CTI proving value to security operations, says SANS Institute
Cyber Threat Intelligence is improving prevention, detection and response capabilities, survey shows
Cyber Threat Intelligence implementations are proving their worth to organisations, but lack of skills required to run CTI is holding up utilisation, according to SAN Institute.
The 2018 SANS Cyber Threat Intelligence Survey shows that organisations believe that CTI, the combined use of tools and data feeds to improve operational awareness of security threats, has improved their security abilities.
Eighty-one percent of respondents said that their CTI implementations have resulted in improved prevention, detection and response capabilities, up from 78% in 2017 and 64% two years ago.
The survey took data from 323 respondents, across a broad range of industries including Cyber Security, Banking and Finance, Government, and Technology. Twenty-seven percent of respondents work in organisations with 5,000–50,000 employees, and over sixteen percent are in organisations larger than 50,000.
Sixty-eight percent of respondents say they have implemented CTI this year, and another 22% plan to introduce it in the future. Only 11% of companies have no plans to do so, falling from 15% in the previous year.
Finding skilled staff to operate CTI consoles is getting more difficult, according to this year's report, despite the trends showing that CTI can play an important role in an organisation's security strategy. In this year's survey, 62% of respondents cite a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10% points over 2017 (53%). This indicates that the more CTI is used and consumed, the more this skill set is in demand. It may therefore be much more difficult to find staff members who are experienced in setting up and operating CTI programs. Similarly, 39% cite a lack of technical ability to integrate CTI tools into the organisational environment.
"As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats," said the survey's author, Dave Shackleford, SANS Analyst and Senior Instructor.
Responses to the 2018 survey reveal a growing emphasis on CTI being used for security operations tasks: detecting threats (79%), incident response (71%), blocking threats (70%) and threat hunting (a little further down the list at 62%). The survey responses indicate that threat intelligence is key in augmenting and improving firewall rules, network access control lists and reputation lists. Known sites and indicators associated with ransomware are then being shared through threat intelligence, allowing operations teams to quickly search for existing compromise and proactively block access from internal clients.
"Fortunately, many organisations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence. All of this has resulted in improvements in organisations' abilities to improve security operations and detect previously unknown attacks," Shackleford said.
"These results reinforce the trends we're seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response."