Companies should turn to AI to speed delivery of threat intelligence

Intelligence sharing hasn't improved since 2015 and is being slowed down by the use of manual processes

In a world in which cyber criminals are becoming increasingly stealthy and using increasingly sophisticated techniques, from ransomware to DNS hijacking, it is becoming more difficult, more expensive and less effective for businesses alone to defend themselves against threats.

According to new research by the Ponemon Institute, on behalf of Infoblox, more organisations than ever are reaching out to sources including their peers, industry groups, IT vendors and government bodies for threat intelligence data. This increase could be attributed to the fact that two thirds of the IT security practitioners surveyed said they now realised that threat intelligence could have prevented or minimised the consequences of a cyberattack or data breach.

Despite this exchange and use of threat intelligence, however, the majority of respondents to the survey claimed not to be satisfied with the current quality of the data.

A question of trust

The most important objectives of a successful threat intelligence programme are to enhance an organisation's overall security posture; improve its incident response; and quickly detect attacks. However, less than a third of respondents rated their company's defence against cyberattacks as highly effective, and only a quarter thought the same about their company's process of using internal sources such as configuration log activities.

Although IT security practitioners are increasingly satisfied with their ability to obtain threat intelligence, concerns remain about how the information is obtained: that it's not timely, for example, or that it's too complicated to ensure speed and ease of use. Much of this dissatisfaction may be due to the way in which the data is actually sourced.

While two fifths of companies consolidate their threat intelligence data from a number of different sources, most engage in an informal peer-to-peer exchange, rather than taking a more formal approach like using a threat intelligence exchange service or joining a consortium. What's more, a similar number reported using manual methods to consolidate their data, often due to a lack of qualified staff.

Regardless of the approach used, however, around three in five respondents claimed not to trust the sources of intelligence they used. It's not surprising, therefore, that companies will often use fee-based threat intelligence because they think it's better quality; that it's more effective in stopping security incidents; and because they don't have confidence in free sources.

Trust is an issue when it comes to giving, as well as receiving. While around three quarters of organisations provide threat intelligence - in addition to using data from other sources - around half claim that the potential liability of sharing means they would only partially participate in a threat intelligence exchange programme. It's for this reason, perhaps, that organisations prefer sharing with a neutral party or a trusted intermediary rather than with other organisations directly.

Automation and efficiencies

Security personnel in around two thirds of organisations are spending more than 50 hours a week responding to automated threat intelligence alerts, when their time could be better spent proactively hunting for signs of criminal activity.

Currently, only half of the companies surveyed use automated solutions to investigate threats, with one in five claiming to use advanced technology such as AI and machine learning. Interestingly, the use of slow manual sharing processes was also cited by over a third of businesses as a reason for not participating in the exchange of threat intelligence information.

The most important objective of an organisation's threat intelligence activities is to quickly detect attacks and improve incident response. For the intelligence to be actionable it needs to be received in a timely manner, with the threats it contains prioritised immediately. However, as shown above, a large number of organisations aren't satisfied with the timeliness of the intelligence, believing that it becomes stale within a matter of minutes.

With so many inefficient manual processes in place both in compiling and responding to threat intelligence, it's clearly time for businesses to embrace more automation or, at the very least, consider a hybrid approach.

Taking measurements

More than anything, the survey reveals a real need for actionable, timely and effective threat intelligence sharing. What's more, many respondents to the survey said their organisations are using threat intelligence in a non-security platform, such as DNS, indicating that we're now seeing a blurring of lines between what are considered security tools and what are considered pure networking tools. Securing today's networks means using threat intelligence for defence-in-depth, plugging all gaps, and covering all products.