While the majority of enterprise IT security managers rely on threat intelligence to reduce cybersecurity risk, many still lack the necessary skills and resources to carry out these initiatives fully, according to a Vulcan Cyber report on threat intelligence adoption trends and challenges.
The survey of 100 information security, vulnerability management, and threat intelligence executives and practitioners found threat intelligence adoption is on the rise, with a growing percentage of companies putting dedicated teams (75%) and budgets (66%) in place.
However, nearly three-quarters (73%) of respondents indicated that a lack of skills to leverage threat intelligence is a key problem, and the majority (55%) said their threat intelligence data is not predictive enough.
Despite challenges with prediction, 56% of respondents said they currently use or plan to use predictive models including the Exploit Prediction Scoring System (EPSS).
The open, data-driven EPSS, maintained by FIRST, was designed to help organizations estimate the probability that a software vulnerability will be exploited in the wild within the next 30 days, so that remediation can be ranked by likely exploitation rather than by severity score alone.
Melissa Bischoping, director of Tanium’s endpoint security research team, said threat intelligence goes far beyond just indicators of compromise (IOCs) and “known-knowns”.
“Threat intelligence can be a powerful source of data to help prioritize what to fix first,” she explained. “Every organization must make strategic choices about which vulnerabilities to patch first; which solutions to modernize and at what cost.”
She added that threat intelligence is a critical factor in making those decisions in the context of both your organization’s unique environment and the changing pace of the cybersecurity threat landscape.
“It’s as much a science as an art and blurs the lines between humans and the technology—both on the defensive and the offensive side,” Bischoping said.
She pointed out that effective use of threat intelligence also gives an organization confidence in understanding how emerging threats impact the environment.
“Understanding the exploitability of a vulnerability and its ease of use, coupled with complete asset management and visibility to understand your exposure, is the key to reliably answering the question ‘How worried should we be about this new headline?’”
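As an added illustration (not code from the article, Vulcan Cyber, Tanium or FIRST), the Python below shows the kind of prioritization Bischoping describes and that EPSS is meant to feed: EPSS probabilities from a constructed sample laid out like FIRST’s published CSV are joined to a constructed asset inventory, so that an internet-facing host with an actively exploited medium-severity CVE outranks an internal host carrying a critical CVSS score that nobody is exploiting. The CVE IDs, scores, hostnames, the 3x exposure weight and the CVSS tie-break are all assumptions made for the example.

```python
"""Rank findings by EPSS exploitation probability weighted by asset exposure.

Added example; not code from the article, Vulcan Cyber, Tanium or FIRST.
EPSS_CSV is a constructed sample that mirrors the layout of the daily CSV
FIRST publishes ('#' metadata line, then cve,epss,percentile); the CVE IDs,
scores and hostnames are illustrative, not real data.
"""
import csv
from dataclasses import dataclass

# Constructed sample in the published EPSS CSV layout (assumed, see above).
# 'epss' is the probability of exploitation activity in the next 30 days.
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.97000,0.99900
CVE-2024-0002,0.00045,0.12000
CVE-2024-0003,0.35000,0.97000
CVE-2024-0004,0.00200,0.55000
"""


@dataclass(frozen=True)
class Finding:
    """One scanner result: which CVE, on which asset, how exposed."""
    cve: str
    cvss: float           # base severity reported by the scanner
    asset: str
    internet_facing: bool


# Constructed scanner output; note the CVSS 9.8 sits on an internal host.
FINDINGS = [
    Finding("CVE-2024-0001", 7.5, "vpn-gw-01", True),
    Finding("CVE-2024-0002", 9.8, "build-agent-07", False),
    Finding("CVE-2024-0003", 6.1, "web-01", True),
    Finding("CVE-2024-0004", 9.1, "db-02", False),
    Finding("CVE-2024-9999", 8.8, "lab-03", False),   # no EPSS row at all
]


def load_epss(text):
    """Parse EPSS CSV text into {cve: (probability, percentile)}.

    Metadata lines start with '#' and must be skipped before the header.
    """
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    return {r["cve"]: (float(r["epss"]), float(r["percentile"]))
            for r in csv.DictReader(rows)}


def urgency(finding, epss, exposure_weight=3.0):
    """EPSS probability scaled by exposure; unscored CVEs get probability 0.

    The 3x weight for internet-facing assets is an assumed local policy,
    not part of EPSS, which scores a CVE rather than your deployment of it.
    """
    probability = epss.get(finding.cve, (0.0, 0.0))[0]
    return probability * (exposure_weight if finding.internet_facing else 1.0)


def prioritize(findings, epss, exposure_weight=3.0):
    """Sort findings most urgent first.

    Primary key is urgency(); CVSS is only a tie-break, so a critical
    score with no exploitation signal does not outrank an actively
    exploited medium on an exposed host.  Unscored CVEs sink to the
    bottom and should be reviewed by hand rather than silently ignored.
    """
    return sorted(findings,
                  key=lambda f: (-urgency(f, epss, exposure_weight), -f.cvss))


if __name__ == "__main__":
    scores = load_epss(EPSS_CSV)
    for f in prioritize(FINDINGS, scores):
        p, pct = scores.get(f.cve, (0.0, 0.0))
        flag = "" if f.cve in scores else "  (no EPSS score: review manually)"
        print(f"{f.cve}  {f.asset:<15} cvss={f.cvss:<4} epss={p:<7} "
              f"pct={pct:<6} urgency={urgency(f, scores):.3f}{flag}")
```

Run stand-alone, the script lists the VPN gateway (EPSS 0.97, exposed) first and the internal build agent with CVSS 9.8 fourth; the CVE with no EPSS row lands last and is flagged, because an absent score is missing information, not evidence of safety. Replacing the constructed CSV with the day’s real file and the inventory with scanner export is the only change needed to use it against live data.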
The survey also revealed that organizations are using threat intelligence on an ongoing and frequent basis, with 75% of respondents using it at least weekly.
The most common use cases are blocking bad IPs (64%), integrating feeds with other security products (63%) and analyzing root cause to determine scope (54%).
John Steven, CTO at ThreatModeler, an automated threat modeling provider, explained that what differentiates an organizational capability from a vendor’s threat intelligence tool or feed is the people and process used to operationalize it.
He said when leaders feel they lack the team (or expertise) to leverage threat intelligence, the benefit they receive from it is confined to what can be automated: delivered content and enriched reporting, or continual updates to endpoint protection and network/infrastructure security control configuration.
“CISOs have long complained that they don’t see the value of threat intelligence to the preventative security activities within their delivery life cycles,” Steven said. “They’ve been unable to marry the data and insight from feeds with the kind of vulnerability and exposure that threat modeling and defect discovery activity provide.”
Threat modeling marries intelligence feed and insight data with depicted (“modeled”) architectures so that application and cloud security practitioners can design controls not only around business risk, but around insights about adversarial behavior.
From Steven’s perspective, it’s about connecting dots: organizations will gain more from threat intelligence when they combine its data about adversary motivation, activity and behavior with the telemetry their defect discovery activities produce throughout development and delivery.
“Then, as organizations threat model, they can design purpose-built detective controls to track and prevent what threat intelligence directs them to fear,” he said.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, noted the entire point of intelligence in the national security world is to figure out what is coming next, not what has already happened.
He added that while the practice has borrowed techniques from the intelligence community, the cybersecurity community has lagged in creating products that are forward-looking.
“Unfortunately, much of the entire cybersecurity ecosystem is designed around giving information about a fire after the house has already burned down,” he said.