In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on?
It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.
Threat intelligence helps organizations stay informed about the latest cyber threats and vulnerabilities. By gathering and analyzing information about potential attacks, threat intelligence can provide organizations with valuable insights into the tactics, techniques and procedures (TTPs) used by cyber criminals.
Given the deep value provided by threat intelligence, why aren’t more cyber pros taking advantage of it?
Not using threat intelligence
Almost four in five organizations are making cybersecurity decisions without any insight into the threats they face. This is according to a new survey from Mandiant, a unit of Google Cloud. Likewise, only 35% of survey respondents say their organization has a comprehensive understanding of threat groups’ TTPs.
The results of this survey make one wonder how security teams make resource allocation decisions. This is especially important given the budget crunch and talent shortage that all companies are facing now. In fact, over half of those surveyed (53%) said the security talent shortage threatened their ability to stay ahead of the latest trends. Nevertheless, nearly all respondents (95%) say they feel they can prove to senior leadership that their organization has a moderate to highly effective cybersecurity program.
Other findings in the report shine even more light on the situation. On average, survey respondents indicated that cybersecurity is only discussed once every four to five weeks with groups outside the security team. This includes the board, C-suite and other senior stakeholders. Discussions are even less frequent with investors; the average falls to once every seven weeks.
The value of threat intelligence
Consider these key reasons why threat intelligence is important in cybersecurity:
- Proactive defense: Threat intelligence allows organizations to stay ahead of potential attacks and proactively defend against them. By identifying emerging threats and vulnerabilities, organizations can take steps to mitigate risk and protect systems and data.
- Better detection: Threat intelligence can help organizations identify indicators of compromise (IOCs) and other patterns that may indicate an ongoing or imminent attack.
- Contextual understanding: Threat intelligence provides valuable contextual insight into attackers’ motivations and capabilities. This helps organizations better understand the nature of the threat and develop more effective defensive strategies.
- Improved decision-making: Threat intelligence can inform decision-making across a range of security functions. This includes incident response, vulnerability management and risk assessment. By providing timely and relevant information, organizations can make more informed decisions and reduce the risk of costly errors.
In a nutshell, threat intelligence saves time, reduces risk and minimizes costs. Logically, executives would want to take advantage of this. But do they know their security teams — by their own admission — don’t take full advantage of threat intelligence?
Read the Threat Intelligence Index
Not in complete denial
Those surveyed in the Mandiant report fully recognize the importance of threat intelligence. Most (85%) of the respondents deemed it important to identify attackers, the TTPs used by the attacker (88%) and the attacker’s motivation (87%). Despite this, only 34% say they always consider the source of a potential attack when testing security defenses and operations.
A large majority (84%) of respondents said that they are worried they may be missing out on threats or incidents. Why? This is due to the large number of alerts and data they are faced with every day. This information overload also impacts the well-being of personnel: more than two-thirds (69%) of security teams admit feeling overwhelmed.
Keys to improve threat intelligence
The Mandiant study revealed significant gaps in security team confidence vs. adequate threat intelligence approaches. So how might organizations close the gap with the goal of improving overall security? Here are some key approaches to consider for an effective threat intelligence strategy:
- Threat analysis enrichment. Utilize threat group profiles, malware analysis reports, malware detection rules and insights gathered from near real-time threat intelligence to consolidate incident detection and response efforts.
- Automate and share. Automate the collection and integration of internal and external data sources through a comprehensive ecosystem of security tools and open-source intelligence (OSINT) feeds, enabling teams to swiftly detect and disseminate threat data.
- Enlist expert advice. Streamline threat intelligence management by partnering with security experts who can create, develop and manage an automated cyber threat platform. Quality security provides real-time threat data to keep you ahead of potential attacks.
Participating in threat intelligence sharing also improves protection for everyone. For example, CISA’s Automated Indicator Sharing (AIS) facilitates the real-time exchange of machine-readable cyber threat indicators and defensive measures between public and private sector organizations.
The AIS community includes private sector entities, federal agencies, state, local, tribal and territorial (SLTT) governments, information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs), as well as foreign government partners and companies.
AIS is free, and it’s part of CISA’s mission to collaborate with public and private sector partners to identify and mitigate cyber threats through information sharing.
Speak up about threat intelligence
Luke McNamara, a principal analyst at Mandiant in Google Cloud, suggests that the power of threat intelligence can significantly influence the ability to detect and respond to incidents, as well as proactively hunt for potential threats. It can also aid C-level executives and board members in gaining a deeper understanding of the current threat landscape and its potential impact on business operations.
“Ultimately, threat intelligence is an input into the security function of an organization, that when properly used and disseminated to the right stakeholders within the organization, helps mitigate business risk,” McNamara said.
Perhaps the most important finding in the Mandiant report is the communication gap between key stakeholders. It’s unlikely that security teams openly admit they make decisions without adequate intelligence insight. But what if they did? What if they clearly outlined the problem and led the charge to come up with solutions?
Remember, threat intelligence saves time, reduces risk and minimizes costs. These are things all board members, investors, CEOs and security leaders want. So why not go all in and take advantage of threat intelligence?
The IBM Security® X-Force® Threat Intelligence Index 2023 offers actionable insights to help you understand how threat actors are waging attacks and how to proactively protect your organization.