UK firms have identified cyber threat intelligence as an investment priority for 2016 as they struggle to get a consistent view of their information security capabilities, according to analyst firm IDC.
Performance, skills and costs remain the biggest hurdles to true data-driven security, revealed an IDC study based on interviews with heads of IT and security at 300 large UK enterprises.
“Many security professionals are trying to get a single view of their security position, using threat intelligence to make sense of that,” said Duncan Brown, research director, European security, at IDC.
All companies polled said they intend to use threat intelligence products and services in the next 24 months, with 96% already using them, according to the study, which was commissioned by cyber security managed services provider SecureData.
Threat intelligence goes beyond Siem
However, the study found that 77% of those polled regard threat intelligence as security information and event management (Siem), 73% regard it as risk-based analysis of threats and recommended remediation, and 64% see it as data feeds on attacks and threats.
“Most large organisations have some sort of Siem product, but to think that this is the totality of threat intelligence is a bit worrying. Risk-based analysis of threats and recommended remediation is a bit more like the ideal and what we expect threat intelligence to be,” said Brown.
Some 61% of respondents include automated remediation of attacks, and 64% include data feeds of vulnerabilities and other threats, as a core element of threat intelligence. The majority of firms regard threat intelligence as a combination of products and services, but some are implementing it exclusively as a service.
“Most recognise that services are at least a part of threat intelligence. The reason is that most organisations struggle to digest threat intelligence data, but services enable companies to consume this data with a lot of support and the context of the organisation is taken into account by the service provider, so it typically means having an analyst on-site from a third-party provider,” said Brown.
In the past two years, he said, IDC has seen a massive uptake of services in all aspects of IT security, not just threat intelligence, driven by a lack of skills and the high cost of available skills.
Benefits and challenges of threat intelligence
Respondents identified the main benefits of threat intelligence as faster attack detection and response (55%), better understanding of threats and attacks (43%), and finding new or unknown threats (42%).
Major challenges include performance and response times (75%), training and expertise (59%), and the cost of tools, maintenance and personnel (52%).
Analytics-based issues are also regarded as a significant hurdle, such as correlating events (49%) and reducing false positives/negatives (36%).
The survey found that while two-thirds of companies plan to invest in big data analytics engines, only a quarter are ready to invest in third-party intelligence products or services.
“Threat intelligence is not simply information. It is a service delivering a collated and correlated range of data feeds and sources to provide actionable advice to security operations,” said Brown.
“Getting this holistic view of security beyond IT is critical to understanding the full context of threat information, but our study suggests firms are taking a somewhat traditional view of intelligence that discounts more innovative developments,” he said.
Only a minority of those surveyed by IDC believe threat intelligence includes intrusion monitoring (33%) or the sharing of information in the security community (35%).
An even smaller group includes analytics either based on behaviour (6%) or correlation of security data (6%). Just 3% believe cloud-based intelligence sharing is part of threat intelligence.
IT leaders overlook data integration opportunities
“Cloud delivery of threat intelligence is actually a pretty good idea because you don’t have to adjust too much of your own organisation, but I think there is still a suspicion that cloud is a bad thing when it comes to security, although we are slowly getting past that,” said Brown.
The study found that although many organisations collect a substantial amount of information across their IT security infrastructure, they are failing to integrate this with their threat intelligence platform.
Fewer than 60% of respondents integrate data from their firewall or unified threat management (UTM) devices with their threat intelligence platform. Of the 86% of organisations using mobile device management (MDM) systems, just under half (47%) integrate MDM data with that platform, and only 34% of firms correlate external data, such as threats or attacks on peers, with it.
“IDC’s findings suggest chief information security officers [CISOs] are not considering the wider context in which their business operates, either from a physical security and application security perspective, or from a broader industry viewpoint,” said Etienne Greeff, chief executive of SecureData.
“Nevertheless, the fact they recognise the importance of increased context and intend to invest in such insight as a priority is encouraging as it will enable them to adopt an offensive security posture that mitigates the ever-expanding attack surface and better protects their infrastructure, applications and valuable information assets,” he said.
Although a minority of firms currently correlate all security-related data, the study found that 97% would do so if they were able.
“This points to a perception amongst the majority of respondents that they are unaware that holistic correlation is possible or affordably realistic,” said Greeff.
Overall, Brown said the study shows that most organisations need to take a broader view of security to include physical perimeter information and contextual information like industry vertical.
“Organisations need to think more about overall security so that it becomes irrelevant whether potentially bad actors come through the front door or through the internet,” he said.