According to a survey conducted by Forrester Consulting on behalf of Kaspersky, IT security leaders seeking to boost internal threat intelligence (TI) programs would prefer to delegate five out of eight major TI aspects to external vendors rather than develop them in-house. For most respondents, quicker threat detection, remediation and response are the main advantages of using external solutions.
Threat intelligence has become a must-have for incident prevention and an important area for organizations to invest in. At the same time, this new specialty remains challenging for IT security teams because it requires constantly tracking, analyzing and interpreting large amounts of fragmented data, in addition to regularly reevaluating and adjusting the appropriate skills, sources and tools.
The new study, evaluating threat intelligence practices among firms with mature cybersecurity functions, revealed that although 83% of decision-makers recognize the crucial role of threat intelligence in building a resilient cybersecurity program and plan to invest in the area, TI remains a challenging specialty for all firms.
Close to two-thirds of IT security leaders (64%) said their firm struggles to align their threat intelligence program with their risk management program, and 62% face difficulties implementing measurement procedures to track threat intelligence effectiveness. Other major concerns include improving knowledge of the threat landscape, prioritizing multiple stakeholder requirements for information, and identifying gaps in data.
To tackle these challenges and improve their threat intelligence program, IT security decision-makers plan to implement a range of measures internally and leverage vendors’ offerings. Respondents believe it is more efficient to lean on external vendors for the majority of TI needs. Six in ten (61%) would put support in place for processing raw intelligence information, 60% for collecting human intelligence and 59% for integrating data feeds with other security tools. However, firms still prioritize developing in-house capabilities for choosing and aggregating data sources.
The top two benefits of using vendors’ support are quicker threat detection, remediation and response (56%) and improved efficiency with automated reporting processes (52%). About half of respondents also said external solutions can reduce the number of breaches and lower associated costs.
“A threat intelligence program strengthens a company’s defense, contributing to visibility over the threat landscape by providing relevant and applicable insights. Facilitating threat intelligence processing and analysis, it enables companies to make timely and fully informed decisions. However, evaluating TI services and choosing among the innumerable available market options is another challenge that confronts IT security teams,” comments Artem Karasev, product marketing lead for corporate product marketing at Kaspersky. “Our experience in threat research suggests that while there are virtually no criteria perfectly applicable for all organizations, the guiding principle for choosing external threat intelligence sources should be quality over quantity.”
Kaspersky suggests paying special attention to the following points when evaluating external threat intelligence solutions:
- Information sources the vendor uses: vendors that aggregate information from around the world can provide more visibility over actual threats and efficiently correlate fragmented activities.
- Capability to provide context: contextual data helps reveal the ‘bigger picture’, further validating and supporting the wide-ranging uses of the data. Relationship context, such as the domains associated with detected IP addresses or the URLs from which a file was downloaded, boosts incident investigation and supports better incident ‘scoping’ by uncovering newly acquired related Indicators of Compromise in the network.
- Compatibility with existing solutions: an examination of the vendor’s delivery methods and integration systems ensures smooth integration of threat intelligence into existing security operations.
- Vendor’s experience: a proven track record of threat investigation ensures the efficacy of the proposed solutions.