Cyber Threat Intelligence in Security Operations: 2018 SANS Survey

Dave Shackleford, SANS Analyst and Senior Instructor
Dave Shackleford, SANS Analyst and Senior Instructor
7 years ago

SANS has released the results of its annual SANS 2018 Cyber ​​Threat Intelligence Survey. The study sheds light on the evolution of Cyber ​​Threat Intelligence (CTI) in cyber security and shows that CTI is maturing as a discipline.

In one of the clearest trends SANS has seen in the last three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities. In 2018, 81 percent of respondents state their cyber threat intelligence implementations have resulted in improvements, compared to 78 percent in 2017 and 64 percent in 2016. In addition, the number of respondents who answered “unknown”, in other words, they didn’t feel they could answer the question confidently, has more than halved since 2016, jumping from 34 percent in 2016 to 21 percent in 2017, and now to only 15 percent in 2018.

What’s more, 68 percent of respondents say they have implemented CTI this year, and another 22 percent plan to introduce it in the future. Only 11 percent of companies have no plans to do so, falling from 15 percent in the previous year. This indicates that CTI is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response strategies.

“As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats,” says the survey’s author, Dave Shackleford, SANS Analyst and Senior Instructor.

CTI skill set in demand

However, finding skilled staff to operate CTI consoles is getting more difficult, according to this year’s report, despite the trends showing that CTI can play an important role in an organisation’s security strategy. In this year’s survey, 62 percent of respondents cite a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10 percentage points over 2017 (53 percent). This indicates that the more CTI is used and consumed, the more this skill set is in demand. It may therefore be much more difficult to find staff members who are experienced in setting up and operating CTI programs. Similarly, 39 percent cite a lack of technical ability to integrate CTI tools into the organizational environment.

Better visibility and improved security operations

As a result of their CTI program efforts, respondents report better visibility and improved security operations. For example, 71 percent indicate overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70 percent of participants report improved security operations, while 66 percent cite improved ability to detect previously unknown threats.

Responses to the 2018 survey reveal a growing emphasis on CTI being used for security operations tasks: detecting threats (79 percent), incident response (71 percent), blocking threats (70 percent) and threat hunting (a little further down the list at 62 percent). The survey responses indicate that threat intelligence is key in augmenting and improving firewall rules, network access control lists and reputation lists. Known sites and indicators associated with ransomware are then being shared through threat intelligence, allowing operations teams to quickly search for existing compromise and proactively block access from internal clients.

“Fortunately, many organizations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence. All of this has resulted in improvements in organizations’ abilities to improve security operations and detect previously unknown attacks,” Shackleford continues.

He summarises the results this way: “These results reinforce the trends we’re seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response.”