In today’s rapidly changing threat landscape, early actionable access to credible threat intelligence has become critical. Many consider it a core requirement of doing business.
According to 183 security pros surveyed by CyberRisk Alliance (CRA), threat intelligence arms their security operations centers (SOCs) and incident response teams with the operational information they need to make timely, informed decisions: preventing system downtime, thwarting the theft of confidential data, and protecting intellectual property.
Many respondents also said threat intelligence helps them protect their company and customer data – and potentially saves the reputation of their organizations. Some say that with threat intelligence, there’s no better way to keep leadership informed so that the company can prioritize security efforts. “Without threat intelligence we would be chasing ghosts,” commented one respondent.
Here are four important findings from the new CRA threat intelligence report:
- Security pros are worried about imminent cyberattacks. About two-thirds (64%) said they are “very” or “extremely concerned” about cyberthreats in the next 12 months. Their main concerns are ransomware (70%), followed by expanding attack surfaces (55%). For most respondents (62%), a fear of ransomware attacks was viewed as the top strategic driver of their threat intelligence strategies, followed by regulatory requirements (48%) and recommendations from industry experts (39%).
- Companies have very functional uses for threat intelligence. Respondents reported their top use cases for threat intelligence are vulnerability management (68%), security operations (66%), and incident response (62%). Technical (73%) and operational (71%) threat intelligence are more common than the more difficult strategic or more basic tactical use cases. Only 5% said they did not use any threat intelligence.
- Good threat intelligence has become a core requirement. Many respondents pointed out that having access to early and credible intelligence is a “core requirement” for their organization. About 6 in 10 respondents (57%) said they subscribe to up to 10 threat intelligence feeds while another quarter (26%) gather their intelligence from 11 to 50 feeds. The largest shares of respondents said they use threat data from malware analyses (75%) or IoCs (indicators of compromise) (72%).
- More security teams look to automate threat intelligence. Respondents indicated the importance of having an automated action and response capability as part of their chosen solution, now and in the future. Nearly half (46%) said they already incorporate automation in their threat intelligence strategies, and almost as many (41%) said they plan to add that capability, making this the top planned component of their threat intelligence strategies.
Effectively implementing threat intelligence isn’t without its challenges. Companies face internal obstacles and competing priorities, such as limited resources, a lack of skilled or qualified staff, and budgetary or financial constraints, as well as the difficulty of keeping up with an evolving threat landscape and an expanding attack surface.
Unfortunately, automated security responses that can detect and remediate the latest types of attacks remain out of reach for many. Some respondents say actionable intelligence is hard to find, while others grapple with threat data overload, the work of collating and assembling critical attack data, and the need to control excessive alerts and false positives.
Respondents also considered it problematic to find the most efficient solution, one that enables rapid deployment and the greatest ROI, to integrate intelligence into existing operations, and to deploy advanced technologies such as machine learning models that make use of historical data to predict future events.
On the plus side, some 66% of respondents anticipate spending more on threat intelligence in the coming year. This bodes well for SOCs hoping to boost defense capabilities through improved threat intelligence, particularly as it relates to patching security flaws in current software and responding more quickly to security events.