Intelligent CIO Africa Issue 16 | Page 28

EDITOR’S QUESTION IS CYBERTHREAT INTELLIGENCE BECOMING INCREASINGLY IMPORTANT IN THE BATTLE AGAINST CYBERCRIME? ////////////////////////////////////////////////////////////////////////////////////////////////////////// Report reveals that 62% of people say lack of skilled cyberthreat intelligence (CTI) professionals is a major roadblock to implantation. S ANS, the largest and most trusted provider of cybersecurity training and certification to professionals worldwide, has released the results of its annual SANS 2018 Cyber Threat Intelligence Survey. The study sheds light on the evolution of Cyberthreat Intelligence (CTI) in cybersecurity and shows that CTI is maturing as a discipline. In one of the clearest trends SANS has seen in the last three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities. In 2018, 81% of respondents state their cyberthreat intelligence implementations have resulted in improvements, compared to 78% in 2017 and 64% in 2016. In addition, the number of respondents who answered ‘unknown’ has more than halved since 2016, jumping from 34% in 2016 to 21% in 2017 and now to only 15% in 2018. A total of 68% of respondents say they have implemented CTI this year and another 22% plan to introduce it in the future. Only 11% of companies have no plans to do so, falling from 15% in the previous year. This indicates that CTI is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response strategies. 28 INTELLIGENTCIO “As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats,” said Dave Shackleford, SANS Analyst and Senior Instructor. CTI skill set in demand However, finding skilled staff to operate CTI consoles is getting more difficult, despite the trends showing that CTI can play an important role in an organisation’s security strategy. In this year’s survey, 62% of respondents cite a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10% points over 2017. This indicates that the more CTI is used and consumed, the more this skill set is in demand. It may therefore be much more difficult to find staff members who are experienced in setting up and operating CTI programs. Similarly, 39% cite a lack of technical ability to integrate CTI tools into the organisational environment. Better visibility and improved security operations As a result of their CTI programme efforts, respondents report better visibility and improved security operations. For example, 71% indicate overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70% of participants report improved security operations, while 66% cite improved ability to detect previously unknown threats. Responses to the 2018 survey reveal a growing emphasis on CTI being used for security operations tasks: detecting threats (79%), incident response (71%), blocking threats (70%) and threat hunting (62%). The survey responses indicate that threat intelligence is key in augmenting and improving firewall rules, network access control lists and reputation lists. Known sites and indicators associated with ransomware are then shared through threat intelligence, allowing operations teams to quickly search for existing compromise and proactively block access from internal clients. “Fortunately, many organisations are sharing details about attacks and attackers and numerous open source and commercial options exist for collecting and integrating this valuable intelligence,” added Shackleford. “All of this has resulted in improvements in organisations’ abilities to improve security operations and detect previously unknown attacks. “These results reinforce the trends we’re seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response.” www.intelligentcio.com