Cyber Threat Intelligence: Key Tool to Help SOCs, Incident Response Teams Make Critical Decisions
Security Operations Centers (SOCs) and Incident Response teams use cyber threat intelligence as a key tool to make critical decisions to fight off cyber attackers, according to a new study by CRA Business Intelligence. (Full disclosure: CRA is the parent company of MSSP Alert).
In a survey of roughly 180 security and IT leaders in the U.S., CRA found that threat intelligence helps SOCs make timely, informed decisions that prevent system downtime, thwart the theft of confidential data, and protect intellectual property. The results are important for managed security service providers (MSSPs) in that they show how threat intelligence can best be used to support their customers’ cyber defenses.
Cyber Threat Concerns Abound
Additional key takeaways from the study:
- About two-thirds (64%) said they are very or extremely concerned about cyberthreats in the next 12 months. Their main concerns are ransomware (70%), followed by expanding attack surfaces (55%). Accordingly, for most respondents (62%), a fear of ransomware attacks is the top strategic driver of their threat intelligence strategies, followed by regulatory requirements (49%) and recommendations from industry experts (39%).
- Respondents reported their top use cases for threat intelligence are vulnerability management (68%), security operations (66%), and incident response (62%). Technical (73%) and operational (71%) threat intelligence are more common than the more difficult strategic or more basic tactical use cases. Only 5% said they did not use any threat intelligence.
- Many respondents pointed out that having access to early and credible intelligence is a core requirement for their organization. About six in ten participants said they subscribe to up to 10 threat intelligence feeds while another quarter (26%) gather their intelligence from 11 to 50 feeds. The largest shares of respondents said they use threat data from malware analysis (75%) or indicators of compromise (IOC) (72%).
- Respondents indicated the importance of having an automated action and response capability as part of their chosen solution now and in the future. Nearly half (46%) said they already incorporate automation in their threat intelligence strategies, and almost just as many (41%) said they plan to add that capability, making this the top planned component of their threat intelligence strategies.
- Increased spending is also anticipated, as 66% of respondents expect their organizations to invest more on threat intelligence in the coming year. This specific trend bodes well for security operations centers hoping to boost defense capabilities through improved threat intelligence, particularly as it relates to patching security flaws in current software and responding more quickly to security events.
What We’ve Learned
Bill Brenner, vice president of Custom and Research Content Strategy in CRA’s Business Intelligence Unit, explained the message of the survey results:
“What’s striking about these survey responses is how threat intelligence has become such a powerful tool to communicate threats and needed solutions to executives. Respondents see the automation of detection and response as key to uncovering and stopping attacks quickly, but also in painting a picture executives can understand.”