EDITOR’S QUESTION
Is cyberthreat intelligence becoming increasingly important in the battle against cybercrime?
Report reveals that 62% of people say a lack of skilled cyberthreat intelligence (CTI) professionals is a major roadblock to implementation.
SANS, the largest and most trusted provider of cybersecurity training and certification to professionals worldwide, has released the results of its annual SANS 2018 Cyber Threat Intelligence Survey. The study sheds light on the evolution of Cyberthreat Intelligence (CTI) in cybersecurity and shows that CTI is maturing as a discipline.
In one of the clearest trends SANS has seen in the last three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities. In 2018, 81% of respondents state their cyberthreat intelligence implementations have resulted in improvements, compared to 78% in 2017 and 64% in 2016. In addition, the number of respondents who answered ‘unknown’ has more than halved since 2016, falling from 34% in 2016 to 21% in 2017 and now to only 15% in 2018. A total of 68% of respondents say they have implemented CTI this year and another 22% plan to introduce it in the future. Only 11% of companies have no plans to do so, falling from 15% in the previous year. This indicates that CTI is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response strategies.
INTELLIGENTCIO
“As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats,” said Dave Shackleford, SANS Analyst and Senior Instructor.
CTI skill set in demand
However, finding skilled staff to operate CTI consoles is getting more difficult, despite the trends showing that CTI can play an important role in an organisation’s security strategy. In this year’s survey, 62% of respondents cite a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10 percentage points over 2017. This indicates that the more CTI is used and consumed, the more this skill set is in demand. It may therefore be much more difficult to find staff members who are experienced in setting up and operating CTI programmes. Similarly, 39% cite a lack of technical ability to integrate CTI tools into the organisational environment.
Better visibility and improved security operations
As a result of their CTI programme efforts, respondents report better visibility and improved security operations. For example, 71% indicate overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70% of participants report improved security operations, while 66% cite improved ability to detect previously unknown threats.
Responses to the 2018 survey reveal a growing emphasis on CTI being used for security operations tasks: detecting threats (79%), incident response (71%), blocking threats (70%) and threat hunting (62%).
The survey responses indicate that threat intelligence is key in augmenting and improving firewall rules, network access control lists and reputation lists. Known sites and indicators associated with ransomware are then shared through threat intelligence, allowing operations teams to quickly search for existing compromise and proactively block access from internal clients.
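The two operational uses the paragraph describes, searching existing logs for contact with shared indicators and turning the same indicators into block rules, are shown below as an added example. It is not code from the article or from SANS; the indicator feed, the proxy log lines (a constructed `timestamp client_ip dest_host dest_ip status` format) and the `deny ...` rule syntax are all constructed placeholders, not a specific vendor's product.

```python
"""Match a shared indicator set against proxy logs, then emit block rules.

Added example, not from the article or SANS. The feed, the log format and the
rule syntax are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed indicator feed of the kind a CTI source shares (TEST-NET addresses).
INDICATORS = {
    "domains": ["malware-drop.example", "ransom-c2.example"],
    "networks": ["203.0.113.0/24", "198.51.100.7"],
}

# Constructed proxy log: "<ts> <client_ip> <dest_host> <dest_ip> <status>".
SAMPLE_LOG = """\
2018-02-01T10:00:01Z 10.0.0.5 www.example.org 93.184.216.34 200
2018-02-01T10:00:07Z 10.0.0.9 cdn.malware-drop.example 203.0.113.44 200
2018-02-01T10:01:12Z 10.0.0.5 mail.example.org 192.0.2.10 200
2018-02-01T10:02:30Z 10.0.0.17 update.vendor.example 198.51.100.7 403
2018-02-01T10:03:03Z 10.0.0.9 ransom-c2.example 203.0.113.200 200
"""


@dataclass
class IndicatorSet:
    domains: set[str]
    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network]

    @classmethod
    def from_feed(cls, feed: dict) -> "IndicatorSet":
        # Normalise domains (case, trailing dot) and parse IPs/CIDRs once up front.
        return cls(
            domains={d.lower().rstrip(".") for d in feed["domains"]},
            networks=[ipaddress.ip_network(n, strict=False) for n in feed["networks"]],
        )

    def match_host(self, host: str) -> str | None:
        """Return the matching domain indicator; a listed parent domain also
        matches its subdomains, but a mere substring (notmalware-drop.example) does not."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, ip: str) -> str | None:
        """Return the network indicator (as CIDR) containing this address, if any."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


def find_hits(log_text: str, indicators: IndicatorSet) -> list[dict]:
    """Search for existing compromise: every log line whose destination host or IP
    matches an indicator becomes a hit record for incident-response triage."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, host, dest_ip, status = parts
        reason, kind = indicators.match_host(host), "domain"
        if reason is None:
            reason, kind = indicators.match_ip(dest_ip), "network"
        if reason is not None:
            hits.append({"ts": ts, "client": client, "dest": host, "dest_ip": dest_ip,
                         "indicator": reason, "kind": kind, "status": status})
    return hits


def affected_clients(hits: list[dict]) -> list[str]:
    """Internal clients that reached an indicator, deduplicated and sorted."""
    return sorted({h["client"] for h in hits})


def build_block_rules(indicators: IndicatorSet) -> list[str]:
    """Turn the indicator set into proactive deny rules (placeholder syntax)."""
    rules = [f"deny dns {d}" for d in sorted(indicators.domains)]
    rules += [f"deny ip {n}" for n in sorted(str(n) for n in indicators.networks)]
    return rules


if __name__ == "__main__":
    ind = IndicatorSet.from_feed(INDICATORS)
    for hit in find_hits(SAMPLE_LOG, ind):
        print(f"{hit['ts']} {hit['client']} -> {hit['dest']} matched {hit['kind']} {hit['indicator']} (status {hit['status']})")
    print("clients to triage:", affected_clients(ind and find_hits(SAMPLE_LOG, ind)))
    print("\n".join(build_block_rules(ind)))
```

The status field is kept on each hit deliberately: a 403 shows the proxy already refused the request, but the client still attempted the connection and still belongs on the triage list.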
“Fortunately, many organisations are sharing details about attacks and attackers and numerous open source and commercial options exist for collecting and integrating this valuable intelligence,” added Shackleford. “All of this has resulted in improvements in organisations’ abilities to improve security operations and detect previously unknown attacks.
“These results reinforce the trends we’re seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response.”
www.intelligentcio.com