent of respondents in high performing organizations have a dedicated threat intelligence platform but less than half (48 percent) of respondents in the overall sample have this.
  6.  Integrate threat intelligence with its SIEM and IDS/IPS with less difficulty than the overall sample. Eight-six percent of respondents in high performing organizations either integrate threat intelligence data from a threat intelligence platform (45 percent) or integrate built-in threat intelligence data provided by the SIEM vendor (41 percent). Eighty-one percent of these respondents say their organizations integrate threat intelligence with their IDS/IPS. High performing organizations also report that the integration with SIEM and IDS/IPS was not as difficult as the overall sample believes.
  7.   Share intelligence with other organizations. Seventy-seven percent of respondents in high performing organizations share threat intelligence with other organizations versus 59 percent of respondents in the overall sample.
  8.   Have a dedicated threat hunting team. Fifty-nine percent of high performing organizations have a dedicated threat hunting team. 43 percent of respondents in the overall sample.
prestitial ad