The 2019 SANS CTI Survey Reveals the Evolution of Threat Intelligence Best Practices
Once an industry buzzword, Cyber Threat Intelligence (CTI) is now a critical resource for enterprise security. With each passing year, security professionals are becoming increasingly sophisticated in how they generate, collect, share, and use this information. For the fifth consecutive year, SANS Institute has surveyed the industry for insights into trends and best practices around CTI as a mechanism for detection, prevention, and response.
This year’s survey made clear that CTI is on an upward trajectory, both in the number of organizations using it and in the sophistication with which it is applied, including the evolution from a focus on raw threat data to strategic-level reports. It found that 86% of respondent organizations are leveraging cyber threat intelligence for threat detection, response, or both. And an increasing variety of information – including indicators of compromise, threat behaviors, adversary tactics, attack surface identification and strategic analysis of the adversary – is being used.
A few areas for improvement also emerged. Collaboration and threat information sharing are critical to unlocking the value of CTI. Information-sharing programs were recognized as valuable in a number of areas, including providing timely and relevant threat information, yet only 51% said they are collaborating in this way. There is also work to be done in better identifying and defining requirements, as only 30% of survey participants noted that they have their CTI requirements documented.
The SANS report details additional insights around how to staff a CTI function, improve collaboration, continue to build best practices, and identify knowledge gaps. The authors also recommend that security professionals embrace new applications and methods for utilizing CTI. Suggestions included strategic-level reports that provide threat details relevant to a specific organization, intelligence-driven hunting based on industry, and road mapping for user education. Organizations that continue to evolve their CTI practices in these ways will be in a strong position to drive measurable improvement in visibility over threat and attack methodologies, existing vulnerabilities, and areas of potential risk.
It is worth noting that another recent study, EMA Megatrends in Cybersecurity, reported that threat intelligence is an important area of focus for security professionals in the coming year. In the EMA survey, when asked “which of the following broad security initiatives are driving current priorities in your overall security program?” respondents ranked improving threat intelligence among the highest in the ‘expanding’ bucket, at 57%, with only 8% of companies not prioritizing threat intelligence in some way.
An infographic illustrating the 2019 SANS CTI Survey key findings can be found below. Tell us what you think, and how your organization is utilizing CTI and building toward better practices in the coming year.