Report Reveals Growing Reliance on Threat Intelligence

Cybersecurity teams are relying on more — and more advanced — threat intelligence as they expand and improve their operations to counter mounting cyber risk. Threat intelligence is already used by virtually all the security professionals surveyed in a recent CyberRisk Alliance (CRA) report sponsored by Mimecast. Two-thirds of them say they will spend even more on threat intelligence in the coming year. And they are turning to more advanced, automated threat management, according to the report, titled “Threat Intelligence: Critical in the Fight Against Cyber Attacks, But Tough to Master.” 

By one estimate, global threat intelligence spending will double in the next five to eight years, to more than $20 billion annually.[1] The takeaways included below, on top-level threat intelligence attitudes and trends, represent the first installment in a three-part series on the CRA report’s findings.

Practical Uses of Threat Intelligence

Threat intelligence use cases are broken down in the CRA report across operational, technical, strategic, and tactical applications, as follows:

• Operational: Security teams use threat intelligence feeds in planning and executing day-to-day operations (cited by 70% in the survey).
• Technical: For 67% of respondents, threat intelligence helps focus their technical defenses based on the resources, tools, and other aspects of attackers’ exploits.
• Strategic: Over half (53%) use threat intelligence in communications with senior management for planning and budgeting.
• Tactical: Incident response is another priority, cited by 46% who apply threat intelligence when an attack occurs.

What’s Driving Growth in Threat Intelligence

Spending increases on threat intelligence are driven by several concerns, the top one being ransomware attacks (70%), followed by an expanded attack surface (55%). Increased use of email and collaboration platforms also is driving the growth of threat intelligence. 

Overarching goals for the increase in spending also vary. These include enabling security teams to make timely, informed decisions to prevent downtime due to an attack, for instance, and to stop the theft of confidential data. Cybersecurity leaders are also looking to threat intelligence to ease their teams’ workload and to increase their own confidence when investing in tools and solutions.

Sources of Threat Intelligence

The number of sources of threat intelligence used by security teams ranges widely, with some survey respondents reporting that they rely on only five to 10 sources while others use as many as 50. Some threat feeds are commercially available, while others are free or government-sponsored. Additional input comes from a team’s own cybersecurity tools. Among the data sources cited in the report:

• Malware analysis data (75%)
• Indicators of compromise (72%)
• Intrusion detection systems, firewalls, and endpoints (67%)
• Network traffic analysis packs and flow (62%)
• Incident response and live forensics (57%)
• Application logs (56%)
• Email or spreadsheets (55%)
• Information from the Dark Web (39%)
• Managed cybersecurity services (36%)
• Government and industry groups such as the U.S. Computer Emergency Readiness Team (34%)
• Media/news sources (33%)

Applying Intelligence Feeds

Threat intelligence contributes to a wide range of specific applications, according to survey participants, including:

• Security operations (70%)
• Vulnerability management (64%)
• Keeping leaders informed (53%)
• Incident response (53%)
• Fraud prevention (36%)
• Risk analysis (53%)
• Board reporting (16%)

Threat Intelligence Benefits

Security teams see the following benefits to threat intelligence feeds: 

• Securing the cyber environment and proactively configuring malware defenses, noted by 57% of those surveyed
• Real-time detection for quicker response (43%)
• Operating efficiencies and agility (28%)
• Better security posture and reduced risk (24%)
• Helping with tool investment and selection (4%)

Obstacles Preventing Full Implementation

Numerous challenges worry respondents as they expand their threat intelligence and management initiatives: 

• Limited staff resources and expertise in threat intelligence
• Budget and financial constraints
• Difficulty in automating threat response
• Elusiveness of actionable intelligence
• Data overload, excessive alerts, and false alarms
• Difficulty finding the best solution for rapid deployment and the greatest return on investment
• Complexity of integrating and deploying advanced technology such as artificial intelligence/machine learning

Integration and Automation Trending

Looking ahead, security leaders are making a big move toward automation, which is becoming a top strategic priority. They are integrating intelligence feeds as they move to integrate security tools and platforms. And they are introducing artificial intelligence and predictive analytics to improve threat intelligence insights, productivity, and economies of scale. In a Catch 22, however, many say that the current cybersecurity skills shortage makes it difficult to set up some of the very technologies that can automate threat management and reduce security teams’ workloads.

The Bottom Line

Security teams are increasing their reliance on threat intelligence as they recognize its many uses and benefits. Still, they face significant hurdles to realizing its full benefits, especially as they also move to embrace automation, artificial intelligence, and predictive analytics. Read more in the new CyberRisk Alliance report, “Threat Intelligence: Critical in the Fight Against Cyber Attacks, But Tough to Master.”

[1] “Threat Intelligence Market,” Emergen Research