Seems like everyone is talking about threat intelligence these days. The feds are promoting public/private threat intelligence sharing across the executive and legislative branches while the industry is buzzing about threat intelligence feeds, sharing platforms, and advanced analytics.
Lots of talk about threat intelligence, but what’s really going on here? Is all of this talk real, or nothing but hot air? Most importantly, are enterprise organizations on board with threat intelligence or not?
I was very curious about threat intelligence myself, so I’ve spent the last 6 months or so doing research to answer these very questions. This effort culminated with the publication of a new ESG research report titled Threat Intelligence and its Role within Enterprise Cybersecurity Practices (note: I am an ESG employee).
As it turns out, large organizations get it, and a vast majority are actively building in-house threat intelligence programs. To be clear, most enterprises have been reviewing open source threat intelligence and purchasing commercial threat intelligence for years, but this was done on a haphazard basis by individual members of the cybersecurity team. Now they are investing in formal threat intelligence programs with a dedicated cybersecurity team tasked with collecting, processing, analyzing, and operationalizing internal and external threat intelligence from a growing number of sources.
So all of the industry focus on threat intelligence is absolutely appropriate, but there is a big caveat here – most enterprise threat intelligence programs are fairly immature today. In fact, formal threat intelligence programs have been in place for less than 2 years at 40% of enterprise organizations (note: ESG defines “enterprise” as organizations with more than 1,000 employees). Furthermore, only 43% of cybersecurity professionals consider their organization’s threat intelligence program “very mature,” while the other 57% describe their threat intelligence programs as “somewhat mature” or “immature.”
There are several implications associated with threat intelligence program immaturity that came to light in this research project:
- Threat intelligence programs remain hamstrung by manual processes. Collecting, processing, correlating, and analyzing threat intelligence is still a manual slog. So while threat intelligence programs are intended to improve cyber-threat awareness, analytics, and incident response, cybersecurity professionals spend a lot of time cutting and pasting data from emails, transforming data formats, and writing code.
- Operationalizing threat intelligence is a work in progress. Threat intelligence programs are intended to accelerate incident detection/response and automate remediation processes, but many organizations are still figuring out how to weave threat intelligence into things like communication, collaboration, risk scoring, and IT workflows. In my humble opinion, the government and industry are paying too much attention to threat intelligence technology and not enough to the ramifications of threat intelligence programs for the organization.
- Threat intelligence sharing is less mature than threat intelligence consumption. Yes, enterprises are sharing internally derived threat intelligence, but they are doing so on an ad hoc and informal basis – a phone call here, an email there, and so on. That said, many current enterprise threat intelligence programs are focused on consumption, not sharing. CISOs will need to get their own houses in order and operationalize internal threat intelligence programs first, before they move on to a systematic threat intelligence sharing model.
Threat intelligence nirvana is some type of peer-to-peer threat sharing collective where organizations connect on an as-needed basis, share threat intelligence about IoCs, TTPs, and threat actors, and exchange information about cyber-investigations, lessons learned, and effective remediation strategies. I too am bullish on this vision, but the ESG research clearly reveals that we have a long way to go.