Get unparalleled cyber security training from real-world practitioners in Boston. Save $200 thru 6/26.


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

CTI Uses, Successes and Failures: SANS Survey Results Released

CTI Use Expanding; Security Improvements Attributed to CTI, Inhibitors May Be Combatted with Metrics

  • Bethesda, MD
  • March 8, 2017

Cyber threat intelligence (CTI) shows promise in making threats easier to detect and respond to, according to our most recent survey on cyber threat intelligence to be released by SANS Institute on March 15 and 16, 2017.

Survey results demonstrate that organizations are embracing CTI, with 60% of respondents reporting that they use CTI and another 25% planning to do so. Of those, 72% of respondents experienced improved visibility into threats and attack methodologies, while 63% report improving security operations, and the same percentage said CTI helped them detect unknown threats.

While CTI adherents find multiple improvements as a result of CTI, however, those benefits are often difficult to demonstrate to management.

"Each year more and more security teams find increasing value in CTI for security operations and response," says SANS Analyst and survey report author Dave Shackleford. "But we need better metrics and reporting so that we demonstrate its value to management stakeholders."

Lack of management buy-in was listed by one-third of respondents as an inhibitor to their CTI implementations. While that wasn't the biggest inhibitor, the top inhibitors--lack of trained staff with skills to utilize CTI, lack of funding, lack of time to implement new processes and lack of technical capabilities--are all inhibitors that could be minimized if upper management understood the value of implementing CTI. Providing that information requires the use of understandable metrics.

"When we can demonstrate the value that CTI brings in preventing, detecting, and responding to today's attacks," Shackleford continues, "We are likely to see CTI implementations become more commonplace, more mature and more important to security programs than ever before."

Full results will be shared during a two-part webcast at 1 PM Eastern on March 15 and March 16, sponsored by Anomali, Arbor Networks, DomainTools, LookingGlass Cyber Solutions, Rapid7, and ThreatConnect, and hosted by SANS. Register to attend the March 15 webcast at and the March 16 webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst Dave Shackleford.

Tweet This:

Of the 60% using Cyberthreat Intelligence today, 72% improved their visibility; SANS survey Webcast | March 15 and 16 |

Staffing and lack of management buy-in inhibitors to Cyberthreat Intelligence implementations; SANS survey Webcast | March 15 and 16 |

Cyberthreat Intelligence in Action -- report by Dave Shackleford released in two-part presentation | March 15 and 16 |

Explore CTI staffing and deployment issues | March 15 |

Learn about the effectiveness of CTI and future needs | March 16 |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (