In my last CSO article, I detailed cybersecurity professionals’ opinions on the characteristics of a mature cyber-threat intelligence (CTI) program. According to ESG research, the top attributes of a mature CTI program include dissemination of reports to a broad audience, analysis of massive amounts of threat data, and CTI integration with lots of security technologies.
Alas, most CTI programs are far from mature, but this may change over the next few years as most enterprise organisations bolster CTI program investment. Sixty-three percent of enterprises plan to increase CTI program spending “significantly” over the next 12 to 18 months, while another 34% plan to increase CTI program spending “somewhat.”
Why all this spending? Because CTI can deliver technology and business benefits. The research reveals that some of the biggest influences on CTI programs include the need to learn about threats to companies earmarked for M&A, the threat of individual hackers or cyber-adversary groups planning targeted attacks, and the need to learn about adversary tactics, techniques, and procedures (TTPs) so organisations can reinforce their security defenses.
Why CISOs will spend more on threat intelligence
CISOs clearly believe that further investments in threat intelligence programs can mitigate cyber-risks while improving threat prevention and detection. Over the next 12 to 24 months:
- Thirty percent of organisations will prioritise sharing threat intelligence reports more readily with internal groups. This is a step in the right direction as threat intelligence has value beyond the security operations center (SOC) for alert enrichment. CISOs can use CTI to prioritise investments and validate security controls, while business managers can balance digital transformation initiatives with more thorough risk management decisions. CTI dissemination and consumer feedback are key phases of a mature threat intelligence lifecycle.
- Twenty-seven percent of organisations will prioritise investing in digital risk protection (DRP) services. As organisations expand their digital footprints, they need a better understanding of the accompanying risks. DRP services provide this visibility by monitoring things like online data leakage, brand reputation, attack surface vulnerabilities, and deep/dark web chatter around attack planning.
- Twenty-seven percent of organisations will prioritise integration with other security technologies. Beyond endpoints, email, and network perimeters, CISOs want CTI integration with cloud security tools, security information and event management (SIEM) and extended detection and response (XDR) solutions, and security service edge (SSE) tools like secure web gateways and cloud access security brokers (CASBs). More integration equates to blocking more indicators of compromise (IoCs) and developing a more comprehensive threat-informed defense.
- Twenty-seven percent of organisations will prioritise acquiring a threat intelligence platform (TIP) for threat intelligence collection, processing, analysis, and sharing. Once the exclusive domain of the largest enterprises, TIPs are slowly moving down market. I anticipate a lot of this spending will end up with service providers like Flashpoint, Mandiant, Rapid7 (IntSights), Recorded Future, ReliaQuest (Digital Shadows), SOCRadar, and ZeroFox. The big brands like Cisco, CrowdStrike, IBM, Microsoft, and Palo Alto Networks will also get a fair slice of the pie.
- Twenty-six percent of organisations will prioritise developing a more formal program. Organisations realise they can no longer skate by on some open-source threat intelligence feeds reviewed by part-time threat analysts. Rather, they need staffing and processes to execute a full CTI lifecycle. While CISOs get their internal houses in order, most will rely on service providers, like those mentioned above, to do much of the real work.
As the famous Sun Tzu quote states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Organisations with mature CTI programs know themselves, know the enemy, and then use this knowledge to optimise cyber-risk mitigation and security defenses.