Enterprise interest in threat intelligence (that is, the understanding of the “who,” “what,” and “how” of adversaries targeting enterprise assets) has grown considerably in recent years.
For instance, a recent Threat Intelligence Survey conducted by Enterprise Strategy Group (on behalf of BrightPoint Security) shows that 94 percent of enterprises find value in sharing cyberthreat intelligence data. However, not so surprisingly to those who have been watching, less than one-third of enterprises actually share such data regularly with peers or industry Information Sharing and Analysis Centers (ISACs). Except for a few successful ISACs, such as the one in the financial services industry, there has always been more interest in cross-organization information sharing than willingness to carry it out.
The Enterprise Strategy Group study is based on the answers of more than 300 IT and security professionals involved in the planning, implementation, and daily operations of their organization’s threat intelligence program.
Interest in cyberthreat intelligence isn’t just growing a little bit – it is growing considerably. A total of 72 percent of respondents said they would increase somewhat or significantly their spending on their overall threat intelligence program in the next year to year and a half.
Also coming in at 72 percent was the number of respondents who said that they will “collect and analyze significantly or somewhat more internal threat intelligence over the next 12 to 24 months.” Similarly, 55 percent plan to collect and analyze significantly or somewhat more external threat intelligence over the same period.
These ESG survey results echo the findings of a SANS Institute survey that was released earlier this year. That survey, Who’s Using Cyber threat Intelligence and How?, found:
- 27% indicated that their teams have fully embraced the concept of CTI and integrated response policies across systems and staff.
- 41% have partially embraced CTI concepts by applying some intelligence to monitoring and incident response processes, but also indicated that they have a long way to go for full integration into response procedures and systems.
- 16% haven’t implemented any procedures yet, but are aware of CTI and plan to start deriving and/or using intelligence in the next 12 months.
- 8% don’t currently use CTI and have no plans to adopt the concept.
- 7% aren’t aware of CTI at all.
The SANS survey was also small, with 326 qualified respondents, but 69 percent did report having implemented Cyber Threat Intelligence to “some extent.” Only 16 percent reported that they don’t have plans to implement CTI. A solid 64 percent said that they have a dedicated team, person, or services organization assigned to implement and monitor intelligence.
And they are finding value, both studies found. A full 75 percent in the SANS survey said that CTI was important to their security. Respondents are also integrating CTI into their security information and event management systems (55 percent); 54 percent use intrusion monitoring platforms; 76 percent gather intelligence from the security community; and 56 percent use intelligence from vendor-driven CTI feeds.