Use of Cyber Threat Intelligence Evolving: Results of the 2019 SANS Cyber Threat Intelligence Survey

Cyber Threat Intelligence Evolving; Requirements Not Well-Defined; Automation Needed

  • Bethesda, MD
  • January 29, 2019

The use of cyber threat intelligence (CTI) is evolving, according to results of the 2019 CTI survey to be released by SANS Institute in a two-part webcast on February 5 and February 7.

“This year’s survey saw an increase in usage and interest in CTI, along with a diversification in how the intelligence is being used by organizations,” says SANS Analyst and threat intelligence expert Rebekah Brown. “While the use of CTI continues to grow, there is no one-size-fits-all approach. Organizations leverage different types of CTI to meet different needs.”

CTI is a resource for network defense at a majority of survey respondents’ organizations, with 72% either consuming or producing it. Perhaps more importantly, only 8% reported having no plans to begin using intelligence. Top use cases include security operations, detecting threats and attacks, blocking threats and security awareness. A diversification in use cases for CTI, along with a better understanding of how it’s used to benefit an organization’s security posture, means that CTI is being more widely utilized by both large and small organizations.

Although more organizations are using CTI, they are not defining requirements for their CTI programs in any organized manner. Just 30% have documented their requirements, while 37% have ad hoc requirements, leaving 33% without defined requirements for their efforts.

“Arguably the most important part of the CTI process is identifying and defining good requirements to guide the entire intelligence life cycle and make the collection, analysis, processing and dissemination of intelligence much more focused,” adds Robert M. Lee, SANS analyst and threat intelligence expert. “Requirements enable organizations to properly operationalize intelligence work. That makes it all the more alarming that so few have invested the time in defining their focus.”

Once the requirements have set the focus of a CTI program, collected data must be processed before it can be put to use. Some of these processes include deduplication of data; enrichment of data using public, commercial or internal data; reverse engineering of malware; and data standardization. Most respondents report that such processing is either manual or semi-automated, although 8–19% of respondents report fully automated processes for some of these tasks. Survey authors Lee and Brown agree: “For teams to focus on the increasing use cases, organizations will first have to find ways to automate or streamline aspects such as collecting and processing data, which often take up the majority of an analyst’s time.”

Full results will be shared during a two-part webcast at 1 PM EST, sponsored by Anomali, DomainTools, IntSights, Recorded Future, and ThreatQuotient, and hosted by SANS. Register to attend the webcast on February 5 and February 7, 2019.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analysts and cyber threat intelligence experts, Robert M. Lee and Rebekah Brown.

Tweet This:
Learn about CTI Requirements and Inhibitors: Register for Part 1 of the SANS 2019 CTI Survey results with SANS Analyst Robert M. Lee | 2/5 @ 1PM ET | www.sans.org/webcasts/108905

Explore CTI Tools and Usage and take a Look Ahead: Register for Part 2 of the SANS 2019 CTI Survey results with SANS Analyst Rebekah Brown | 2/7 @ 1PM ET | www.sans.org/webcasts/108910

Discover the results of the SANS 2019 CTI Survey in this two-part webcast | Part 1, 2/5 @ 1PM ET www.sans.org/webcasts/108905 | Part 2, 2/7 @ 1 PM ET www.sans.org/webcasts/108910

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)