CTI is developing, but there is a need to catch up in automation
The SANS Institute, the world’s leading provider of cyber security training and certification, has published the results of its Cyber Threat Intelligence Survey for 2022. Security experts from 200 organizations worldwide were interviewed. In the wake of supply chain attacks such as the incident at SolarWinds and massive security vulnerabilities such as Log4j, the respondents stated that they want to quickly put huge amounts of shared information into context and minimize cyber threats. Their goal is to obtain an overview and awareness of the threat situation. Cyber Threat Intelligence (CTI) has gained a place among the most important IT security measures in recent years.
The main results of the survey are:
- More and more companies are starting to develop their CTI skills, although this is often at an early stage and processes still need to be developed.
- Some promising trends from recent years, such as collaboration between CTI teams and other departments, have declined since the shift to working from home in response to the COVID-19 pandemic. Companies may find that coordination, which was already less intuitive when working on site before the pandemic, is now even more difficult.
- A notable 21 percent of respondents stated that they cannot measure whether their CTI program is actually valuable for their organization. This result highlights the need for more and better ways to measure the effectiveness of CTI programs, tools and their sources.
- Threat intelligence platforms are still not the main tool used by CTI teams – they are not in the top four places, with “spreadsheets/emails” once again at the top. One in two respondents still prefers self-developed CTI platforms. Providers of such platforms can certainly improve the analysts’ experience by understanding the use cases and better sharing the requirements between practitioners and vendors. However, an encouraging trend is the slight increase in commercial and open source CTI management platforms in terms of automation and integration.
The authors and SANS trainers Rebekah Brown and Pasquale Stirparo summarize the main results of the survey as follows: “CTI requires both collaboration and communication. The relocation of many workplaces to the home office, the increasing cyber threats and the high workload in the last two years have affected some key components of cooperation. Companies can address these factors through both processes and tools. You should check if you have lost communication channels with key stakeholders and find ways to rebuild these channels. In some cases, organizations may need additional tools to facilitate collaboration. Many CTI tools, such as TIPs, have built-in collaboration features that teams can check to see if they fit existing processes and workflows.”
“An interesting finding from the survey is that a high percentage of companies are still unable to measure the effectiveness of CTI programs, tools and sources. Accurately determining the value of an intelligence program allows teams to justify the need for more resources, new employees and new tools, as well as bring organizations and the industry to a higher level of maturity. This is a call to action, for both practitioners and vendors, to find better and easier ways to measure the success of CTI,” adds Cyrille Badeau, Vice President of International Sales at ThreatQuotient.
The survey was sponsored by Anomali, Cisco, Dragos, EclecticIQ, Infoblox, Team Cymru and ThreatQuotient.