IntSights' Blog

Three Takeaways From The 2019 SANS Cyber Threat Intelligence Survey

by Nick Hayes / February 13, 2019

Last week, the SANS Institute published its 2019 Cyber Threat Intelligence (CTI) survey, and boy, did it contain some interesting nuggets! SANS surveyed CTI pros on a range of topics: current adoption of threat intel tools and feeds, how to connect CTI to business value, and common pain points many still face today.

I highly recommend you read the full findings from SANS (link above). But if you’re short on time, here are my three key takeaways, the best practices we can cherry-pick, and how I see the cyber threat intelligence industry evolving in 2019.

#1: CTI Lives And Dies On Its Value To Security

This report makes it crystal clear that threat intelligence drives value for security teams, security operations, and security strategy. In fact, a whopping 81% of respondents said their CTI efforts had meaningfully improved their security (prevention and detection) AND their incident response.

It’s great to see threat intelligence transition from conceptual and strategic to operational and tactical. There’s still a lot more work to do to keep CTI maturing in our respective organizations. But I expect this trend to gain momentum over the next year and beyond, as CTI embeds itself into even more cybersecurity use cases. CTI will morph from “nice-to-have” and “bolted-on” to “must-have” and “embedded” within the security technology stack.

#2: Threat Intelligence Leaders Must Drive Cross-Functional Interaction

One stat that shocked me was that only 14% of organizations seek out input from other departments as they set CTI requirements. Making matters worse, only 6% of threat intel teams have active members from other business units within the organization. Insulating threat intelligence programs is a critical error. We need to encourage diverse stakeholder participation from a variety of business and risk owners, both to ensure holistic coverage and response, and even more importantly, to garner broad, companywide support for CTI activities.

Brand security and customer trust must become core CTI objectives. Your organization’s digital footprint is innately connected to your business and your brand. Whether your tailored threat intel detects phishing and typosquatting, account takeovers, social media or mobile app impersonations, or exposed customer credentials, they are all connected to your brand, your people, and your valuable and sensitive data. These attributes and their associated metadata in turn inform your intelligence strategy, enrich context, and reduce noise from false positives.

#3: Operationalized Threat Intelligence Is The Future

Let me cite one of the takeaways from this year’s SANS CTI survey:

“Operationalizing narrative-based intelligence reports…is time-consuming for CTI analysts. A lack of automation for these reports makes them especially time-consuming.”

The mantra we must live by: insight to action. Keep repeating this, to yourself and your team. When intelligence is actionable, IoCs become outcomes and mitigation becomes automation.

Moreover, intelligence cannot be generic. As SANS finds, the more specific, the better:

“The more specific intelligence is, the better. Respondents report that intelligence on the general threat landscape is useful, but not as useful as intelligence specific to their industry, their brand and even their executives.”

Despite the clear value that actionable and tailored CTI offers, SOC and threat analysts struggle to consistently curate it. Automation and integration are the key here, which makes sense given that they are among the acute pain points threat teams struggle with today. When asked to rate their satisfaction with the gamut of CTI tool capabilities, respondents put “Automation and integration of CTI information” near the bottom of their lists, ranking it 11th out of 14 capability areas.

SANS CTI Satisfaction Table

Start Small, Add Scenarios Over Time

Perform a CTI gap analysis to evaluate your current CTI maturity. Then identify one or two use cases to roll out first, and ramp up the necessary proficiencies for those. For example, you might choose credential and data leakage detection as an initial CTI initiative. It’s a pervasive problem, one of the most common “goods” you can find on the dark web, and the mitigation procedures are relatively straightforward (compared to others).

There are lots of other good stats and findings from the 2019 SANS CTI Report. No matter your role or your department, I highly recommend reading through the report. I’m confident you’ll find something of value for your team in the year ahead! And please connect and continue the conversation with me on Twitter: @nickhayes10.

Nick Hayes

Nick Hayes is the VP of Strategy at IntSights Cyber Intelligence. Prior to IntSights, Nick was a senior analyst at Forrester Research where he advised security and business leaders at Fortune 500 and growth companies on cybersecurity strategy, technology adoption, and industry and technology market trends. During his time at Forrester, he pioneered the firm’s digital risk protection (DRP) research and authored more than 100 published reports and technology evaluations, covering a wide range of cybersecurity, risk, and threat intelligence domains. Some of Nick’s unique areas of expertise include social media weaponization, brand security, and threat detection, prevention, and response. Nick is a prominent speaker at leading industry events, such as RSA Conference, ISACA, Cybersecurity Chicago, and Forrester’s annual security and privacy conferences. He also makes appearances and is regularly cited in high-profile media outlets, including CSO Magazine, Dark Reading, Financial Times, NBC News, The Wall Street Journal, and VentureBeat, among others.