Anomali today released the findings of its second annual Ponemon Institute study, revealing that organisations are still not actioning or sharing threat intelligence adequately, leaving them lagging behind cyber attackers. A third (33%) of UK organisations are not sharing information externally at all and 31% have no plans to join an industry sharing group. This is in stark contrast to cybercriminal communities, who often share strategies and tools on Darknet marketplaces and underground forums.
The study, “The Value of Threat Intelligence: The Second Annual Study of North American and United Kingdom Companies”, which surveyed over 1,000 IT and security practitioners (443 UK), also found that a lack of expertise in threat intelligence (56%) and fear of revealing signs of a breach (51%) were holding UK organisations back from sharing. This is despite the availability of sector-based Information Sharing and Analysis Centers (ISACs), which enable businesses to share information in trusted communities to increase knowledge of physical and cyber security threats. Even among organisations that are currently involved in an ISAC, over a quarter (28%) just receive community intelligence and do not contribute.
“While we have seen that 86 percent of organisations believe threat intelligence is valuable to their security mission, it is clear there is still work to be done. Organisations must overcome their sharing concerns, fears of exposure, and train the entire business to understand and action upon malicious activity if they are to turn the tide on bad actors,” said Jamie Stone, VP EMEA at Anomali.
The study also uncovered a disparity between UK organisations and their US counterparts in intelligence sharing:
- 43% of US respondents are part of an ISAC, while just 33% of UK businesses are, showing a potential lag in cyber security maturity
- 35% of UK organisations share intelligence with government associations, versus 26% of US businesses, demonstrating a willingness to help with attribution of cyber attacks
- US organisations are much more concerned about liability (28%, versus 16% of UK organisations), but depending on the legal framework in place that facilitates intelligence sharing, ample protections around disclosure should already exist
“Sharing of intelligence improves visibility for better data analysis, delivers stronger defences that are optimised against observed and perceived threats, and coordinates intelligence collection and analysis. Pushing out cyber attack details quickly could mean the difference in someone else being breached and being able to stop it quickly. As well as faster answers to incident response challenges thanks to the additional resources, adding skills and expertise to the event,” continued Stone.
However, organisations still struggle to maximise the value of threat intelligence and feel that they are only moderately effective in tapping into intelligence to combat cyber threats. Voluminous data continues to be an issue, with 70% overwhelmed and unable to extract actionable intelligence. Other top reasons for threat intelligence ineffectiveness include:
- Lack of staff expertise (69 percent of respondents)
- Lack of ownership (52 percent of respondents)
- Lack of suitable technologies (44 percent of respondents)
To maximise the effectiveness of threat intelligence, organisations must identify a variety of resources and techniques to help. Threat feeds themselves are not intelligence, and not everything will be relevant to an organisation; applying contextual details must therefore be prioritised where possible. Businesses must understand their own environment and the attacks they and their peers see, and extrapolate meaning from the data available. A threat intelligence platform (TIP) aids in this: it automates these processes, easily integrates into existing security stacks, weeds out false positives, adds context, and brings the most important observed threats in an organisation’s environment to the foreground.
“From NotPetya to the Equifax breach, cybersecurity threats and attacks are routinely making the front page. Organisations need rapid access to contextual and actionable threat intelligence to detect any malicious activity in their networks,” added Stone. “Organisations must be able to quickly pinpoint active threats and mitigate them before material damage occurs. This requires a platform that is able to prioritise threat data, operationalise insights, and facilitate the sharing of intelligence.”
To download a copy of the report, “The Value of Threat Intelligence: The Second Annual Study of North American and United Kingdom Companies,” please visit: www.anomali.com/ponemon