Use of Cyber Threat Intelligence Evolving: Results of the 2019 SANS Cyber Threat Intelligence Survey

Bethesda, Md. – The use of cyber threat intelligence (CTI) is evolving, according to results of the 2019 CTI survey to be released by SANS Institute in a two-part webcast on February 5 and February 7.

“This year’s survey saw an increase in usage and interest in CTI, along with a diversification in how the intelligence is being used by organizations,” says SANS Analyst and threat intelligence expert Rebekah Brown. “While the use of CTI continues to grow, there is no one-size-fits-all approach. Organizations leverage different types of CTI to meet different needs.”

CTI is a resource for network defense at a majority of survey respondents’ organizations, with 72% either consuming or producing it. Perhaps more importantly, only 8% reported having no plans to begin using intelligence. Top use cases include security operations, detecting threats and attacks, blocking threats and security awareness. A diversification in use cases for CTI, along with a better understanding of how it’s used to benefit an organization’s security posture, means that CTI is being more widely utilized by both large and small organizations.

Although more are using CTI, organizations are not defining requirements for the CTI programs in any organized manner. Just 30% have documented their requirements, while 37% have ad hoc requirements, leaving 33% without defined requirements for their efforts.

“Arguably the most important part of the CTI process is identifying and defining good requirements to guide the entire intelligence life cycle and make the collection, analysis, processing and dissemination of intelligence much more focused,” adds Robert M. Lee, SANS analyst and threat intelligence expert. “Requirements enable organizations to properly operationalize intelligence work. That makes it all the more alarming, that so few have invested the time in defining their focus.”

Once the focus of a CTI program is determined in its requirements, it is important to process collected data to put the efforts to use. Some of these processes include deduplication of data; enrichment of data using public, commercial or internal data; reverse engineering of malware; and data standardization. Most respondents report that such processing is either a manual or semi-automated process, although 8–19% of respondents report fully automated processes for some of these tasks. Survey authors Lee and Brown agree that, “For teams to focus on the increasing use cases, organizations will first have to find ways to automate or streamline aspects such as collecting and processing data, which often take up the majority of an analyst’s time.”

Full results will be shared during a two-part webcast at 1 PM EST, sponsored by Anomali, DomainTools, IntSights, Recorded Future, and ThreatQuotient, and hosted by SANS. Register to attend the webcast on February 5 and February 7, 2019.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analysts and cyber threat intelligence experts, Robert M. Lee and Rebekah Brown.

Tweet This:
Learn about CTI Requirements and Inhibitors: Register for Part 1 of the SANS 2019 CTI Survey results with SANS Analyst Robert M. Lee | 2/5 @ 1PM ET |

Explore CTI Tools and Usage and take a Look Ahead: Register for Part 2 of the SANS 2019 CTI Survey results with SANS Analyst Rebekah Brown | 2/7 @ 1PM ET |

Discover the results of the SANS 2019 CTI Survey in this two-part webcast | Part 1, 2/5 @ 1PM ET | Part 2, 2/7 @ 1 PM ET

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (