Many organizations found themselves caught in the crossfire of 2023’s worst cyberattacks — a fate that could likely have been avoided with access to better cyber threat intelligence (CTI).
Thanks to a recent survey of more than 200 IT security professionals, we now know that a majority of businesses are flying blind when it comes to rooting out potential adversaries in their threat environment.
Just 39% of the respondents in a December 2023 survey by CyberRisk Alliance (CRA) acknowledged using threat intelligence to help prevent or mitigate cyberattacks. Fifty-five percent, meanwhile, said they are considering or planning to adopt CTI in the near future.
If those aspirations lead to action, 2024 could be a huge year for the CTI market. Resources and funding are scarce, however, and survey respondents tell us they’re prioritizing two features above all else.
CTI essential: Integrated threat intelligence
Respondents want a CTI platform that easily integrates with existing security solutions and data sources, not something that creates additional complexities or overhead just to manage.
Unfortunately, finding such a platform that can accommodate and build on legacy building blocks has proven difficult for many.
“The biggest challenge we continue to face is the integration from all sources of security products providing relevant and immediate recommendations,” writes one respondent. “Third-party products have helped, but have not provided full visibility into the data.”
Others describe the complexities of trying to build unified threat intelligence when so many existing tools operate in silo, ignorant of the signals their peers are picking up.
“We have multiple environments and campuses globally so integrating all the data can be cumbersome,” says one respondent. “Combine that with DOD, NIST, PCI, HIPAA and more compliance [policies], and it can be rather stressful.”
“In order to effectively implement a threat intelligence program, our organization would need the most help in integrating it into existing systems and ensuring compatibility with existing and legacy devices,” writes another.
The bottom line: There’s a huge appetite for CTI that can help prevent and mitigate cyberattacks, but those responsible for keeping watch are struggling to find a solution that can integrate seamlessly with existing IT without producing more problems in the process.
CTI essential: Real-time data analysis
Besides the integration aspect, respondents of CRA’s survey see real-time data analysis as an essential feature to a CTI platform.
Attack after attack reminds us of the stiff penalties awaiting organizations who fail to identify an active adversary in their midst. Static or infrequent security alerts simply can’t keep pace with the speed of today’s more sophisticated ransomware and malware players. Respondents know this firsthand, acknowledging the impact that limited visibility and agility played in their own breaches.
- “A challenge our organization had was dealing with a large-scale outage affecting multiple locations. Since the cause diagnostics were not clear, the challenge we had was quickly trying to determine if it was a threat-based attack or a failure of the network infrastructure itself.”
- “We had an issue with our SOAR platform. We felt that we were blind until the company could rectify the issue.”
- “In our case, we struggled to identify the source of a service found running on DC [domain controller]. We either open the firewall to a scanner which is unsafe, or we get limited intelligence. Choose your poison.”
These testimonials should act as a wake-up call to manufacturers of solutions supporting CTI functionality. Respondents desire real-time data analysis that can proactively inform incident responders to take action. Moreover, an effective CTI operation should be able to detect and prioritize real threats without generating false positives that distract analysts from the real cause.
In summary
Approximately 6 in 10 organizations do not yet use CTI to prevent or mitigate cyberattacks. While a majority have intentions to establish a CTI platform in 2024, it is critical that vendors and manufacturers of CTI products address the customers' need for tools that can integrate and build on existing solutions while providing SOC responders real-time data analysis.
