Cyber Threat Intelligence in Security Operations: Results of 2018 SANS Survey

Bethesda, Md. – Cyber threat intelligence (CTI) is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response actions, according to results of the CTI survey to be released by SANS Institute in a two-part webcast on Tuesday, February 6, 2018 and Wednesday, February 7, 2018.

"As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats," says the survey's author, Dave Shackleford, SANS Analyst and Senior Instructor.

In one of the clearest trends SANS has seen over the past three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities:

  • In this new survey (2018), 81% of respondents affirmed that CTI is helping, compared to 78% in 2017 and 64% in 2016.
  • In addition, the number of respondents who answered "unknown" (in other words, they didn't feel they could answer the question confidently) has steadily decreased from 34% in 2016 to 21% in 2017, and now to only 15% in 2018.
  • Moreover, 73% of respondents reported improved visibility into threats and attack methodologies impacting their systems.

"Fortunately, many organizations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence, all of which have resulted in improvements in organizations' abilities to improve security operations and detect previously unknown attacks," Shackleford continues.

As a result of their CTI program efforts, respondents report better visibility and improved security operations. For example, 71% indicated overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70% of participants reported improved security operations, while 66% cited improved ability to detect previously unknown threats.

Shackleford summarized the results this way: "These results reinforce the trends we're seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response."

Register to learn more about the full survey results during a two-part webcast. Part 1, on Tuesday, February 6 at 1 PM Eastern, will focus on the current state of CTI and its usefulness. Part 2, held on Wednesday, February 7 at 1 PM Eastern, will explore how the growing use of CTI impacts cyber security skills and best practices. Both webcasts, which are hosted by SANS, are sponsored by Anomali, DomainTools, IntSights, Rapid7 and ThreatConnect.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst, Senior Instructor and CTI expert, Dave Shackleford.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.