State of Threat Intelligence Study
How Will Security Advance in the Data Center in 2016?
INSIDE
- Complete Survey Results
- Expert Analysis
- Insights from Jason Greenwood of ThreatTrack Security
2016 State of Threat Intelligence Study
Letter from the Editor
Actionable threat intelligence is the key to effective cyber
threat detection and response. But how good is the threat
intelligence organizations receive today? And how well are
they able to put this intelligence to work to improve their
cybersecurity?
These were the questions that spawned the State of Threat Intelligence Study,
sponsored by ThreatTrack Security. Our goal with this research was to determine:
• The quality and accuracy of threat intelligence that organizations currently
receive;
• Where and how enterprises are operationalizing this threat intelligence;
• The top TI investment priorities for 2016.
This survey was conducted online during the fall of 2015, and we had more than 130
respondents from financial organizations of all sizes.
Join me in a review of the full survey responses, and then let’s discuss how you can
put this data to use to help improve your organization’s capabilities to operationalize
threat intelligence.
Threat intelligence can be the difference between detecting an attack and being
victimized by one. What’s the value of your organization’s intel?
Tom Field
Vice President, Editorial
Information Security Media Group
Table of Contents
Introduction
By the Numbers
Survey Results
  Establishing the Baseline
  Current State of Threat Intelligence
  Operationalizing Threat Intelligence
  2016 Threat Intelligence Agenda
Conclusions
Survey Analysis: Insights from Jason Greenwood of ThreatTrack Security
ThreatTrack Security specializes in helping organizations identify and stop Advanced Persistent Threats (APTs),
targeted attacks and other sophisticated malware designed to evade the traditional cyber defenses deployed by
enterprises and government agencies around the world. With more than 300 employees worldwide and backed
by Insight Venture Partners and Bessemer Venture Partners, the company develops advanced cybersecurity
solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced
threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time
threat intelligence service, and VIPRE business antivirus endpoint protection.
Learn more at www.threattracksecurity.com
About this survey:
This study was conducted online during the fall of 2015. More than 130 respondents participated from organizations of
all sizes, primarily based in the U.S.
By the Numbers
Some standout figures from this survey.
52% of security leaders say their current threat intelligence is above average or superior.
57% say their abilities to operationalize threat intelligence
in their cyber defenses are average or below.
Survey Results
Establishing the Baseline
In this opening section, the focus is on the
adoption of threat intelligence by enterprises.
And the responses bring good news as well as
bad:
• 73 percent of organizations currently employ threat
intelligence to improve incident detection or response.
• But 29 percent say their use of TI is challenged by either the
sheer volume of data or lack of timely data.
Read on to learn more about respondents’ baseline answers.
Does your organization currently employ cybersecurity threat intelligence to improve incident detection and/or response?
• Yes: 73%
• No: 15%
• Not currently, but we have plans to employ threat intelligence: 7%
• I don't know: 5%
As organizations increasingly have shifted from a mindset
of prevention to response, the use of threat intelligence has
increased exponentially. The surprise here is not so much
that 73 percent of survey respondents currently employ threat
intelligence to improve incident detection or response – but
rather that 27 percent are not.
How do you assess the value of the threat intelligence your organization currently uses to detect and/or respond to cybersecurity threats?
• Above average: 36%
• Average: 29%
• Superior: 16%
• Below average: 9%
• Incomplete: 9%
• Failing: 1%
Quantity of threat intelligence is rarely an issue. There is so
much data available today from internal systems or feeds, as
well as third-party tools and services. But how good is it? That’s
the key question.
In this instance, 52 percent of respondents say their current TI is
either above average or superior.
Yet, nearly as many – 48 percent – say their data is average or
below. Clearly, TI is coming up short for nearly half of responding
organizations. Subsequent responses will shed light on the
perceived shortcomings.
Has your organization in the past year experienced a cybersecurity incident where threat intelligence played a significant role in detection and/or response?
• Yes: 42%
• No: 45%
• I don’t know: 13%
Despite the broad adoption of threat intelligence, only
42 percent of organizations say they have experienced a
cybersecurity incident in the past year where TI played a
significant role in detection or response.
Forty-five percent say they have not experienced such an
incident, while 13 percent say they do not know.
If you answered “yes” to the previous question, what role did threat intelligence play in these incidents (check all that apply)?
51%
49
22
Good threat intel helped improve response
Good threat intel helped improve detection
I don't know
For those who do credit threat intelligence as playing a role in
incident detection/response, roughly half of the respondents
say that good threat intelligence helped improve detection or
response.
Twenty-two percent indicate that bad TI actually impeded their
detection.
What constitutes bad threat intelligence for an organization?
Responses to the next question shed a bit of light.
What would you say is the single biggest deficiency of the threat intelligence upon which your organization currently relies?
• Lack of timely data: 15%
• Inability to manage the volume of data: 14%
• Lack of management support: 13%
• Lack of qualified personnel to review and interpret the data: 13%
• Inability to interpret and integrate intelligence within IT defenses: 8%
• Lack of technology to deploy threat intelligence within our IT environment: 8%
• Lack of qualified personnel to apply threat intelligence within our company's defenses: 6%
Respondents were asked to name the single biggest deficiency
of the threat intelligence upon which their organizations
currently rely. Top four responses: A lack of timely data; inability
to manage the volume of data; lack of management support; and
lack of qualified personnel to review and interpret the data.
With these baseline statistics as context, the report now will turn
to the current state of threat intelligence within enterprises.
Current State of Threat Intelligence
In this section, the report views the sources and
quality of threat intelligence that organizations
receive, as well as how they use the data. Some
standout statistics:
• 55 percent of respondents rate as average or below their
ability to source actionable threat intelligence
• Only 23 percent say they are highly confident in the quality
and accuracy of their threat intelligence.
What are your current sources of threat intelligence?
• Threat intelligence gathered from open-source locations: 66%
• Internal analysis of our organization's IT environment: 59%
• Email lists and newsletters: 47%
• Threat intelligence provided by paid services: 41%
• Third-party solution providers: 39%
• Social media: 31%
• Threat intelligence library: 27%
• A dedicated threat intelligence service: 26%
As stated earlier, current sources of threat intelligence are
abundant. What are the most common sources for organizations
today? TI derived from open-source locations; internal analysis
of the organization’s own IT environment; and email lists and
newsletters.
Threat intelligence provided by paid services or third-party
solution providers doesn’t even make the top three.
How often does your organization receive threat intelligence?
• Multiple times per day: 35%
• On at least a daily basis: 27%
• No set frequency: 16%
• On at least a weekly basis: 11%
• I don't know: 9%
• On at least a monthly basis: 2%
Frequency of threat intelligence is not a problem. More than
one-quarter of organizations receive it on at least a daily basis,
and more than one-third receive TI multiple times per day.
How do you assess your organization’s ability to source actionable threat intelligence?
• A - superior: 9%
• B - above average: 36%
• C - average: 35%
• D - below average: 10%
• F - failing: 5%
• I - incomplete: 5%
But, again, receiving threat intelligence is one thing. Getting
good TI is quite another. Not even 10 percent of respondents
rate as “superior” their organization’s current ability to source
actionable threat intelligence.
Fifty-five percent of respondents assess their organizations at
average or below.
How does your organization currently use threat intelligence (check all that apply)?
• To detect intrusions quickly: 68%
• To gain visibility into attackers and threat vectors: 62%
• Faster, more accurate response to intrusions: 54%
How do organizations currently use threat intelligence?
Primarily to detect intrusions quickly, according to 68 percent of
respondents. The other main uses: to gain visibility into attacker
and threat vectors; and for faster, more accurate response to
intrusions.
What is your confidence in the quality and accuracy of the threat intelligence your organization currently receives?
• Moderately confident: 51%
• Highly confident: 23%
• Low confidence: 15%
• No opinion: 8%
• No confidence: 3%
But how good are detection and response if organizations
lack confidence in the quality and accuracy of threat data they
receive?
Only 23 percent of respondents are highly confident in
their threat intelligence. Twenty-six percent have low or no
confidence or lack an opinion altogether.
In terms of being mission-critical to your organization, where do you rate threat intelligence alongside other technology solutions such as antivirus, intrusion detection, security incident event management and next-generation firewalls?
• Equally as critical as other solutions: 63%
• More critical than other solutions: 20%
• Less critical than other solutions: 17%
And yet despite this seeming conflict of faith, many organizations
continue to hold threat intelligence in high regard. Asked how
they rate TI alongside solutions such as antivirus, intrusion
detection and next-gen firewalls, 63 percent of respondents say
“equally as critical as other solutions.”
Twenty percent say TI is even more critical than other solutions.
The next section of this report looks at organizations’ ability to
employ threat intelligence within their cyber defenses.
Operationalizing Threat Intelligence
And here is where threat intelligence meets
the road, so to speak. This is where survey
respondents discuss how they operationalize
the data they receive. Some telling statistics:
• 57 percent rate at average or below their organizations’ ability
to operationalize threat intelligence within cyber defenses.
• The single biggest challenge: Too few employees to manage
threat intelligence on a timely basis.
How do you assess your organization’s ability to operationalize, or employ threat intelligence within its cyber defenses?
• A - superior: 9%
• B - above average: 34%
• C - average: 36%
• D - below average: 12%
• F - failing: 5%
• I - incomplete: 4%
It is something of a red flag to see that at a time when
organizations say they realize the critical value of threat
intelligence, only 43 percent rate as above average or superior
their organizations’ ability to employ that data in current
defenses.
More concerning: 57 percent of respondents assess their
organizations’ ability at average or below.
Where is your organization challenged to operationalize, or employ threat intelligence within its defenses (check all that apply)?
• Too few employees to manage threat intelligence on a timely basis: 58%
• We lack the tools or skills to employ threat intelligence quickly enough to be effective: 31%
• Threat intelligence is not reviewed frequently enough: 28%
• We lack the tools or skills to sufficiently validate threat intelligence: 28%
• We are unable to integrate threat intelligence properly in our current detection/response tools: 26%
• Threat intelligence is not sufficiently accurate: 20%
Why are organizations so challenged to operationalize threat
intelligence? There is not one answer, but several. For one,
a majority of organizations employ too few people who can
manage threat intelligence on a timely basis. But also roughly
one-third of organizations lack the tools and skills to work
quickly, and just over one-quarter say threat intelligence is not
reviewed frequently enough.
How often does your organization review threat intelligence?
• Multiple times per day: 30%
• On at least a daily basis: 28%
• No set frequency: 22%
• On at least a weekly basis: 11%
• I don't know: 6%
• On at least a monthly basis: 3%
How often is threat intelligence viewed? Multiple times per day,
according to 30 percent of respondents. But 42 percent do not
review data on even a daily basis, and 22 percent have no set
frequency whatsoever.
It is hard to operationalize data when your organization does not
make time even to review it.
How many employees within your organization manage the sourcing, analysis and application of threat intelligence?
24%
44
8
3
13
8
1 employee
2 to 5
6 to 10
11 to 20
More than 20
None
There has been a recurring theme about insufficient personnel.
According to the survey, 68 percent of responding organizations
have five or fewer employees managing the sourcing, analysis
and application of threat intelligence. Seven percent have none
at all.
What technology tools does your organization currently use to collect and analyze threat intelligence?
• SIEM tools: 23%
• Intrusion monitoring: 17%
• Our own management system: 13%
• Third-party management system: 12%
• We currently have no such tools: 11%
• Non-SIEM security analytics: 10%
As for the tools currently being used to collect and analyze this
data, 23 percent of respondents rely on SIEM tools, while 17
percent utilize intrusion monitoring.
What steps does your organization currently take to validate the quality and accuracy of the threat intelligence it receives (check all that apply)?
• We rely on our third-party security provider to validate threat intelligence: 43%
• We conduct manual research on an ad-hoc basis: 39%
• We conduct manual research consistently: 29%
• We do not take any steps to validate threat intelligence: 15%
Speaking to validity of threat data, 43 percent of respondents
say they rely on a third-party security provider to validate threat
intelligence, while 39 percent say they conduct manual research
on an ad-hoc basis. Twenty-nine percent conduct manual
research consistently.
How long does it take to interpret and apply threat intelligence within your organization?
• I don't know: 29%
• Less than an hour: 18%
• Instantaneous. It's embedded in our third party's cyber defenses: 17%
• More than eight hours: 11%
• Between two and four hours: 10%
• One to two hours: 10%
• Between four and six hours: 5%
Timeliness clearly is an issue. Asked how long it takes to
interpret and apply threat intelligence, only 18 percent say “less
than an hour,” and 17 percent say it’s virtually instantaneous. For
the rest it can take multiple hours – and 29 percent do not even
know.
Given these clear challenges to employing timely data, the next
section will review what organizations intend to do about the
problem in 2016.
2016 Threat Intelligence Agenda
And now the report looks to the budget and
investment priorities of the year ahead. One
piece of good news:
• 99 percent of organizations expect to receive the same or
additional funding for threat intelligence.
In the coming year, how much will your organization’s reliance on threat intelligence change?
• Increase slightly: 39%
• No change: 34%
• Increase significantly: 27%
No surprise here. No organization will reduce its reliance
on threat intelligence in the year ahead. And 66 percent of
respondents expect to increase their reliance.
How will your organization’s budget for threat intelligence change in the next year?
47%
27
13
6
5
2
No change
Increase of 1-5 percent
Increase of 6-10 percent
Increase of 10-20 percent
Increase of more than 20 percent
Decrease
As for putting money where the mouths are, only one percent
of respondents expect a decrease in budget allocated to threat
intelligence. Fifty-one percent expect budget increases of
anywhere from one percent to more than 20.
What will be your organization’s threat intelligence investment priorities? (check all that apply)
• New technology tools to operationalize data: 44%
• New technology tools to analyze data: 43%
• Enhanced skills for existing/new staff: 39%
• Additional sources of threat intelligence: 37%
• Additional staff to manage data: 37%
• More accurate sources of threat intelligence: 35%
• Third-party threat intelligence services: 26%
For budgeting priorities, respondents say their top three are:
new technology tools to operationalize data (44 percent); new
technology tools to analyze data (43 percent); and enhanced
skills for existing/new staff (39 percent).
Which technology tools will your organization invest in to collect and analyze threat intelligence?
• SIEM tools: 25%
• Our own management system: 17%
• Third-party management system: 15%
• No investments planned: 12%
• Intrusion monitoring: 10%
Which new tools are prioritized in the year ahead? SIEM tools
are cited by 25 percent of respondents, followed by proprietary
management systems (17 percent) and third-party management
systems (15 percent).
Only 12 percent of respondents say they have no further
investments planned.
With all of this information as context, the next section presents
a set of conclusions about the survey results.
Then Jason Greenwood of survey sponsor ThreatTrack offers
expert analysis of how to put these results to work to improve
the employment of threat intelligence at all organizations.
Conclusions
The message from the cumulative survey results is clear: Security leaders
understand the business value of operationalizing threat intelligence
to improve their organizations’ security postures. But nearly half lack
confidence in the accuracy and quality of TI they receive, and more than
half are concerned about their abilities to put this intel to work.
Resources are available to bolster the use of threat intelligence in 2016. Here are some
considerations for committing those new resources:
It Starts at the Source
It doesn’t matter what new tools or skills you invest in if you’re starting with bad data or too many
false alarms. The first step toward operationalizing threat intelligence is to re-evaluate the current
sources – homegrown, as well as third-party. Are you getting timely, accurate data, and is it giving
you proper context to reduce false-positives and focus on true indicators of compromise? How
often is the data updated? The further you are from real-time feeds, the further you are from being
able to respond appropriately.
It’s All About Context
As ThreatTrack’s Jason Greenwood points out in our survey analysis, threat intelligence has to
be more than just a flood of data about potential indicators of compromise. You need context.
Sandboxing tools and behavioral analytics can help put this raw data in context and elevate the
right alerts to the right level of scrutiny. It’s about finding needles in haystacks, and data alone is not
sufficient. You need the tools and skills to view the data in context.
Automation is the Key to Operation
At a time when the entire security sector struggles to recruit, train and retain qualified personnel,
it can be intimidating to even think about creating new positions that require experience in data
science and advanced analytics. Here is where the technology can help. Improving automation
of data monitoring and analysis can enhance the organization’s ability to operationalize threat
intelligence. And ThreatTrack’s Greenwood says these same tools can enhance the skills of your
existing staff. “The tools will help develop the skills,” he says, “but they’ll also make the people that
we have now a lot more efficient and effective in doing their job.”
In the next and final section of this report, ThreatTrack’s Jason Greenwood analyzes the survey
results and discusses how to put them to work to improve the way threat intelligence is collected,
analyzed and operationalized.
Survey Analysis
Learning to Trust Your Intelligence
Insights from Jason Greenwood, Senior Vice President of Marketing, ThreatTrack
NOTE: In preparation of this report,
ISMG’s Tom Field sat down with
Jason Greenwood, Senior Vice
President of Marketing, ThreatTrack,
to discuss the survey results.
Following is an excerpt of that
conversation.
Surprising Confidence in TI
TOM FIELD: Jason, what’s your gut
reaction to the survey results? What
did you find either validating or maybe
surprising?
JASON GREENWOOD: I was really
surprised by the number of respondents
that had a moderate or high confidence
in their threat intelligence. Even
more surprising than the high level of
confidence they have in their threat
intelligence is the fact that less than 40
percent actually have operationalized it.
I’ve met a lot of people who don’t have
nearly that level of confidence, which
could correlate with the low percentage
of respondents who have operationalized
this intelligence in which they have such
high confidence.
Operationalizing Intel
FIELD: It also struck me that respondents
struggle with being able to operationalize
their TI. How does that gibe with what
you typically see in the industry?
GREENWOOD: I think that’s exactly right.
They do value it, but since they’re not
operationalizing it, it’s actually bringing
rise to a whole new set of technologies. If
you look out there and see some of these
threat intelligence platform providers –
they don’t do threat intelligence on their
own at all, but they take feeds from a
lot of different threat intel sources and
they’re able to ingest it, correlate it, and
then push that back out to other security
appliances in order to operationalize it.
So you’re seeing a lot of growth in that
industry today, and we’ll continue to see
that grow over time.
What’s Wrong with the Data?
FIELD: In your experience, what do
you see as the biggest deficiencies
in the threat intelligence that most
organizations currently receive?
GREENWOOD: Threat intelligence can
be pretty broad, whether you’re talking
about individual indicators of compromise
or the threat actors, the toolkits and the
procedures that they use. When talking
about operationalizing inside security
products, people typically are talking
about IOCs, and there are a couple
different problems with them. You’re
either looking at a very large quantity of
IOCs, and those typically have a lot of
false positives in them, or you’re seeing
smaller IOC sets that may not have all the
contextual data around it, which really
hampers what a security operator can do
with that data.
Detection and Response
FIELD: From your experience, how do
you see leading organizations employing
threat intelligence to either detect or
respond to incidents that occur?
GREENWOOD: Today most
organizations that are able to
operationalize threat intelligence do so
a little hesitantly. They’ll put it into their
security products, but they may not
completely trust the information that’s
in there, so they’ll deploy it inside of an
IDS or something akin to that in order
to monitor traffic to and from those
indicators instead of blocking it. This will
allow them to flag something they see
as suspicious and maybe escalate that
issue or take it out to a security analyst
to investigate. That’s really kind of where
most organizations are today.
As they get more contextual data and
can wrap other categorization and things
around those threat indicators, I think
you’ll start to see organizations having
greater trust in that data and may be able
to block it in a more automated fashion in
the future.
Best Data Sources
FIELD: What do you find to be today’s
best sources of threat intelligence, and
in your opinion, how frequently should
organizations be receiving updates? It
seems sort of all over the map in our
survey results.
GREENWOOD: Going back to the idea of
metadata or other sources of information
wrapped around that threat intelligence,
the best sources of data are the ones
that come with ample contextual data
– not just individual IOCs, but data
about the categorization, the degree
of badness, the likelihood that the
information is accurate. The contextual
information wrapped around an individual
threat intelligence indicator provides a lot
of valuable information for the security
operator and for the company. As far
as updates are concerned, the best
feeds are real-time ones. You may have
some feeds that are updated daily, even
weekly or monthly, but to provide the
best protection for this fast-moving threat
environment, you need feeds that
update in real time.
Maturity of Threat Intel
FIELD: This isn’t something we
necessarily got into in the survey, but
I’m curious from your perspective: What
do you see as the maturity of threat
intelligence today? I’ve always heard
criticism in the past about false positives
and subpar intelligence, but my gut is
that these problems have been refined
over the past couple of years.
GREENWOOD: It’s definitely come a
long way and has matured quite a bit.
Historically, we’ve been trying to get
ahold of every single piece of available
data, but in recent years we’ve focused
more on correlating that data, bringing
in the context of that data, and making it
available in a way that can be more easily
operationalized. So I think the quality is
definitely going up, although overall, the
industry still has a long way to go.
Accuracy and Quality
FIELD: We talked early on about the
respondents’ confidence in threat
intelligence and the number who were
moderately or highly confident. What’s
your confidence in the accuracy and
quality of intelligence that organizations
most commonly receive?
GREENWOOD: It varies greatly, both in
quantity and quality across all different
types of threat intelligence. Companies
need to work really hard on the specific
requirements their organizations need,
the types of threat intel they are able
to ingest, and how they will correlate it.
What types of information do they have?
Are they doing their own behavioral
analysis of malicious code? Are they
able to combine the threat intelligence
they’re generating within their own
networks and their own operations with
open-source threat intelligence to make
it more valuable and meaningful to the
organization? I think it varies greatly, but
there are ways companies can look at
what they can do to help minimize those
false positives and really have a positive
impact on their security posture.
Trusting the Intelligence
FIELD: Let’s go back to this topic of
operationalizing threat intelligence.
Where do you see organizations struggle
most in this area?
GREENWOOD: It really comes down to
the trust level. Can they trust the threat
intelligence to be completely accurate?
If they can’t, it really puts limits on what
they’re willing to do with that information.
Therefore, they struggle to operationalize
it because they can’t completely trust it,
which goes back to vetting both external
sources and their internal sources. It also
relates to the manpower required to do
that type of vetting.
FIELD: What do you believe would
help organizations most in this effort to
operationalize threat intelligence and to
have that trust?
GREENWOOD: If organizations are
able to generate a threat intelligence
feed that combines outside TI with
the TI they generate usually through
sandboxing technologies and their own
behavioral analysis, they can trust and
operationalize it. That would go a long
way to building that trust and allowing
them to be able to operationalize it more
across all of their security sites.
Tools & Skills
FIELD: What are the key tools and skills
that organizations need to maximize the
value of the threat intelligence that they
receive?
GREENWOOD: Organizations really need
to invest in robust analysis and detection
engines, like sandboxing technologies,
that allow for deep-packet inspection
of malicious codes. They also need to
invest in the people with expertise to use
them. As you know, these people are
harder and harder to find all the time.
FIELD: But at a time when we’re already
strapped to fill basic information security
positions, where are we going to find the
skills to maximize threat intelligence?
GREENWOOD: That really is a tough
question to answer, and you know the
industry is working really hard to respond
to this increased need by increasing
training and certification programs for
security experts. At the same time,
security vendors are working equally
as hard to create tools that will make
existing security operators much more
efficient and effective in combating
today’s threats.
FIELD: In other words, the tools can help
us to develop these skills?
GREENWOOD: Yes, the tools will help
develop the skills, and they’ll also make
the people that we have now a lot more
efficient and effective in doing their job.
So as the threat moves and evolves,
we’ll have the resources and tools to
be able to process more and more of
those threats and combat them in a more
effective way.
Future Investments
FIELD: Jason, the respondents laid out
for us pretty clearly what they intend
to invest in for threat intelligence in the
coming year. What’s your perspective on
the investments that organizations say
that they will make? Do you see them
making some smart decisions, or would
you make some other recommendations?
GREENWOOD: I think many
organizations are on the right track.
We’re really coming to grips with the
reality that many of the systems across
almost every organization in the world
are compromised, and their perimeter
defenses – even though they offer
this layered approach to security –
have been ineffective in keeping most
persistent threats outside and away
from their highest-value targets. So
companies will likely invest more heavily
in protecting critical assets, and they’ll
do this by identifying solutions that don’t
rely on keeping the bad guys outside
of the network. These solutions will
work hard to understand the types of
behavior going on in their network and
differentiating between normal and
abnormal behavior.
Put the Report to Work
FIELD: So we’ve thrown a lot of
information at people today. How do you
recommend that people put to work the
results of our survey and the analysis, so
they can make a difference in their own
organizations?
GREENWOOD: I think they should start
by really looking at the type of threat
intelligence they currently receive. They
need to vet what it provides, what it
doesn’t provide, and how they’re using
it and operationalizing it. And then
they need to really understand what
those requirements are going forward.
I mentioned this before, but if they can
have the ability to create their own threat
intelligence through behavior analysis of
malicious code and effectively combine
that with other public sources or sources
that they collect, this will give people the
most relevant intel possible.
State of Threat Intelligence Study Results Webinar
Presented by Tom Field and Jason Greenwood
http://www.inforisktoday.com/webinars/2016-state-threat-intelligence-study-w-897
902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com
About ISMG
Headquartered in Princeton, New Jersey, Information Security Media
Group, Corp. (ISMG) is a media company focusing on Information
Technology Risk Management for vertical industries. The company
provides news, training, education and other related content for risk
management professionals in their respective industries.
This information is used by ISMG’s subscribers in a variety of
ways — researching for a specific information security compliance
issue, learning from their peers in the industry, gaining insights into
compliance-related regulatory guidance and simply keeping up with
the Information Technology Risk Management landscape.
Contact: (800) 944-0401