
Threat intelligence programs set for expansion


A recent study conducted by ESG research has shed light on the characteristics of a mature cyber threat intelligence (CTI) program. According to the study, the top attributes of a mature CTI program include the dissemination of reports to a broad audience, analysis of massive amounts of threat data, and integration with various security technologies. Unfortunately, most CTI programs are currently lacking in these areas. However, there is hope for improvement in the coming years as enterprise organizations are increasingly investing in CTI programs.

The research shows that 63% of enterprises plan to significantly increase their CTI program spending in the next 12 to 18 months, while another 34% plan to increase their spending somewhat. This surge in investment can be attributed to the benefits that CTI can deliver in both technology and business domains. Some of the major influences driving this spending include the need to learn about threats to companies earmarked for mergers and acquisitions, the growing threat of targeted attacks by individual hackers or cyber-adversary groups, and the importance of understanding adversary tactics, techniques, and procedures (TTPs) to strengthen security defenses.

Chief Information Security Officers (CISOs) are particularly enthusiastic about further investments in threat intelligence programs. They believe that these investments can help mitigate cyber risks and improve threat prevention and detection. Over the next 12 to 24 months, several key priorities have emerged for organizations in terms of their CTI programs.

Firstly, 30% of organizations plan to prioritize sharing threat intelligence reports more readily with internal groups. This is seen as a step in the right direction as threat intelligence has value beyond the security operations center (SOC). CISOs can use CTI to prioritize investments and validate security controls, while business managers can balance digital transformation initiatives with more thorough risk management decisions. The dissemination and consumer feedback phases are critical components of a mature threat intelligence lifecycle.

Secondly, 27% of organizations will prioritize investing in digital risk protection (DRP) services. As organizations expand their digital footprints, they need a better understanding of the accompanying risks. DRP services provide this visibility by monitoring factors such as online data leakage, brand reputation, attack surface vulnerabilities, and deep/dark web chatter related to attack planning.

Thirdly, 27% of organizations will prioritize integrating CTI with other security technologies. Besides endpoints, email, and network perimeters, CISOs see the need for CTI integration with cloud security tools, security information and event management (SIEM) and extended detection and response (XDR) solutions, and security service edge (SSE) tools such as secure web gateways and cloud access security brokers (CASBs). Increased integration would enhance the capability to block indicators of compromise (IoCs) and develop a more comprehensive threat-informed defense.

Additionally, 27% of organizations aim to acquire a threat intelligence platform (TIP) for collection, processing, analysis, and sharing of threat intelligence. While TIPs were previously exclusive to larger enterprises, they are now becoming more accessible to organizations of all sizes. Service providers such as Flashpoint, Mandiant, Rapid7 (Intsights), Recorded Future, Reliaquest (Digital Shadows), SOCRadar, and ZeroFox are likely to benefit from this increased spending. Established brands like Cisco, CrowdStrike, IBM, Microsoft, and Palo Alto Networks are also expected to receive a significant portion of the investment.

Finally, 26% of organizations are prioritizing the development of a more formal CTI program. They acknowledge that relying on open-source threat intelligence feeds reviewed by part-time threat analysts is no longer sufficient. To execute a complete CTI lifecycle, organizations need dedicated staffing and well-defined processes. While CISOs work on establishing their internal capabilities, many will rely on the service providers mentioned earlier to handle the substantial workload.

In conclusion, organizations with mature CTI programs are well-positioned to optimize cyber risk mitigation and strengthen their security defenses. By investing in the dissemination of threat intelligence reports, digital risk protection services, integration with other security technologies, threat intelligence platforms, and well-structured CTI programs, enterprises can stay ahead of evolving cyber threats. With increased spending in these areas, organizations can better understand the enemy and themselves, enabling them to fearlessly navigate the ever-changing cybersecurity landscape.
