A new report by the Information Security Forum (ISF) entitled Threat Intelligence: React and Prepare made headlines last month with its main finding that only 25% of companies surveyed felt that threat intelligence is delivering on its promise. While the findings in the report are all valid, pointing to threat intelligence and crying foul is an easy scapegoat. Nobody said threat intelligence was going to be easy; it is difficult for a number of reasons. But it also delivers tremendous value when it’s approached thoughtfully and strategically.
The following addresses some of the findings within the report.
90% said they would benefit from a single definition.
While most people have an understanding of threat intelligence (whether a deep-rooted knowledge or a high-level understanding), expecting a single definition is not realistic particularly given its complexity, varying degrees of industry expertise and skills. But perhaps the main reason we should not expect a single definition is because its ultimate objective differs widely – for less mature companies it’s providing situational awareness and for more mature shops it’s providing better situational understanding to validate their own internal intelligence. How you define it depends on what you need to address.
Only 8% said that they can find all the skills required for their threat intelligence capability.
The skills shortage impacts all aspects of cyber security, and threat intelligence probably feels the impact most strongly. Historically, intelligence has been a government and/or military practice, and even there a very selective discipline. The government saw a massive exodus as companies poached its intel teams (an indirect key takeaway from last week’s AFCEA Cyber Symposium). This led to mainstream companies hitting several early “cultural” hurdles while building intelligence programs, because companies were trying to force cultural uniformity through a symbiotic consensus approach, which is not what ex-military personnel are typically accustomed to. Having ex-military and government folks build threat intelligence programs within the culture and walls of non-government entities didn’t lend itself to optimal policies and procedures.
In addition to the pure lack of skilled professionals is the fact that building a rock-solid program around intelligence requires a 2-3 year roadmap with quarterly re-evaluation. Threat intelligence isn’t turnkey, as most companies want; it takes time. With both managers and analysts job-jumping at alarming rates, staying on course is a monumental obstacle. The job-jumping speaks directly to the supply and demand of the skilled resources available. Employers are offering significant pay bumps, sign-on bonuses, even large equity stakes to hire the right employees, only to see them poached by a larger organisation or a friend 10 months later.
Only 7% have achieved considerable integration of threat intelligence into their decision making and none have done so “fully.”
From a tactical standpoint, the industry is just beginning to wrap its arms around operationalising threat intelligence with some form of understanding and rhythm. Using intelligence to make strategic decisions that align with an organisation’s mission statement is likely 12-18 months away.
And finally, only 32% are using a formal process to manage their threat intelligence capability.
No wonder most organisations are failing to find value – being able to detect, respond, anticipate and prevent threats to your organisation is essential! From a tactical standpoint, the security team never really managed the sensor grid tools performing the block/detect/deny functions. This has been more the realm of the network engineers. With threat intelligence platforms (TIPs) and various orchestration capabilities this type of automation is knocking on the door and companies that answer can help to relieve their overburdened, lean staff while strengthening security posture.
Back to the number we started with: 25% of companies surveyed feel that threat intelligence is delivering on its promise. So what’s needed for the remaining 75% to start to get the value from threat intelligence? The first step is aggregating all the data they have into one manageable location and translating it into a uniform format to achieve a single source of truth. Then you can start augmenting it with context so that you can prioritise and use it to better protect your organisation now and in the future.
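As an added illustration of that first step (this is not code from the ISF report or from the author), the Python sketch below pulls two constructed feeds of differing shapes into one uniform record, merges duplicates into a single entry, and then scores each indicator with context such as corroboration across feeds, source confidence and internal sightings so it can be prioritised; the feed formats, the scoring weights and the sample values are all assumptions.

```python
import csv, io, json

# Constructed sample feeds in two different shapes (documentation-range
# addresses and an .invalid domain, not real indicators).
FEED_A_CSV = """indicator,type,source_confidence
203.0.113.10,ip,high
example.invalid,domain,medium
"""
FEED_B_JSON = json.dumps([
    {"value": "203.0.113.10", "kind": "ipv4", "tags": ["c2"]},
    {"value": "198.51.100.7", "kind": "ipv4", "tags": []},
])

# Map each feed's type names onto one uniform type set, and feed A's
# confidence labels onto a numeric scale (assumed weights).
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain"}
CONFIDENCE = {"high": 3, "medium": 2, "low": 1}


def normalise(feed_a_csv, feed_b_json):
    """Translate both feeds into one record shape keyed by (type, value), merging duplicates."""
    records = {}

    def upsert(value, itype, source, confidence, tags):
        key = (itype, value.strip().lower())
        rec = records.setdefault(key, {"type": itype, "value": key[1], "sources": set(),
                                       "confidence": 0, "tags": set()})
        rec["sources"].add(source)                      # remember every feed that reported it
        rec["confidence"] = max(rec["confidence"], confidence)
        rec["tags"].update(tags)

    for row in csv.DictReader(io.StringIO(feed_a_csv)):
        upsert(row["indicator"], TYPE_MAP[row["type"]], "feed_a", CONFIDENCE[row["source_confidence"]], [])
    for item in json.loads(feed_b_json):
        # Feed B carries no confidence field; treat it as medium (assumption).
        upsert(item["value"], TYPE_MAP[item["kind"]], "feed_b", CONFIDENCE["medium"], item["tags"])
    return records


def prioritise(records, internal_sightings):
    """Add context and rank: corroboration across feeds, confidence, a C2 tag, internal sightings."""
    ranked = []
    for rec in records.values():
        score = rec["confidence"] + (len(rec["sources"]) - 1)   # extra point per corroborating feed
        if "c2" in rec["tags"]:
            score += 2
        if rec["value"] in internal_sightings:
            score += 3                                          # seen on our own network: act first
        ranked.append((score, rec["type"], rec["value"]))
    return sorted(ranked, reverse=True)
```

The `internal_sightings` argument stands in for whatever your own logs or sensors have already observed; feeding that back in is what turns a raw aggregate into something an analyst can act on in order.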