Anomali today released the findings of its second annual Ponemon Institute study, revealing that organisations are still not actioning or sharing threat intelligence adequately, leaving them lagging behind cyber attackers.
A third (33 per cent) of UK organisations are not sharing information externally at all and 31 per cent have no plans to join an industry sharing group. This is in stark contrast to cybercriminal communities who often share strategies and tools on Darknet marketplaces and underground forums.
“The Value of Threat Intelligence: The Second Annual Study of North American and United Kingdom Companies”, which surveyed over 1,000 IT and security practitioners (443 UK), also found that a lack of expertise in threat intelligence (56 per cent) and fear of revealing signs of a breach (51 per cent) were holding UK organisations back from sharing.
This is despite the availability of sector-based Information Sharing and Analysis Centers (ISACs), which enable businesses to share information in trusted communities to increase knowledge of physical and cyber security threats. Even for organisations that are currently involved in an ISAC, over a quarter (28 per cent) just receive community intelligence and do not contribute.
Jamie Stone, VP EMEA at Anomali, said: “While we have seen that 86 percent of organisations believe threat intelligence is valuable to their security mission, it is clear there is still work to be done.
“Organisations must overcome their sharing concerns, fears of exposure, and train the entire business to understand and action upon malicious activity if they are to turn the tide on bad actors.”
The study also uncovered a disparity between UK organisations and their US counterparts in intelligence sharing:
- 43 per cent of US respondents are part of an ISAC, while just 33 per cent of UK businesses are, showing a potential lag in cyber security maturity
- 35 per cent of UK organisations share intelligence with government associations, versus 26 per cent of US businesses, demonstrating a willingness to help with attribution of cyber attacks
- The US is much more concerned about liability (28 per cent, versus 16 per cent of UK organisations), but depending on the legal framework in place that facilitates intelligence sharing, ample protections around disclosure should already exist
Stone continued: “Sharing of intelligence improves visibility for better data analysis, delivers stronger defences that are optimised against observed and perceived threats, and coordinates intelligence collection and analysis.
“Pushing out cyber-attack details quickly could mean the difference in someone else being breached and being able to stop it quickly.
“As well as faster answers to incident response challenges thanks to the additional resources, adding skills and expertise to the event.”
However, organisations still struggle to maximise the value of threat intelligence and feel that they are only moderately effective in tapping into intelligence to combat cyber threats.
Voluminous data continues to be an issue, with 70 per cent overwhelmed and unable to extract actionable intelligence. Other top reasons for threat intelligence ineffectiveness include:
- Lack of staff expertise (69 percent of respondents)
- Lack of ownership (52 percent of respondents)
- Lack of suitable technologies (44 percent of respondents)
To maximise the effectiveness of threat intelligence, organisations must identify a variety of resources and techniques to help. Threat feeds themselves are not intelligence, and not everything in them will be relevant to an organisation, so applying contextual details must be prioritised where possible.
Businesses must understand their own environment, the attacks they and their peers see, and extrapolate meaning from the data available. To aid in this, a threat intelligence platform (TIP) automates these processes, easily integrates into existing security stacks, weeds out false positives, adds context, and brings the most important observed threats in an organisation’s environment to the foreground.
Stone added: “From NotPetya to the Equifax breach, cybersecurity threats and attacks are routinely making the front page. Organisations need rapid access to contextual and actionable threat intelligence to detect any malicious activity in their networks.
“Organisations must be able to quickly pinpoint active threats and mitigate them before material damage occurs. This requires a platform that is able to prioritise threat data, operationalise insights, and facilitate the sharing of intelligence.”