A new study by the Ponemon Institute highlights the difficulties in taking advantage of threat intelligence. The study of over a thousand IT security practitioners in North America and the United Kingdom notes particular difficulties in consuming threat intelligence due to the extensive amount and complexity of threat data. Seventy percent of respondents reported this to be a barrier to effective use of threat intelligence.

This is understandable when you consider the facts around threat intelligence data. First, there is a lot of threat data to consume. Examples include open source feeds, threat reports, commercial feeds, internally generated threat data (from malware sandboxes and other platforms), and ad hoc sources. Second, there is a general need to compare all of this threat data with internal log data to determine which threats have surfaced in an organization’s network. This concern was also reflected in the report: sixty-two percent of respondents noted that SIEM integration was necessary to maximize the value of threat intelligence, but sixty-four percent of respondents reported that integration with a SIEM and other security tools is difficult and time-consuming.

One of the other key messages that came from the report is that there is a lack of trained or experienced analysts in the field of threat intelligence. Fifty-two percent of respondents reflected a need for a qualified threat analyst to maximize the value of threat intelligence data and saw this as a barrier to the effective use of threat intelligence overall. Lack of staff expertise was cited as a barrier to deploying a threat intelligence platform (fifty-six percent of respondents) and as a reason for not effectively using threat intelligence data (sixty-nine percent of respondents).

As an industry, developing more expertise around threat intelligence is a crucial issue. Taking advantage of training and conferences geared towards threat intelligence is part of the answer. The most benefit can be gained by just getting more analysts exposed to threat intelligence and working with threat data on a daily basis. Interacting with other, more experienced analysts can also be a supplement. Collaboration with other threat analysts in other organizations can provide a significant source of collective threat intelligence experience.

There were also other challenges that came out in the report. These include the fact that threat intelligence may not be reaching senior management. Only thirty-two percent of respondents said that threat intelligence is used to brief senior executives and only thirty percent said threat intelligence information reached the board of directors. Despite the energy around threat intelligence sharing, standardized protocols are still not the predominant method of sharing threat intelligence. Fifty-six percent of respondents said they don’t use standardized protocols to share threat intelligence.

Despite the challenges, respondents saw threat intelligence as valuable to a strong security posture (seventy-eight percent of respondents). Many of the issues highlighted in the report can be addressed either directly or indirectly by having a threat intelligence platform.



Download a copy of the report, “The Value of Threat Intelligence: A Study of North American and United Kingdom Companies”