Security News

Use of Cyber Threat Intelligence Evolving: SANS Survey

The use of cyber threat intelligence (CTI) is evolving, as per the  results of the 2019 CTI survey to be released by SANS Institute.

CTI is a resource for network defense at a majority of survey respondents’ organizations, with 72% either consuming or producing it. Perhaps more importantly, only 8% reported having no plans to begin using intelligence. Top use cases include security operations, detecting threats and attacks, blocking threats and security awareness. A diversification in use cases for CTI, along with a better understanding of how it’s used to benefit an organization’s security posture, means that CTI is being more widely utilized by both large and small organizations.

“This year’s survey saw an increase in usage and interest in CTI, along with a diversification in how the intelligence is being used by organizations,” says SANS Analyst and threat intelligence expert Rebekah Brown. “While the use of CTI continues to grow, there is no one-size-fits-all approach. Organizations leverage different types of CTI to meet different needs.”

Organizations are using CTI more, but not defining requirements for the CTI programs in any organized manner. The survey says that  30% have documented their requirements, while 37% have ad hoc requirements, leaving 33% without defined requirements for their efforts.

“Arguably the most important part of the CTI process is identifying and defining good requirements to guide the entire intelligence life cycle and make the collection, analysis, processing and dissemination of intelligence much more focused,” adds Robert M. Lee, SANS analyst and threat intelligence expert. “Requirements enable organizations to properly operationalize intelligence work. That makes it all the more alarming, that so few have invested the time in defining their focus.”

Once the focus of a CTI program is determined in its requirements, it is important to process collected data to put the efforts to use. Some of these processes include deduplication of data; enrichment of data using public, commercial or internal data; reverse engineering of malware; and data standardization. Most respondents report that such processing is either a manual or semi-automated process, although 8–19% of respondents report fully automated processes for some of these tasks.

Survey authors Lee and Brown agree that, “For teams to focus on the increasing use cases, organizations will first have to find ways to automate or streamline aspects such as collecting and processing data, which often take up the majority of an analyst’s time.”

(Image Courtesy:

Leave a Comment

Your email address will not be published.

You may also like