CTI Uses, Successes and Failures: SANS Survey Results Released

  • Bethesda, MD
  • March 8, 2017

Cyber threat intelligence (CTI) shows promise in making threats easier to detect and respond to, according to our most recent survey on cyber threat intelligence to be released by SANS Institute on March 15 and 16, 2017.

Survey results demonstrate that organizations are embracing CTI, with 60% of respondents reporting that they use CTI and another 25% planning to do so. Of those, 72% of respondents experienced improved visibility into threats and attack methodologies, while 63% report improving security operations, and the same percentage said CTI helped them detect unknown threats.

While CTI adherents find multiple improvements as a result of CTI, however, those benefits are often difficult to demonstrate to management.

“Each year more and more security teams find increasing value in CTI for security operations and response,” says SANS Analyst and survey report author Dave Shackleford. “But we need better metrics and reporting so that we demonstrate its value to management stakeholders.”

Lack of management buy-in was listed by one-third of respondents as an inhibitor to their CTI implementations. While that wasn’t the biggest inhibitor, the top inhibitors–lack of trained staff with skills to utilize CTI, lack of funding, lack of time to implement new processes and lack of technical capabilities–are all inhibitors that could be minimized if upper management understood the value of implementing CTI. Providing that information requires the use of understandable metrics.

“When we can demonstrate the value that CTI brings in preventing, detecting, and responding to today’s attacks,” Shackleford continues, “We are likely to see CTI implementations become more commonplace, more mature and more important to security programs than ever before.”

Full results will be shared during a two-part webcast at 1 PM Eastern on March 15 and March 16, sponsored by Anomali, Arbor Networks, DomainTools, LookingGlass Cyber Solutions, Rapid7, and ThreatConnect, and hosted by SANS. Register to attend the March 15 webcast at www.sans.org/webcasts/103432 and the March 16 webcast at www.sans.org/webcasts/103437

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst Dave Shackleford.