The study sheds light on the evolution of Cyber Threat Intelligence (CTI) in cyber security and shows that CTI is maturing as a discipline.
In one of the clearest trends SANS has seen in the last three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities.
In 2018, 81% of respondents state their cyber threat intelligence implementations have resulted in improvements, compared to 78% in 2017 and 64% in 2016. In addition, the number of respondents who answered “unknown”, in other words, they didn’t feel they could answer the question confidently, has more than halved since 2016, jumping from 34% in 2016 to 21% in 2017, and now to only 15% in 2018.
What’s more, 68% of respondents say they have implemented CTI this year, and another 22% plan to introduce it in the future. Only 11% of companies have no plans to do so, falling from 15% in the previous year. This indicates that CTI is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response strategies.
“As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats,” says the survey’s author, Dave Shackleford, SANS Analyst and Senior Instructor.
CTI skill set in demand
However, finding skilled staff to operate CTI consoles is getting more difficult, according to this year’s report, despite the trends showing that CTI can play an important role in an organisation’s security strategy. In this year’s survey, 62% of respondents cite a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10% age points over 2017 (53%). This indicates that the more CTI is used and consumed, the more this skill set is in demand. It may therefore be much more difficult to find staff members who are experienced in setting up and operating CTI programs. Similarly, 39% cite a lack of technical ability to integrate CTI tools into the organizational environment.
Better visibility and improved security operations
As a result of their CTI program efforts, respondents report better visibility and improved security operations. For example, 71% indicate overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70% of participants report improved security operations, while 66% cite improved ability to detect previously unknown threats.
Responses to the 2018 survey reveal a growing emphasis on CTI being used for security operations tasks: detecting threats (79%), incident response (71%), blocking threats (70%) and threat hunting (a little further down the list at 62%). The survey responses indicate that threat intelligence is key in augmenting and improving firewall rules, network access control lists and reputation lists. Known sites and indicators associated with ransomware are then being shared through threat intelligence, allowing operations teams to quickly search for existing compromise and proactively block access from internal clients.
“Fortunately, many organizations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence. All of this has resulted in improvements in organizations’ abilities to improve security operations and detect previously unknown attacks,” Shackleford continues.
He summarises the results this way: “These results reinforce the trends we’re seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response.”