FireEye recently conducted online social media polls to gain insight into what threat intelligence means to people. We posed four simple questions on Twitter, LinkedIn and Facebook that asked about the use of threat intelligence, as well as the sources of threat intelligence.
Question 1: How are you using threat intelligence to assess and manage risk?
The results show that 84 percent of respondents use threat intelligence for business decision-making, 67 percent use it to make decisions about resources and security tools, and 17 percent use it for risk assessment on new business initiatives. Meanwhile, 17 percent said they don’t use threat intelligence at all.
Threat intelligence benefits risk management programs by giving leadership and executives an understanding of actual threats to the business. They can then assess their current security programs, technologies and staff, and allocate budget and personnel to protect the most critical assets and business processes.
Question 2: How are you currently using threat intelligence in your security program?
This question focused on the operational use cases for threat intelligence. Half of the respondents said they use it to prioritize and validate incidents in order to determine which incidents to focus on, as well as to inform and strengthen security operations and aid in incident response. The other half indicated they use it for the reasons above, and also for executive communications on the company’s risk profile and to quickly determine which alerts to investigate first.
Applying threat intelligence is an important step for contextualizing alerts and incidents. This context allows security analysts to understand the type of threat or threat actor they are dealing with, so they can formulate an appropriate response plan.
Question 3: What are the sources of intelligence in your cyber security program?
This question revealed that 15 percent of respondents use vendor products, another 15 percent use public or open source feeds, and five percent rely solely on privately gathered, internal sources. 65 percent said they use all of those intelligence sources.
While combining quality threat intelligence gathered from various sources can give organizations a more complete and actionable understanding of the specific cyber threats they are facing, it is important to focus on the quality of intelligence over its quantity.
Question 4: What does ‘cyber threat intelligence’ mean to you?
Less than 10 percent of respondents said it meant intelligence that was evaluated and interpreted by trained intelligence analysts. More than one-third said it is information that is accurate, timely, complete and assessed for relevancy. 46 percent provided write-in answers, which ranged from automation and orchestration to timely, relevant and contextualized cyber threat information used for a specific audience and organization.
We define true cyber threat intelligence as accurate, timely knowledge about adversaries and their motivations, intentions and methods that is collected, analyzed and disseminated to help security and business staff protect the critical assets of the enterprise. It is actionable and helps “shrink the problem” or “right size the problem” of too many alerts.
Ultimately, the integration of threat intelligence into an organization’s security program yields significant tactical, operational and strategic benefits. Tactical benefits include removing invalid indicators so they don’t create false positives and prioritizing indicators so a security operations center (SOC) analyst can rapidly identify alerts that need to be escalated. Operational benefits include providing situational awareness and context for incident response teams so they can determine attacker intentions, methods and targets, allowing them to quickly remediate damage done and prevent future attacks. Strategic benefits include better understanding of risks for informed resource allocation and better ROI on security investments.