
Page 1: State of Threat Intelligence Studyf6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.c…Operationalizing Threat Intelligence .....11 2016 Threat Intelligence Agenda

State of Threat Intelligence Study

How Will Security Advance in the Data Center in 2016?

INSIDE

- Complete Survey Results

- Expert Analysis

- Insights from Jason Greenwood of ThreatTrack Security


Letter from the Editor

Actionable threat intelligence is the key to effective cyber threat detection and response. But how good is the threat intelligence organizations receive today? And how well are they able to put this intelligence to work to improve their cybersecurity?

These were the questions that spawned the State of Threat Intelligence Study, sponsored by ThreatTrack Security. Our goal with this research was to determine:

• The quality and accuracy of threat intelligence that organizations currently receive;

• Where and how enterprises are operationalizing this threat intelligence;

• The top TI investment priorities for 2016.

This survey was conducted online during the fall of 2015, and we had more than 130 respondents from financial organizations of all sizes.

Join me in a review of the full survey responses, and then let’s discuss how you can put this data to use to help improve your organization’s capabilities to operationalize threat intelligence.

Threat intelligence can be the difference between detecting an attack and being victimized by one. What’s the value of your organization’s intel?

Tom Field
Vice President, Editorial
Information Security Media Group

2 2016 State of Threat Intelligence Study



Table of Contents

Introduction ........................................ 2
By the Numbers ...................................... 4
Survey Results ...................................... 5
    Establishing the Baseline ....................... 5
    Current State of Threat Intelligence ............ 8
    Operationalizing Threat Intelligence ........... 11
    2016 Threat Intelligence Agenda ................ 16
Conclusions ........................................ 18
Survey Analysis .................................... 19

Insights from Jason Greenwood of ThreatTrack Security

ThreatTrack Security specializes in helping organizations identify and stop Advanced Persistent Threats (APTs), targeted attacks and other sophisticated malware designed to evade the traditional cyber defenses deployed by enterprises and government agencies around the world. With more than 300 employees worldwide and backed by Insight Venture Partners and Bessemer Venture Partners, the company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection.

Learn more at www.threattracksecurity.com

Sponsored by

About this survey:

This study was conducted online during the fall of 2015. More than 130 respondents participated from organizations of all sizes, primarily based in the U.S.


By the Numbers

Some standout figures from this survey.

• 52% of security leaders say their current threat intelligence is above average or superior.

• 57% say their abilities to operationalize threat intelligence in their cyber defenses are average or below.


Survey Results

Establishing the Baseline

In this opening section, the focus is on the adoption of threat intelligence by enterprises. And the responses bring good news as well as bad:

• 73 percent of organizations currently employ threat intelligence to improve incident detection or response.

• But 29 percent say their use of TI is challenged by either the sheer volume of data or lack of timely data.

Read on to learn more about respondents’ baseline answers.

Does your organization currently employ cybersecurity threat intelligence to improve incident detection and/or response?

• Yes: 73%
• No: 15%
• Not currently, but we have plans to employ threat intelligence: 7%
• I don't know: 5%

As organizations increasingly have shifted from a mindset of prevention to response, the use of threat intelligence has increased exponentially. The surprise here is not so much that 73 percent of survey respondents currently employ threat intelligence to improve incident detection or response – but rather that 27 percent are not.

How do you assess the value of the threat intelligence your organization currently uses to detect and/or respond to cybersecurity threats?

• Above average: 36%
• Average: 29%
• Superior: 16%
• Below average: 9%
• Incomplete: 9%
• Failing: 1%

Quantity of threat intelligence is rarely an issue. There is so much data available today from internal systems or feeds, as well as third-party tools and services. But how good is it? That’s the key question.

In this instance, 52 percent of respondents say their current TI is either above average or superior.

Yet, nearly as many – 48 percent – say their data is average or below. Clearly, TI is coming up short for nearly half of responding organizations. Subsequent responses will shed light on the perceived shortcomings.


Has your organization in the past year experienced a cybersecurity incident where threat intelligence played a significant role in detection and/or response?

• Yes: 42%
• No: 45%
• I don’t know: 13%

Despite the broad adoption of threat intelligence, only 42 percent of organizations say they have experienced a cybersecurity incident in the past year where TI played a significant role in detection or response.

Forty-five percent say they have not experienced such an incident, while 13 percent say they do not know.

If you answered “yes” to the previous question, what role did threat intelligence play in these incidents (check all that apply)?

• Good threat intel helped improve response: 51%
• Good threat intel helped improve detection: 49%
• I don't know: 22%

For those who do credit threat intelligence as playing a role in incident detection/response, roughly half of the respondents say that good threat intelligence helped improve detection or response.

Twenty-two percent indicate that bad TI actually impeded their detection.

What constitutes bad threat intelligence for an organization? Responses to the next question shed a bit of light.


What would you say is the single biggest deficiency of the threat intelligence upon which your organization currently relies?

• Lack of timely data: 15%
• Inability to manage the volume of data: 14%
• Lack of management support: 13%
• Lack of qualified personnel to review and interpret the data: 13%
• Inability to interpret and integrate intelligence within IT defenses: 8%
• Lack of technology to deploy threat intelligence within our IT environment: 8%
• Lack of qualified personnel to apply threat intelligence within our company's defenses: 6%

Respondents were asked to name the single biggest deficiency of the threat intelligence upon which their organizations currently rely. Top four responses: A lack of timely data; inability to manage the volume of data; lack of management support; and lack of qualified personnel to review and interpret the data.

With these baseline statistics as context, the report now will turn to the current state of threat intelligence within enterprises.


Current State of Threat Intelligence

In this section, the report views the sources and quality of threat intelligence that organizations receive, as well as how they use the data. Some standout statistics:

• 55 percent of respondents rate as average or below their ability to source actionable threat intelligence.

• Only 23 percent say they are highly confident in the quality and accuracy of their threat intelligence.

What are your current sources of threat intelligence?

• Threat intelligence gathered from open-source locations: 66%
• Internal analysis of our organization's IT environment: 59%
• Email lists and newsletters: 47%
• Threat intelligence provided by paid services: 41%
• Third-party solution providers: 39%
• Social media: 31%
• Threat intelligence library: 27%
• A dedicated threat intelligence service: 26%

As stated earlier, current sources of threat intelligence are abundant. What are the most common sources for organizations today? TI derived from open-source locations; internal analysis of the organization’s own IT environment; and email lists and newsletters.

Threat intelligence provided by paid services or third-party solution providers doesn’t even make the top three.

How often does your organization receive threat intelligence?

• Multiple times per day: 35%
• On at least a daily basis: 27%
• No set frequency: 16%
• On at least a weekly basis: 11%
• I don't know: 9%
• On at least a monthly basis: 2%


Frequency of threat intelligence is not a problem. More than one-quarter of organizations receive it on at least a daily basis, and more than one-third receive TI multiple times per day.

How do you assess your organization’s ability to source actionable threat intelligence?

• A - superior: 9%
• B - above average: 36%
• C - average: 35%
• D - below average: 10%
• F - failing: 5%
• I - incomplete: 5%

But, again, receiving threat intelligence is one thing. Getting good TI is quite another. Not even 10 percent of respondents rate as “superior” their organization’s current ability to source actionable threat intelligence.

Fifty-five percent of respondents assess their organizations at average or below.

How does your organization currently use threat intelligence (check all that apply)?

• To detect intrusions quickly: 68%
• To gain visibility into attackers and threat vectors: 62%
• Faster, more accurate response to intrusions: 54%

How do organizations currently use threat intelligence? Primarily to detect intrusions quickly, according to 68 percent of respondents. The other main uses: to gain visibility into attackers and threat vectors; and for faster, more accurate response to intrusions.


What is your confidence in the quality and accuracy of the threat intelligence your organization currently receives?

• Moderately confident: 51%
• Highly confident: 23%
• Low confidence: 15%
• No opinion: 8%
• No confidence: 3%

But how good are detection and response if organizations lack confidence in the quality and accuracy of threat data they receive?

Only 23 percent of respondents are highly confident in their threat intelligence. Twenty-six percent have low or no confidence or lack an opinion altogether.

In terms of being mission-critical to your organization, where do you rate threat intelligence alongside other technology solutions such as antivirus, intrusion detection, security incident event management and next-generation firewalls?

• Equally as critical as other solutions: 63%
• More critical than other solutions: 20%
• Less critical than other solutions: 17%

And yet despite this seeming conflict of faith, many organizations continue to hold threat intelligence in high regard. Asked how they rate TI alongside solutions such as antivirus, intrusion detection and next-gen firewalls, 63 percent of respondents say “equally as critical as other solutions.”

Twenty percent say TI is even more critical than other solutions.

The next section of this report looks at organizations’ ability to employ threat intelligence within their cyber defenses.


Operationalizing Threat Intelligence

And here is where threat intelligence meets the road, so to speak. This is where survey respondents discuss how they operationalize the data they receive. Some telling statistics:

• 57 percent rate at average or below their organizations’ ability to operationalize threat intelligence within cyber defenses.

• The single biggest challenge: Too few employees to manage threat intelligence on a timely basis.

How do you assess your organization’s ability to operationalize, or employ threat intelligence within its cyber defenses?

• A - superior: 9%
• B - above average: 34%
• C - average: 36%
• D - below average: 12%
• F - failing: 5%
• I - incomplete: 4%

It is something of a red flag to see that at a time when organizations say they realize the critical value of threat intelligence, only 43 percent rate as above average or superior their organizations’ ability to employ that data in current defenses.

More concerning: 57 percent of respondents assess their organizations’ ability at average or below.

Where is your organization challenged to operationalize, or employ threat intelligence within its defenses (check all that apply)?

• Too few employees to manage threat intelligence on a timely basis: 58%
• We lack the tools or skills to employ threat intelligence quickly enough to be effective: 31%
• Threat intelligence is not reviewed frequently enough: 28%
• We lack the tools or skills to sufficiently validate threat intelligence: 28%
• We are unable to integrate threat intelligence properly in our current detection/response tools: 26%
• Threat intelligence is not sufficiently accurate: 20%


Why are organizations so challenged to operationalize threat intelligence? There is not one answer, but several. For one, a majority of organizations employ too few people who can manage threat intelligence on a timely basis. But also roughly one-third of organizations lack the tools and skills to work quickly, and just over one-quarter say threat intelligence is not reviewed frequently enough.

How often does your organization review threat intelligence?

• Multiple times per day: 30%
• On at least a daily basis: 28%
• No set frequency: 22%
• On at least a weekly basis: 11%
• I don't know: 6%
• On at least a monthly basis: 3%

How often is threat intelligence reviewed? Multiple times per day, according to 30 percent of respondents. But 42 percent do not review data on even a daily basis, and 22 percent have no set frequency whatsoever.

It is hard to operationalize data when your organization does not make time even to review it.

How many employees within your organization manage the sourcing, analysis and application of threat intelligence?

• 1 employee: 24%
• 2 to 5: 44%
• 6 to 10: 8%
• 11 to 20: 3%
• More than 20: 13%
• None: 8%

There has been a recurring theme about insufficient personnel. According to the survey, 68 percent of responding organizations have five or fewer employees managing the sourcing, analysis and application of threat intelligence. Seven percent have none at all.


What technology tools does your organization currently use to collect and analyze threat intelligence?

• SIEM tools: 23%
• Intrusion monitoring: 17%
• Our own management system: 13%
• Third-party management system: 12%
• We currently have no such tools: 11%
• Non-SIEM security analytics: 10%

As for the tools currently being used to collect and analyze this data, 23 percent of respondents rely on SIEM tools, while 17 percent utilize intrusion monitoring.

What steps does your organization currently take to validate the quality and accuracy of the threat intelligence it receives (check all that apply)?

• We rely on our third-party security provider to validate threat intelligence: 43%
• We conduct manual research on an ad-hoc basis: 39%
• We conduct manual research consistently: 29%
• We do not take any steps to validate threat intelligence: 15%

Speaking to validity of threat data, 43 percent of respondents say they rely on a third-party security provider to validate threat intelligence, while 39 percent say they conduct manual research on an ad-hoc basis. Twenty-nine percent conduct manual research consistently.


How long does it take to interpret and apply threat intelligence within your organization?

• I don't know: 29%
• Less than an hour: 18%
• Instantaneous. It's embedded in our third party's cyber defenses: 17%
• More than eight hours: 11%
• Between two and four hours: 10%
• One to two hours: 10%
• Between four and six hours: 5%

Timeliness clearly is an issue. Asked how long it takes to interpret and apply threat intelligence, only 18 percent say “less than an hour,” and 17 percent say it’s virtually instantaneous. For the rest it can take multiple hours – and 29 percent do not even know.

Given these clear challenges to employing timely data, the next section will review what organizations intend to do about the problem in 2016.


2016 Threat Intelligence Agenda

And now the report looks to the budget and investment priorities of the year ahead. One piece of good news:

• 99 percent of organizations expect to receive the same or additional funding for threat intelligence.

In the coming year, how much will your organization’s reliance on threat intelligence change?

• Increase slightly: 39%
• No change: 34%
• Increase significantly: 27%

No surprise here. No organization will reduce its reliance on threat intelligence in the year ahead. And 66 percent of respondents expect to increase their reliance.


How will your organization’s budget for threat intelligence change in the next year?

• No change: 47%
• Increase of 1-5 percent: 27%
• Increase of 6-10 percent: 13%
• Increase of 10-20 percent: 6%
• Increase of more than 20 percent: 5%
• Decrease: 2%

As for putting money where the mouths are, only one percent of respondents expect a decrease in budget allocated to threat intelligence. Fifty-one percent expect budget increases of anywhere from one percent to more than 20.


What will be your organization’s threat intelligence investment priorities? (check all that apply)

• New technology tools to operationalize data: 44%
• New technology tools to analyze data: 43%
• Enhanced skills for existing/new staff: 39%
• Additional sources of threat intelligence: 37%
• Additional staff to manage data: 37%
• More accurate sources of threat intelligence: 35%
• Third-party threat intelligence services: 26%

For budgeting priorities, respondents say their top three are: new technology tools to operationalize data (44 percent); new technology tools to analyze data (43 percent); and enhanced skills for existing/new staff (39 percent).

Which technology tools will your organization invest in to collect and analyze threat intelligence?

• SIEM tools: 25%
• Our own management system: 17%
• Third-party management system: 15%
• No investments planned: 12%
• Intrusion monitoring: 10%

Which new tools are prioritized in the year ahead? SIEM tools are cited by 25 percent of respondents, followed by proprietary management systems (17 percent) and third-party management systems (15 percent).

Only 12 percent of respondents say they have no further investments planned.

With all of this information as context, the next section presents a set of conclusions about the survey results.

Then Jason Greenwood of survey sponsor ThreatTrack offers expert analysis of how to put these results to work to improve the employment of threat intelligence at all organizations.


Conclusions

The message from the cumulative survey results is clear: Security leaders understand the business value of operationalizing threat intelligence to improve their organizations’ security postures. But nearly half lack confidence in the accuracy and quality of TI they receive, and more than half are concerned about their abilities to put this intel to work.

Resources are available to bolster the use of threat intelligence in 2016. Here are some considerations for committing those new resources:

It Starts at the Source

It doesn’t matter what new tools or skills you invest in if you’re starting with bad data or too many false alarms. The first step toward operationalizing threat intelligence is to re-evaluate the current sources – homegrown, as well as third-party. Are you getting timely, accurate data, and is it giving you proper context to reduce false-positives and focus on true indicators of compromise? How often is the data updated? The further you are from real-time feeds, the further you are from being able to respond appropriately.

It’s All About Context

As ThreatTrack’s Jason Greenwood points out in our survey analysis, threat intelligence has to be more than just a flood of data about potential indicators of compromise. You need context. Sandboxing tools and behavioral analytics can help put this raw data in context and elevate the right alerts to the right level of scrutiny. It’s about finding needles in haystacks, and data alone is not sufficient. You need the tools and skills to view the data in context.

Automation is the Key to Operation

At a time when the entire security sector struggles to recruit, train and retain qualified personnel, it can be intimidating to even think about creating new positions that require experience in data science and advanced analytics. Here is where the technology can help. Improving automation of data monitoring and analysis can enhance the organization’s ability to operationalize threat intelligence. And ThreatTrack’s Greenwood says these same tools can enhance the skills of your existing staff. “The tools will help develop the skills,” he says, “but they’ll also make the people that we have now a lot more efficient and effective in doing their job.”
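As an added example (not code from the report or from ThreatTrack), the following Python script applies the three considerations above to a constructed indicator feed: it scores each source for timeliness and context coverage, and then automates the disposition of each indicator as block, monitor or hold, which mirrors the monitor-first deployment Greenwood describes in the survey analysis. The JSON Lines format, the field names (feed, category, confidence, updated), the thresholds and the sample records are all assumptions made for this illustration; the addresses and names come from documentation ranges and point at nothing real.

```python
"""Check threat-intelligence feeds for timeliness and context, then decide how
each indicator is deployed (block / monitor / hold).

Added example, not code from the report or from ThreatTrack. The JSON Lines
feed format, the field names, the thresholds and the sample records are all
constructed for illustration.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds are assumptions; tune them for your environment.
STALE_AFTER = timedelta(hours=24)    # feed is stale if its newest record is older than this
MIN_CONTEXT_COVERAGE = 0.75          # share of a feed's records that must carry context
BLOCK_MIN_CONFIDENCE = 80            # automated blocking needs high confidence plus a category
MONITOR_MIN_CONFIDENCE = 50          # lower confidence only raises alerts for an analyst

# Constructed sample feed (one JSON object per line). Addresses and names are
# documentation ranges (RFC 5737 / RFC 2606), so nothing here is a real indicator.
SAMPLE_FEED = """
{"feed": "vendor-a", "type": "ipv4", "value": "203.0.113.10", "category": "c2", "confidence": 90, "updated": "2016-01-10T09:30:00Z"}
{"feed": "vendor-a", "type": "domain", "value": "bad.example.net", "category": "phishing", "confidence": 65, "updated": "2016-01-10T08:00:00Z"}
{"feed": "vendor-a", "type": "ipv4", "value": "198.51.100.7", "category": "scanner", "confidence": 40, "updated": "2016-01-09T12:00:00Z"}
{"feed": "mailing-list", "type": "domain", "value": "old.example.org", "category": null, "confidence": null, "updated": "2015-12-20T00:00:00Z"}
{"feed": "mailing-list", "type": "ipv4", "value": "192.0.2.44", "category": "scanner", "confidence": 85, "updated": "2015-12-28T00:00:00Z"}
"""


@dataclass
class Indicator:
    feed: str
    type: str
    value: str
    category: Optional[str]
    confidence: Optional[int]
    updated: datetime

    @property
    def has_context(self) -> bool:
        # "Context" here means the record says what the indicator is and how sure the source is.
        return self.category is not None and self.confidence is not None


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(text: str) -> List[Indicator]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        records.append(Indicator(raw["feed"], raw["type"], raw["value"],
                                 raw.get("category"), raw.get("confidence"),
                                 parse_timestamp(raw["updated"])))
    return records


def assess_feeds(records: List[Indicator], now: datetime) -> Dict[str, dict]:
    """Per-source quality report: how fresh the feed is and how much context it carries."""
    by_feed: Dict[str, List[Indicator]] = {}
    for rec in records:
        by_feed.setdefault(rec.feed, []).append(rec)
    report = {}
    for feed, recs in by_feed.items():
        newest = max(r.updated for r in recs)
        age = now - newest
        coverage = sum(r.has_context for r in recs) / len(recs)
        report[feed] = {
            "count": len(recs),
            "newest_age_hours": age.total_seconds() / 3600,
            "context_coverage": coverage,
            "stale": age > STALE_AFTER,
            # Only a timely feed with enough context is allowed to drive defences.
            "usable": age <= STALE_AFTER and coverage >= MIN_CONTEXT_COVERAGE,
        }
    return report


def disposition(ind: Indicator, feed_report: Dict[str, dict]) -> str:
    """block = push to a blocking control; monitor = alert-only (IDS watch);
    hold = do not deploy, route to an analyst."""
    if not feed_report[ind.feed]["usable"] or not ind.has_context:
        return "hold"
    if ind.confidence >= BLOCK_MIN_CONFIDENCE:
        return "block"
    if ind.confidence >= MONITOR_MIN_CONFIDENCE:
        return "monitor"
    return "hold"


def run_sample(now_iso: str = "2016-01-10T10:00:00Z") -> dict:
    """Evaluate the constructed feed as of the given time; returns the feed report and per-indicator decisions."""
    now = parse_timestamp(now_iso)
    records = parse_feed(SAMPLE_FEED)
    feeds = assess_feeds(records, now)
    decisions = {rec.value: disposition(rec, feeds) for rec in records}
    return {"feeds": feeds, "dispositions": decisions}


if __name__ == "__main__":
    result = run_sample()
    for feed, info in result["feeds"].items():
        print(f"{feed}: {info}")
    for value, action in result["dispositions"].items():
        print(f"{action:8s} {value}")
```

Run as-is, the script holds back everything from the stale mailing-list feed, blocks only the high-confidence, categorized indicator from the fresh vendor feed, and sends the mid-confidence one to monitor-only. Moving the clock two days forward makes the vendor feed stale as well, so nothing is deployed automatically; that is the intended failure mode when a source stops updating.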

In the next and final section of this report, ThreatTrack’s Jason Greenwood analyzes the survey results and discusses how to put them to work to improve the way threat intelligence is collected, analyzed and operationalized.


Survey Analysis

Learning to Trust Your Intelligence

Insights from Jason Greenwood, Senior Vice President of Marketing, ThreatTrack

NOTE: In preparation of this report, ISMG’s Tom Field sat down with Jason Greenwood, Senior Vice President of Marketing, ThreatTrack, to discuss the survey results. Following is an excerpt of that conversation.

Surprising Confidence in TI

TOM FIELD: Jason, what’s your gut reaction to the survey results? What did you find either validating or maybe surprising?

JASON GREENWOOD: I was really surprised by the number of respondents that had a moderate or high confidence in their threat intelligence. Even more surprising than the high level of confidence they have in their threat intelligence is the fact that less than 40 percent actually have operationalized it. I’ve met a lot of people who don’t have nearly that level of confidence, which could correlate with the low percentage of respondents who have operationalized this intelligence in which they have such high confidence.

Operationalizing Intel

FIELD: It also struck me that respondents struggle with being able to operationalize their TI. How does that gibe with what you typically see in the industry?

GREENWOOD: I think that’s exactly right. They do value it, but since they’re not operationalizing it, it’s actually bringing rise to a whole new set of technologies. If you look out there and see some of these threat intelligence platform providers – they don’t do threat intelligence on their own at all, but they take feeds from a lot of different threat intel sources and they’re able to ingest it, correlate it, and then push that back out to other security appliances in order to operationalize it. So you’re seeing a lot of growth in that industry today, and we’ll continue to see that grow over time.

What’s Wrong with the Data?

FIELD: In your experience, what do you see as the biggest deficiencies in the threat intelligence that most organizations currently receive?

GREENWOOD: Threat intelligence can be pretty broad, whether you’re talking about individual indicators of compromise or the threat actors, the toolkits and the procedures that they use. When talking about operationalizing inside security products, people typically are talking about IOCs, and there are a couple different problems with them. You’re either looking at a very large quantity of IOCs, and those typically have a lot of false positives in them, or you’re seeing smaller IOC sets that may not have all the contextual data around it, which really hampers what a security operator can do with that data.

Detection and Response

FIELD: From your experience, how do you see leading organizations employing threat intelligence to either detect or respond to incidents that occur?

GREENWOOD: Today most organizations that are able to operationalize threat intelligence do so a little hesitantly. They’ll put it into their security products, but they may not completely trust the information that’s in there, so they’ll deploy it inside of an IDS or something akin to that in order to monitor traffic to and from those indicators instead of blocking it. This will allow them to flag something they see as suspicious and maybe escalate that issue or take it out to a security analyst to investigate. That’s really kind of where most organizations are today.

As they get more contextual data and can wrap other categorization and things around those threat indicators, I think you’ll start to see organizations having greater trust in that data and may be able to block it in a more automated fashion in the future.

Best Data Sources

FIELD: What do you find to be today’s best sources of threat intelligence, and in your opinion, how frequently should organizations be receiving updates? It seems sort of all over the map in our survey results.

GREENWOOD: Going back to the idea of metadata or other sources of information wrapped around that threat intelligence, the best sources of data are the ones that come with ample contextual data – not just individual IOCs, but data about the categorization, the degree of badness, the likelihood that the information is accurate. The contextual information wrapped around an individual threat intelligence indicator provides a lot of valuable information for the security operator and for the company. As far as updates are concerned, the best feeds are real-time ones. You may have some feeds that are updated daily, even weekly or monthly, but to provide the best protection for this fast-moving threat environment, you need feeds that update in real time.

Maturity of Threat Intel

FIELD: This isn’t something we necessarily got into in the survey, but I’m curious from your perspective: What do you see as the maturity of threat intelligence today? I’ve always heard criticism in the past about false positives and subpar intelligence, but my gut is that these problems have been refined over the past couple of years.

GREENWOOD: It’s definitely come a long way and has matured quite a bit. Historically, we’ve been trying to get ahold of every single piece of available data, but in recent years we’ve focused more on correlating that data, bringing in the context of that data, and making it available in a way that can be more easily operationalized. So I think the quality is definitely going up, although overall, the industry still has a long way to go.

Accuracy and Quality

FIELD: We talked early on about the respondents’ confidence in threat intelligence and the number who were moderately or highly confident. What’s your confidence in the accuracy and quality of intelligence that organizations most commonly receive?

GREENWOOD: It varies greatly, both in quantity and quality, across all different types of threat intelligence. Companies need to work really hard on the specific requirements their organizations need, the types of threat intel they are able to ingest, and how they will correlate it. What types of information do they have? Are they doing their own behavioral analysis of malicious code? Are they able to combine the threat intelligence they’re generating within their own networks and their own operations with open-source threat intelligence to make it more valuable and meaningful to the organization? I think it varies greatly, but there are ways companies can look at what they can do to help minimize those false positives and really have a positive impact on their security posture.

Trusting the Intelligence

FIELD: Let’s go back to this topic of operationalizing threat intelligence. Where do you see organizations struggle most in this area?

GREENWOOD: It really comes down to the trust level. Can they trust the threat intelligence to be completely accurate? If they can’t, it really puts limits on what they’re willing to do with that information. Therefore, they struggle to operationalize it because they can’t completely trust it, which goes back to vetting both external sources and their internal sources. It also relates to the manpower required to do that type of vetting.

FIELD: What do you believe would help organizations most in this effort to operationalize threat intelligence and to have that trust?

GREENWOOD: If organizations are able to generate a threat intelligence feed that combines outside TI with the TI they generate, usually through sandboxing technologies and their own behavioral analysis, they can trust and operationalize it. That would go a long way to building that trust and allowing them to be able to operationalize it more across all of their security sites.

Tools & Skills

FIELD: What are the key tools and skills that organizations need to maximize the value of the threat intelligence that they receive?

GREENWOOD: Organizations really need to invest in robust analysis and detection engines, like sandboxing technologies, that allow for deep-packet inspection of malicious code. They also need to invest in the people with expertise to use them. As you know, these people are harder and harder to find all the time.

FIELD: But at a time when we’re already strapped to fill basic information security positions, where are we going to find the skills to maximize threat intelligence?

GREENWOOD: That really is a tough question to answer, and you know the industry is working really hard to respond to this increased need by increasing training and certification programs for security experts. At the same time, security vendors are working equally hard to create tools that will make existing security operators much more efficient and effective in combating today’s threats.

FIELD: In other words, the tools can help us to develop these skills?

GREENWOOD: Yes, the tools will help develop the skills, and they’ll also make the people that we have now a lot more efficient and effective in doing their job. So as the threat moves and evolves, we’ll have the resources and tools to be able to process more and more of those threats and combat them in a more effective way.

Future Investments

FIELD: Jason, the respondents laid out for us pretty clearly what they intend to invest in for threat intelligence in the coming year. What’s your perspective on the investments that organizations say that they will make? Do you see them making some smart decisions, or would you make some other recommendations?

GREENWOOD: I think many organizations are on the right track. We’re really coming to grips with the reality that many of the systems across almost every organization in the world are compromised, and their perimeter defenses – even though they offer this layered approach to security – have been ineffective in keeping most persistent threats outside and away from their highest-value targets. So companies will likely invest more heavily in protecting critical assets, and they’ll do this by identifying solutions that don’t rely on keeping the bad guys outside of the network. These solutions will work hard to understand the types of behavior going on in their network and to differentiate between normal and abnormal behavior.

Put the Report to Work

FIELD: So we’ve thrown a lot of information at people today. How do you recommend that people put to work the results of our survey and the analysis, so they can make a difference in their own organizations?

GREENWOOD: I think they should start by really looking at the type of threat intelligence they currently receive. They need to vet what it provides, what it doesn’t provide, and how they’re using it and operationalizing it. And then they need to really understand what those requirements are going forward. I mentioned this before, but if they can have the ability to create their own threat intelligence through behavior analysis of malicious code and effectively combine that with other public sources or sources that they collect, this will give people the most relevant intel possible.


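The posture described in the interview above (deploy indicators in an IDS in monitor mode, escalate hits to an analyst, and block only once context and corroboration justify trusting the indicator) can be expressed as a small policy engine. The following is an added example written for this page; it is not code from the interview, ThreatTrack or ISMG. The indicator fields (category, severity as the "degree of badness", confidence, source, last_seen), the confidence and age thresholds, the feed names, and the connection-log format are all assumptions constructed for illustration, and a real deployment would tune them to its own feeds.

```python
"""Confidence-gated use of threat-intel indicators: alert vs. block.

Added example, not from the interview. An external feed is merged with
indicators produced by an internal sandbox, then a connection log is
matched against the merged set. Indicators the policy trusts are blocked;
everything else is only flagged for analyst review ("monitor, don't
block"). Feed names, thresholds and log lines are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Indicator:
    value: str           # IP address or domain
    category: str        # e.g. "c2", "phishing", "scanner"
    severity: int        # 1 (low) .. 5 (critical): the "degree of badness"
    confidence: int      # 0..100: how likely the indicator is accurate
    source: str          # feed or internal system that produced it
    last_seen: datetime  # when that source last observed it


@dataclass
class Merged:
    value: str
    category: str
    severity: int
    confidence: int
    sources: set = field(default_factory=set)
    last_seen: datetime = datetime.min


def merge_indicators(*feeds):
    """Collapse duplicate indicators across feeds, keeping the strongest
    context seen and the full set of sources that corroborate it."""
    merged = {}
    for feed in feeds:
        for ind in feed:
            m = merged.get(ind.value)
            if m is None:
                m = merged[ind.value] = Merged(ind.value, ind.category, ind.severity, ind.confidence)
            m.sources.add(ind.source)
            m.severity = max(m.severity, ind.severity)
            m.confidence = max(m.confidence, ind.confidence)
            m.last_seen = max(m.last_seen, ind.last_seen)
    return merged


def decide(m, now, max_age=timedelta(days=7), internal_sources=("sandbox",)):
    """Return "block", "alert" or "ignore" for one merged indicator.

    Policy (an assumption of this example, not a vendor recommendation):
    - indicators not refreshed within max_age never block, only alert;
    - blocking requires high confidence, real severity, and corroboration
      by at least two sources or by our own sandbox;
    - anything else with nonzero confidence is alerted for analyst review.
    """
    if m.confidence == 0:
        return "ignore"
    stale = now - m.last_seen > max_age
    corroborated = len(m.sources) >= 2 or any(s in m.sources for s in internal_sources)
    if not stale and m.confidence >= 80 and m.severity >= 4 and corroborated:
        return "block"
    return "alert"


def match_log(log_lines, merged, now):
    """Match constructed 'ts src dst' connection records against merged
    indicators; return (dst, action, sources) for each hit."""
    hits = []
    for line in log_lines:
        _ts, _src, dst = line.split()
        m = merged.get(dst)
        if m is not None:
            hits.append((dst, decide(m, now), sorted(m.sources)))
    return hits


# Constructed sample data (RFC 5737 addresses and .example names).
NOW = datetime(2016, 1, 15, 12, 0, 0)
EXTERNAL_FEED = [
    Indicator("198.51.100.7", "c2", 5, 90, "vendor-feed", NOW - timedelta(hours=1)),
    Indicator("203.0.113.9", "scanner", 2, 60, "vendor-feed", NOW - timedelta(days=1)),
    Indicator("192.0.2.44", "c2", 5, 95, "vendor-feed", NOW - timedelta(days=30)),  # stale
    Indicator("evil.example", "phishing", 4, 85, "osint-list", NOW - timedelta(hours=2)),
]
INTERNAL_FEED = [  # produced by our own sandbox detonations
    Indicator("198.51.100.7", "c2", 5, 99, "sandbox", NOW - timedelta(minutes=30)),
    Indicator("dropper.example", "c2", 4, 85, "sandbox", NOW),
]
LOG = [
    "2016-01-15T11:58:01 10.1.1.5 198.51.100.7",
    "2016-01-15T11:58:02 10.1.1.6 203.0.113.9",
    "2016-01-15T11:58:03 10.1.1.7 192.0.2.44",
    "2016-01-15T11:58:04 10.1.1.8 evil.example",
    "2016-01-15T11:58:05 10.1.1.9 dropper.example",
    "2016-01-15T11:58:06 10.1.1.10 203.0.113.250",
]


def run_example():
    return match_log(LOG, merge_indicators(EXTERNAL_FEED, INTERNAL_FEED), NOW)


if __name__ == "__main__":
    for dst, action, sources in run_example():
        print(f"{action:5} {dst:16} corroborated by {', '.join(sources)}")
```

Running it blocks the C2 address seen by both the vendor feed and the sandbox and the sandbox-only dropper domain, while the low-confidence scanner, the 30-day-old C2 address, and the single-source phishing domain are only alerted; the unknown destination produces no hit. The point is that the same feed yields different actions depending on the context and corroboration attached to each indicator rather than on the IOC alone.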

State of Threat Intelligence Study Results Webinar
Presented by Tom Field and Jason Greenwood


REGISTER NOW: http://www.inforisktoday.com/webinars/2016-state-threat-intelligence-study-w-897


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways: researching a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact: (800) 944-0401
[email protected]