Since the Ponemon Institute conducted the first study on threat intelligence sharing in 2014, organizations that use and exchange threat intelligence have been improving their security posture and their ability to prevent and mitigate the consequences of a cyberattack. As revealed in The Fourth Annual Study on Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, some 74 percent of respondents that had a cyberattack believe that the availability of timely and accurate threat intelligence could have prevented or mitigated the consequences of such an attack.
According to the 1,432 IT and IT security practitioners surveyed in North America, EMEA and Asia Pacific, the consumption and exchange of threat intelligence continues to increase, as shown in Figure 1. Despite the increase in the exchange and use of threat intelligence, more work needs to be done to improve the timeliness and actionability of the threat intelligence.
Following are 11 trends that describe the current state of threat intelligence sharing.
1. Satisfaction with the ability to obtain threat intelligence decreases slightly. This year, 40 percent of respondents say they are very satisfied or satisfied with the way their organizations obtain threat intelligence. This is a slight decrease from 41 percent of respondents in 2017. To increase satisfaction, threat intelligence needs to be more timely, less complex and more actionable.
2. Organizations do not have confidence in free sources of threat intelligence. Organizations pay for threat intelligence because it has proven effective in stopping security incidents and because they lack confidence in free sources of intelligence.
3. On a positive note, the accuracy of threat intelligence is increasing. However, the majority of organizations believe the timeliness and the actionability of threat intelligence are low.
4. The two main metrics are the ability to prioritize threat intelligence and its timely delivery. Other metrics are the ability to implement the threat intelligence and the number of false positives.
5. When it comes to measuring the ROI of their threat intelligence, 39 percent of respondents say their organizations calculate the ROI. The top ROI metrics organizations look at include the following factors: reduction in the dwell time of a breach, reduction in the number of successful breaches and faster, more effective incident response.
6. Timeliness of threat intelligence is critical but not achieved. Only 11 percent of respondents say threat intelligence is provided in real time and only 13 percent of respondents say threat intelligence is provided hourly.
7. Threat indicators provide valuable intelligence. Eighty-five percent of respondents say they use threat indicators. The most valuable types of indicators are malicious IP addresses and indicators of malicious URLs.
8. Most organizations either currently consolidate or plan to consolidate threat intelligence data from multiple solutions. However, 53 percent of respondents say their organizations mainly use manual processes to accomplish the consolidation.
9. With regard to how threat intelligence is used through the network, the majority of organizations are using it in IDS. Unified Threat Management (UTM) is usually a single security appliance that provides multiple security functions at a single point on the network. The use of UTMs has increased significantly since 2017.
10. Internal silos prevent more effective collaboration and the exchange of threat intelligence with other organizations. Only 40 percent of respondents say the collaboration between their organization and other companies in the exchange of threat intelligence is either very effective or effective.
11. The use of automated processes to investigate threats is gaining traction. Fifty-four percent of respondents, an increase from 47 percent of respondents, are using automated processes to investigate threats. There also has been a significant increase in the use of machine learning and AI since 2017.
To read the full report visit the Infoblox website.