Integration: The Core Challenge of Threat Intelligence 

The integration of cyber threat intelligence — a top priority on most security teams — is proving difficult to achieve, according to a recent survey. A mere 17% of security professionals are very satisfied with their ability to correlate the data coming from a growing profusion of security products and services.[1]

Most companies are spending more this year to integrate and otherwise improve their threat intelligence capabilities. They know there’s a lot at stake — and not just the speed at which their security teams can detect and respond to cyberattacks. Integration also lays the foundation for automating cybersecurity operations, which is another top priority as the volume, variety, and velocity of threat feeds is overwhelming the security analysts on their teams.

Money alone may not solve the integration problem, though. Amid today’s cybersecurity skills shortage, the top challenge CISOs cite in using threat intelligence effectively is hiring someone capable of setting up integrated systems and automated processes.

These and other findings come from a new CyberRisk Alliance (CRA) report, “Threat Intelligence: Critical in the Fight Against Cyber Attacks, But Tough to Master,” sponsored by Mimecast. Cybersecurity vendors like Mimecast are rising to the challenge by providing third-party integration with technology partners’ offerings to enable threat data collection and application across the range of cybersecurity defenses.

This article is the third in a three-part series on the CRA report’s findings on threat intelligence attitudes and trends.

Integrating Cyber Threat Intelligence

Nearly six in 10 survey respondents (59%) already integrate at least some of their cyber threat intelligence as part of their cyber strategy, according to the CRA report, with another 28% planning to do so in the future. Many use a dedicated threat intelligence platform for this.

The integration of cyber threat intelligence is a key aspect of a growing move to tame the “tool sprawl” that characterizes many companies’ cyber programs, due to reliance on dozens of security solutions. Mimecast’s just-released State of Email Security 2023 (SOES 2023) report corroborates the CRA’s findings, with 81% of SOES 2023 respondents expressing a preference for using integrated security ecosystems. Their top driver, they said, was improved detection of threats. Then as the analytical capabilities of artificial intelligence and machine learning (AI/ML) are added, which about half of SOES 2023 respondents said they have started to do, threat intelligence becomes more actionable and responses to threats can be automated.

Mapping the Types of Threat Intelligence Used

Participants in the CRA survey gave insight into the types of intelligence that feed into their management of threats:

• Security systems data: 67% (from intrusion detection systems, firewalls, endpoints, etc.)
• Network traffic analysis: 62%
• Incident response and live forensics: 57%
• Application logs: 56%
• Email: 55%
• Dark web: 39%
• Managed security service provider logs: 36%
• Feeds from security groups: 34% (such as the U.S. Computer Emergency Response Team, or US-CERT)
• Media/news sources: 33%
• Sandbox detonation: 27% (as indicators of compromise are safely disarmed)
• Honey pots: 19% (as attackers are lured by a virtual trap)

Another survey, by the Ponemon Institute, listed the most desirable features of integrated threat data, including:[2]

• Management of signatures, rules, and queries, including integration with intrusion detection and prevention systems.
• Integration with malware analysis automation, such as isolating anomalies in a sandbox.
• Providing workflow management/prioritization for analyst teams.

Systems that manage threat intelligence and response include the following options, as well as dedicated threat intelligence platforms — many of which may work in tandem: endpoint detection and response (EDR), extended detection and response (XDR), security information and event management (SIEM), and security orchestration and response (SOAR). Mimecast’s email security offerings, in turn, integrate into many such systems.

The Benefits of Integrating Intelligence Feeds

Integration delivers several benefits, including:

• Ease of use
• Faster identification of attacks
• Streamlined investigations
• Automation and simplification

Yet Integration Is Challenging

One CRA survey respondent described their top challenge in integrating intelligence feeds as “finding the correct people and building processes to help make this effective.” In fact, one-third of respondents cited a lack of skills as a barrier to effective threat intelligence.

One in five also cited the inability of their legacy tools to integrate well into more advanced systems. “The age of this equipment does not allow for integration,” one security professional said.

Assessing the relevance of open-source intelligence feeds from groups such as US-CERT presents smaller companies with a different sort of problem. “Much of it is centered on government, defense, or other large corporate targets. We have a different threat profile,” said another. 

At the same time, one-third of security professionals cited the changing threat landscape. One survey respondent observed, “It’s the vast amount of threats that have escalated … and also keeping up with the massive amount of patching.”

The Information Systems Security Association (ISSA) suggests developing a three-year strategy. “A security technology architecture may take years to establish as security teams replace point tools, consolidate vendors, and integrate technologies,” ISSA said in a recent report. “This process should start with a solid three-year plan that details the current security stack/architecture, defines gaps, and specifies project phases for addressing weaknesses.”[3]

The Bottom Line

Security professionals agree that integrating cyber threat intelligence is a priority to improve their odds against mounting cyberattacks. Many are investing in the means to do so, but challenges like finding skilled professionals to implement the integration often stand in their way. Vendors like Mimecast are helping surmount such obstacles, integrating with technology partners to help customers create security ecosystems that benefit from integrated cyber threat intelligence. For more, read the CyberRisk Alliance (CRA) report, “Threat Intelligence: Critical in the Fight Against Cyber Attacks, But Tough to Master.

[1] “XDR Poised to Become a Force Multiplier for Threat Detection,” CyberRisk Alliance

[2] “The State of Threat Feed Effectiveness in the U.S. and U.K.,” Ponemon Institute

[3] “Tech Perspectives from Cybersecurity Professionals,” Information Systems Security Association