
Threat Intelligence

11/3/2016 01:25 PM

Surveys: Security Pros Overwhelmed, Not Communicating, Threat Intel Data

Two new studies underscore the challenges of making threat intelligence part of the enterprise arsenal.

Two new surveys released in the last week revealed troubling but telling trends in enterprise security. Some 70 percent of infosec professionals are overwhelmed by the volume and complexity of threat intelligence data, according to a report from security vendor Anomali and the Ponemon Institute. A separate survey from consultancy BDO USA found that only 27% of respondents share security information externally, with an almost equal number (24%) saying they don't share information at all.

The Anomali survey also identified information sharing challenges. Barely one-third (31%) of organizations share threat intel with board and C-level leaders.

The two surveys' findings reinforce each other. The more overwhelmed security pros are by data volumes, the less likely they are to share what they're seeing; the less they share, the more data floods their desktops and management consoles.

Unraveling this knot is widely viewed as critical to helping enterprises and government get ahead of the constant stream of threats they face. That means improving the way threat intel is used and managed on a day-to-day basis, whether through devoting personnel to the tasks or automating more of the functions. It also means opening up the channels of communication around threat intel, both internally and externally, according to the surveys.

Anomali further uncovered that 56% don't use standardized communication protocols; more alarming, 43% said the data isn’t used to drive decisions within the security operations center. And just to pound the nail in, 49% reported their IT security team doesn’t receive or read threat intelligence reports.

The Anomali survey also pointed up a pitfall with threat intelligence. Many organizations think they can set up intelligence feeds and essentially ignore them until trouble starts. But threat intelligence requires someone devoted to monitoring feeds, and more importantly, analyzing and watching for patterns, according to Travis Farral, director of security strategy at Anomali. Correlating disparate data, applying analytics, and reporting out the insights will keep at least one infosec pro busy, added Farral, who handled threat intelligence for ExxonMobil prior to joining Anomali a month ago.

There's also a security evolution as institutions go from broad-based protection to detection, understanding breaches, and handling remediation, said Michael Stiglianese, managing director in BDO Consulting's technology advisory services practice. "The next step is how to bring in threat intelligence," he told Dark Reading. Analytics tools can help organizations sift through all that raw data and find what's relevant and useful to the organization, he added.

BDO also reported that 74 percent of respondents said their board is more involved with security than they were a year ago. While that's an uptick from the previous year, Stiglianese said there would be more alarm and calls for action if similar results emerged about boards' attention to other essentials like credit-worthiness, for example. "We're moving in the right direction. But when you consider how important security is to organizations, it's disappointing," he said.

Other key points from the BDO survey:

--Among the respondents who do share security information, 88% are sharing with federal agencies, followed by 28% with Information Sharing and Analysis Centers (ISACs). Only 19% share with competitors.

--88% of directors get briefed on security at least once a year, including 34% that are briefed quarterly and 37% that are briefed annually; 9% are briefed twice a year and 8% more often than quarterly. Some 12% get no security briefings at all.

--Almost half (45%) of directors have documented their business's critical digital assets along with solutions to protect them, up from 34% in 2015. Another 25% have identified critical digital assets but still lack a protection strategy.

--43% have initiated cyber-risk requirements that their third-party vendors must meet, up from 35% last year.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...

Comments
T Sweeney, User Rank: Moderator
11/7/2016 | 2:11:11 PM
Re: Overwhelmed
Thanks for weighing in, Kiarko. We hear some version of your story regularly among the businesses and government organizations we talk to about infosec. I imagine there's only so much comfort in the fact you're not alone.

If there were a better way, what would that be? Hire more people? Automate the monitoring and prioritization? Go to the cloud? Something else?
Kiarko, User Rank: Strategist
11/7/2016 | 1:49:53 PM
Overwhelmed
I couldn't agree more. My organization recently signed up for the FS-ISAC alerts; I get about 70 emails a day total from them and it is just too much to go through. I scroll through them looking at the threat type. It is too much to go through and to still do my other tasks.