In the battle to protect businesses from relentless attempts at infiltration, theft and disruption by cybercriminals, knowledge is power. Over recent years, this fact has been formalised through the growing adoption of cyber-threat intelligence (CTI) With the creation of teams and implementation of CTI programmes, organisations aim to build a proactive defence posture and stay one step ahead of adversaries. The 2020 SANS Cyber-threat Intelligence survey sponsored by ThreatQuotient, analyses the state of play in cyber-threat intelligence worldwide, indicates that we are entering an exciting period. CTI shows strong signs of maturing and cementing its place in the cybersecurity arsenal. 82 per cent of survey respondents say their CTI activities are delivering value. We are also seeing organisations become more strategic about how they implement the intelligence process and a growing recognition of the value of collaboration with the wider threat intelligence community. The following are my key highlights from this year’s research findings.
CTI is coming of age
There were twice as many respondents to this year’s survey compared to 2019 and more respondents than ever before reported that they are operating a CTI programme in their organisation. 85 per cent overall said that they had some form of CTI resource, with nearly half (49.5 per cent) having a formal, dedicated team. A further 27 per cent have shared responsibility with staff drawn from other teams, while 9 per cent have a solo CTI analyst. This is a welcome sign that CTI is accelerating as a component of companies’ cybersecurity strategies.
Also encouraging was the fact that the percentage with a dedicated team has risen steadily in the past three years. Investment in headcount is on the rise, indicating that businesses are committing to CTI for the long term.
In-house teams are not going it alone, either. 61 per cent of respondents said CTI tasks are handled by a combination of in-house and service provider teams, an increase of 54 per cent in 2019. This combination of external resources and internal expertise means organisations can better understand and address the threats they face.
Organisations are becoming more strategic about CTI
At the start, and the heart, of an effective CTI programme are clearly defined intelligence requirements (IRs). These identify the specific questions and concerns to be addressed by the programme to ensure the right data is collected and the appropriate focus is placed on the relevant threat areas by analysts. They are critical in providing the business-specific context for CTI programmes so that they deliver the most valuable outcomes for that organisation.
So it is encouraging that this year’s survey found the percentage of respondents reporting that they have clearly defined intelligence requirements has jumped 13.5 per cent, from 30 per cent in 2019 to 44 per cent in 2020. Another positive sign is the growth in the number of contributors to CTI requirements – there was more input from security operations teams, incident response teams and C-Suite executives, showing that a diverse group of stakeholders is helping to drive both the tactical and strategic direction of the CTI programme. The next stage in maturity will be to see more regular and structured reviews of intelligence requirements, as most still review IRs on an ad hoc or unknown basis.
Intelligence sources, automation and management advances - but more to be done
When it comes to collecting data to answer the intelligence requirements, there has been a jump in the percentage consulting both open source feeds and those from CTI-specific vendors. There has also been an increase in organisations producing threat intelligence data in-house to complement externally sourced data – more than 40 per cent of organisations said they both produce and consume threat intelligence data.
With this wealth of data at their disposal, the survey asked how organisations process high volumes of intelligence to gain actionable insight, and the degree of automation used to lift the burden from CTI teams. The survey shows that automation is still some ways off, with the majority of processing tasks completed either manually or semi-automated. While basic tasks such as data de-duping are commonly automated, more complex activities, such as reverse-engineering samples are a manual undertaking for 48 per cent of respondents.
In CTI management, the picture is slightly better with more organisations reporting automation in SIEM platforms and CTI management platforms. As CTI continues to prove its value, we would anticipate seeing more automation and tuning of tools to fit the context, priorities, and specific threats that businesses face. This supports analysts to focus their efforts where human evaluation is most effective and respond more proactively to threats.
Measurement is proving a challenge
Another sign that an approach is maturing is when focus shifts from operational considerations around what tools and teams can do, to measuring the effectiveness of their actions. Here the survey found that there is still some way to go. While a resounding 82 per cent of respondents find value in CTI, only 4 per cent had processes in place to measure effectiveness. However, the growing rigour in identifying clear intelligence requirements can offer a good starting point here. Once these are set, goals can be set based on answering the IRs through the CTI programme.
Collaboration is critical
Perhaps the most encouraging finding from the SANS Cyber-threat Intelligence survey is confirmation that collaboration is being embraced as a core component of security programmes. 45 per cent reported membership of an Information Sharing and Analysis Centre (ISAC) which is a high percentage, given that they are not available in all verticals or territories. The main benefits noted are timely and relevant threat information and the ability to network with contacts at other member organisations.
Now, more than ever, the uncertain cyber and physical environment and new threats emerging out of the disruption of Covid-19 pandemic mean that intelligence analysts need to share best practice data and strategies to overcome threats.
Ultimately, the 2020 SANS Cyber-threat Intelligence survey offers robust evidence that CTI is increasing in adoption and is proving its worth to a greater number of organisations than ever before. When threat intelligence is effectively collected, integrated, automated, prioritised and shared between analysts and wider stakeholders, organisations become more agile and effective at addressing the threats they face. We are in an exciting period for the industry, where organisations can see real, measurable impact from their accelerating investment in CTI teams and tools and we look forward to seeing further evidence of success in next year’s survey.
Anthony Perridge,. VP International, ThreatQuotient