When it comes to threat intelligence, there seem to be two primary focus areas in play: The threat intelligence data itself and the legislative rhetoric around threat intelligence sharing (i.e. CISA, CISPA, etc.). What’s missing? The answer to a basic question: How do organizations get actual value out of threat intelligence data and threat intelligence sharing in a meaningful way?
As it turns out, the answer to this question isn’t obvious and many enterprises continue to struggle as they seek to “operationalize” threat intelligence. In a recently published ESG research report titled, Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, ESG surveyed 304 cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees), and asked them to rate themselves in terms of their ability to operationalize threat intelligence (note: I am an ESG employee). The data indicates that:
- 19% say that their organization’s “ability to automate threat intelligence collection from external sources” is either fair or poor. In other words, security analysts are still collecting threat intelligence via email, spreadsheets, and cutting/pasting information from web-based sources. Obviously, these manual processes don’t scale.
- 19% say that their organization’s “ability to correlate different types of threat intelligence to gain additional context about threats” is either fair or poor. In this case, threat intelligence may offer clues but human beings are left to do the heavy lifting by investigating and analyzing the data on their own.
- 19% say that their organization’s “ability to act upon threat intelligence in a timely manner” is either fair or poor. Threat intelligence may add some value but it doesn’t seem to be helping them accelerate their security investigations.
This data is a good representation of the maturity level of most enterprise threat intelligence programs today. Organizations are collecting lots of internal security data, buying commercial threat intelligence feeds, and combing through open source threat intelligence, but still have problems when it comes to analyzing and operationalizing threat intelligence data for risk management or incident response. What about threat intelligence sharing? Alas, what Washington doesn’t seem to realize is that most enterprises are at least 12 to 24 months away from developing the business, legal, and technical processes to regularly share internal threat intelligence efficiently or effectively.
There are many technologies aimed at improving the operationalization of threat intelligence, vendors like BrightPoint Security, IBM, Norse, Splunk, Symantec, ThreatConnect, ThreatQuotient, ThreatStream, and Webroot come to mind. Unfortunately, most enterprises I speak with need more than tools alone. They need more fundamental help with the development of threat intelligence best practices, skills, processes, metrics, and workflows. Accenture, CSC, Deloitte, E&Y, HP, Lockheed, PWC, Raytheon, and Unisys could clean up here with the right mix of threat intelligence professional and managed services.