Cyber Threat Intelligence in Security Operations: Results of 2018 SANS Survey

Bethesda, MD., January 24, 2018 – Cyber threat intelligence (CTI) is becoming more useful overall, especially to security operations teams that are working hard to integrate intelligence into their prevention, detection and response actions, according to results of the CTI survey to be released by SANS Institute in a two-part webcast on Tuesday, February 6, 2018 and Wednesday, February 7, 2018.

“As the threat landscape continues to change, and with more advanced attackers than ever, security teams need all the help they can get to more effectively prevent, detect and respond to threats,” says the survey’s author, Dave Shackleford, SANS Analyst and Senior Instructor.

In one of the clearest trends SANS has seen over the past three years, respondents have increasingly stated that CTI is improving their prevention, detection and response capabilities:

  • In this new survey (2018), 81% of respondents affirmed that CTI is helping, compared to 78% in 2017 and 64% in 2016.
  • In addition, the number of respondents who answered “unknown” (in other words, they didn’t feel they could answer the question confidently) has steadily decreased from 34% in 2016 to 21% in 2017, and now to only 15% in 2018.
  • Moreover, 73% of respondents reported improved visibility into threats and attack methodologies impacting their systems.

“Fortunately, many organizations are sharing details about attacks and attackers, and numerous open source and commercial options exist for collecting and integrating this valuable intelligence, all of which have resulted in improvements in organizations’ abilities to improve security operations and detect previously unknown attacks,” Shackleford continues.

As a result of their CTI program efforts, respondents report better visibility and improved security operations. For example, 71% indicated overall satisfaction with visibility into threats and indicators of compromise (IoCs). When specifying improvements, 70% of participants reported improved security operations, while 66% cited improved ability to detect previously unknown threats.

Shackleford summarized the results this way: “These results reinforce the trends we’re seeing that indicate CTI is being primarily aligned with the SOC and is tying into operational activities such as security monitoring, threat hunting and incident response.”

Register to learn more about the full survey results during a two-part webcast. Part 1, on Tuesday, February 6 at 1 PM Eastern, will focus on the current state of CTI and its usefulness. Part 2, held on Wednesday, February 7 at 1 PM Eastern, will explore how the growing use of CTI impacts cyber security skills and best practices. Both webcasts, which are hosted by SANS, are sponsored by Anomali, DomainTools, IntSights, Rapid7 and ThreatConnect.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst, Senior Instructor and CTI expert, Dave Shackleford.