According to a recent report by ESG, enterprise organizations are struggling to establish a mature cyber threat intelligence (CTI) program. The report surveyed 380 cybersecurity professionals working at enterprise organizations and found that 80% have basic threat intelligence programs, while 20% are more advanced. However, even within the 20% category, few organizations have a well-designed threat intelligence lifecycle with established processes and metrics that they consistently follow in line with best practices.
One reason for this lag is the misconception that threat intelligence consists only of indicators of compromise (IoCs) such as known malicious files, IP addresses and web domains, used for reference and alert enrichment. Fewer organizations have automated the conversion of discovered IoCs into blocking rules, and fewer still align their threat intelligence programs with the MITRE ATT&CK framework so they can track adversary tactics, techniques, and procedures (TTPs) to create detection rules, build a threat-informed defense, and validate their security controls.
The research also identified the most-cited mature cyber threat intelligence attributes. Thirty-one percent of security professionals believe that a mature CTI program must include information dissemination with reports customized for specific individuals and groups. A mature CTI program collects, processes, and analyzes the right data – not necessarily the most data. Twenty-seven percent of security professionals believe that a mature CTI program must include integration with other security technologies.
ESG’s research also revealed that organizations are quickly buried by threat intelligence volume and struggle to find the useful needles in the haystack. Thus, a mature CTI program collects, processes, and analyzes the right data. Twenty-three percent of security professionals believe that a mature CTI program must include the ability to continuously test security controls against new threats and adversaries. When this process is continuous and well managed, it is certainly a sign of maturity.
Similarly, twenty-three percent of security professionals believe that a mature CTI program must include well-defined goals, objectives, and metrics in pursuit of continuous program improvement. When the CTI program team defines metrics for success, constantly measures its performance against them, and reports these metrics to its managers, it ensures a mature CTI program. Lastly, twenty-one percent of security professionals believe that a mature CTI program must include automated processes for blocking newly discovered IoCs. However, doing this on its own does not make a CTI program mature.
The research reinforces that most organizations do not have a mature CTI program and many security professionals do not know what a mature CTI program looks like. A strong CTI program can certainly bolster security defenses when done correctly. However, many organizations would benefit most by finding managed service providers to help them bridge this gap rather than muddling through on their own.

