Threat intelligence programs poised for growth

In my last CSO article, I detailed cybersecurity professionals’ opinions on the characteristics of a mature cyber-threat intelligence (CTI) program. According to ESG research, the top attributes of a mature CTI program include dissemination of reports to a broad audience, analysis of massive amounts of threat data, and CTI integration with lots of security technologies.

Alas, most CTI programs are far from mature, but this may change over the next few years as most enterprise organizations bolster CTI program investment. Sixty-three percent of enterprises plan to increase CTI program spending “significantly” over the next 12 to 18 months, while another 34% plan to increase CTI program spending “somewhat.”

Why all this spending? Because CTI can deliver technology and business benefits. The research reveals some of the biggest influences on CTI programs include the need to learn about threats to companies earmarked for M&A, the threat of individual hackers or cyber-adversary groups planning targeted attacks, and the need to learn about adversary tactics, techniques, and procedures (TTPs) so organizations can reinforce their security defenses.

Why CISOs will spend more on threat intelligence

CISOs clearly believe that further investments in threat intelligence programs can mitigate cyber-risks while improving threat prevention and detection. Over the next 12 to 24 moths:

• Thirty percent of organizations will prioritize sharing threat intelligence reports more readily with internal groups. This is a step in the right direction as threat intelligence has value beyond the security operations center (SOC) for alert enrichment. CISOs can use CTI to prioritize investments and validate security controls, while business managers can balance digital transformation initiatives with more thorough risk management decisions. CTI dissemination and consumer feedback are key phases of a mature threat intelligence lifecycle.
• Twenty-seven percent of organizations will prioritize investing in digital risk protection (DRP) services. As organizations expand their digital footprints, they need a better understanding of the accompanying risks. DRP services provide this visibility by monitoring things like online data leakage, brand reputation, attack surface vulnerabilities, and deep/dark web chatter around attack planning.
• Twenty-seven percent of organizations will prioritize integration with other security technologies. Beyond endpoints, email, and network perimeters, CISOs want CTI integration with cloud security tools, security information and event management (SIEM) and extended detection and response (XDR) solutions, and security service edge (SSE) tools like secure web gateways and cloud access service brokers (CASBs). More integration equates to blocking more indicators of compromise (IoCs) and developing a more comprehensive threat-informed defense.
• Twenty-seven percent of organizations will prioritize acquiring a threat intelligence platform (TIP) for threat intelligence collection, processing, analysis, and sharing. Once the exclusive domain of the largest enterprises, TIPs are slowly moving down market. I anticipate a lot of this spending will end up with service providers like Flashpoint, Mandiant, Rapid7 (Intsights), Recorded Future, Reliaquest (Digital Shadows), SOCRadar, and ZeroFox. The big brands like Cisco, CrowdStrike, IBM, Microsoft, and Palo Alto Networks will also get a fair slice of the pie.
• Twenty-six percent of organizations will prioritize developing a more formal program. Organizations realize they can no longer skate by on some open-source threat intelligence feeds reviewed by part-time threat analysts. Rather, they need staffing and processes to execute a full CTI lifecycle. While CISOs get their internal houses in order, most will rely on service providers, like those mentioned above, to do much of the real work.

As the famous Sun Tzu quote states: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Organizations with mature CTI programs know themselves, know the enemy, and then use this knowledge to optimize cyber-risk mitigation and security defenses.