One of the lessons children learn in kindergarten or preschool or even earlier at home is how to share with others. Security executives are learning that when it comes to threat information, sharing can indeed be a good thing.
The idea of threat intelligence is not just about the sharing of threat information within an enterprise and among different organizations—although that’s a big and growing part of modern information security programs. It’s also about security tools and services sharing information about potential threats, which can help companies to be more proactive in defending against attacks and protecting data resources.
Leveraging threat intelligence is so important these days because it is nearly impossible to protect data from all of the possible threat vectors out there. Bad guys are constantly finding new ways to attack, and many organizations have limited resources and expertise for stopping these attacks.
Fortunately for companies, there’s no shortage of threat intelligence services that provide feeds from credible sources about the latest threats. Enterprises can subscribe to any number of threat intelligence services, and through using these resources determine the best ways to prepare and defend their infrastructure against particular threats.
Such services accumulate and analyze threat data and deliver this data in formats that can be included in security appliances. Some of the services provide granular data such as which threats are aimed at particular types of companies or computing platforms.
It’s a growing market. Spending on worldwide threat intelligence security services is expected to rise from $905.5 million in 2014 to more than $1.4 billion in 2018, according to a 2014 research report from International Data Corp.
To determine the size of the market, the research firm included data feeds and publications, consulting security services and managed security services. Professional and managed security services will continue to see strong growth in the threat intelligence area, according to the report, and security services firms are forging alliances with universities and accreditation programs to educate security personnel.
Another report, “Who’s Using Cyber threat Intelligence and How?” released by the SANS Institute earlier this year, provides some good insights on how organizations are using threat intelligence.
For the study, the institute surveyed 326 qualified respondents and found that 69% are implementing cyber threat intelligence to some extent, with only 16% saying they have no plans to pursue threat intelligence in their environments. Nearly two thirds say they have a dedicated team, person or services organization assigned to implement and monitor intelligence.
Organizations are relying on multiple data feeds for aggregation and analysis that they’d like to consolidate in the next 12 months, according to the report. The most common elements of cyber threat intelligence that have been achieved by organizations include raw, unfiltered data feeds, tools to visualize and analyze intelligence data, and a variety of accurate and aggregated data integrated into the environment.
Those companies that have adopted cyber threat intelligence report improvements in the areas such as the ability to see attacks in context, and the accuracy and speed of detection and response. Organizations are accepting and consolidating feeds through their
security information and event management (SIEM) and intrusion monitoring platforms, while relying on threat intelligence feeds from a variety of sources including the security community and vendor-driven feeds from various tools.
As SANS Institute concludes in its report, cyber threat intelligence “is likely here to stay and is growing more mature and important.” More tools are integrating threat intelligence feeds and data, and security teams are looking for improvements in detection and response capabilities as a result.
The process of threat intelligence collection, consumption and utilization will continue to improve as adoption grows and becomes more thorough in enterprises, the report notes. As it does, providers of threat information will need to focus on accuracy, standardized methods of expressing indicators of compromise and more automated processes that link detection to response actions.
As noted earlier, a good part of threat intelligence involves multiple organizations sharing information with each other. This can involve managed service providers, business partners, consulting firms, law enforcement agencies and other public sector entities and even competitors.
The U.S. federal government has expressed a keen interest in exchanging cyber security information with the private sector, and many companies have also shown interest in this type of information sharing.
Expect the concept security “crowdsourcing” to become increasingly common as enterprises and government agencies look for more ways to stay ahead of the hackers and other nefarious actors. For channel partners, this represents yet another opportunity to offer value to customers looking for every edge they can get in providing strong security.