Time to Take a Different Threat Intelligence Approach
After it became apparent that malware, despite the best efforts of cybersecurity teams, was still finding its way into IT environments, a lot of organizations placed a greater emphasis on threat hunting. The basic idea is to employ threat intelligence to discover and remove as much malware as possible before it gets activated.
A survey of 1,800 cybersecurity leaders and practitioners conducted by the Ponemon Institute on behalf of Team Cymru, a provider of threat intelligence tools, suggests those efforts are meeting with mixed success. Only just over a third of respondents (35%) said they were employing their security analysts effectively.
More troubling still, half of the attacks on organizations that caused severe business disruption were by repeat offenders. A full 61% of those victims said they were unable to remediate the vulnerabilities that led to these additional compromises.
Some of this issue simply comes down to available resources. On average, 19% of an IT operations budget is now allocated to IT security. Less than a quarter of that funding (22%) is allocated to analyst activities and threat intelligence, the survey finds.
Not surprisingly, 70% of respondents said it is very difficult to gain an attacker’s perspective on their organization, with 61% admitting threat intelligence can’t keep up with changes in how threat actors attack their organization. Less than a quarter (24%) said their threat hunting efforts included looking beyond the borders of their enterprise to identify threats.
On the plus side, 62% of organizations are increasing investment in analysts and threat intelligence. The top three intelligence data types that respondents said they have span dark web data (47%), domain registration data (42%) and endpoint telemetry (42%). However, less than a third (31%) said they view raw Internet traffic telemetry as being important to their ability to plan preventive measures, detect threats and resolve security incidents.
Most organizations are understandably focused on how they can respond to near and present dangers. The problem is that a lack of longer-range threat intelligence means most organizations don’t have a lot of time to respond once an immediate threat is discovered. There’s more intelligence concerning threats and vulnerabilities than ever. A lot of that intelligence, alas, is being disregarded. Most organizations simply don’t have the time and resources required to analyze those threats when they are confronted daily by more immediate ones.
In an ideal world the cost of developing threat intelligence would be shared. Threat intelligence, in general, doesn’t enable one organization to gain a sustainable competitive advantage over another. Cyberattacks are a menace to the global economy. Governments and industry should be working much more collaboratively to identify cybersecurity threats in a way that surfaces more actionable intelligence. Having individual organizations each invest in developing the same threat intelligence just doesn’t make a lot of economic sense. Arguably, concentrating the resources allocated to threat intelligence would produce better results, at a time when it’s clear most organizations lack the resources to fully fund even their current level of effort, an effort that is clearly not enough to meet the challenges every organization now faces.
They say doing the same thing over again and expecting a different result is the definition of insanity. Perhaps the time has come to determine just how crazy the current approach to threat intelligence really is.