2020 SANS CTI Survey Says Intelligence Is Critical to Security
About the 2020 SANS CTI Survey
2020 was a big year for the SANS CTI Survey, with a record number of respondents (1,006) and the highest ever totals of cyber threat intelligence programs within organizations reporting. Respondents represented companies of all sizes from a wide range of industries — the top four being government, banking and finance, cybersecurity service providers, and technology.
One of the most significant trends reflected in this year’s survey is that for many organizations, the role of intelligence has evolved beyond small, ad-hoc tasks performed disparately. Today, intelligence is depended upon for more robust, integrated programs that span across security teams, processes, and workflows to support the entire enterprise.
The survey illustrates how many organizations are embracing intelligence as a critical security function, and as the common thread in exposing unknown threats, informing better decisions, and ultimately, accelerating risk reduction across the organization.
It also notes that as the cyber threat intelligence field settles into this new maturity, understanding and improving the effectiveness of security programs will become even more critical. To that end, the survey outlines five key takeaways to help organizations as they progress on their intelligence journeys. Here’s a look at them, along with some observations:
1. Collaboration Is Key
Cyber threat intelligence involves analyzing information about threats and producing actionable guidance to determine what steps must be taken in response to those threats. Doing this effectively requires the right mix of people, processes, and tools. Without people to make critical decisions, there would be no intelligence. Likewise, without effective processes and tools, even the most seasoned analysts would quickly become overwhelmed trying to make sense of massive volumes of threat data flowing in from multiple sources.
This year, it was encouraging to see that nearly half of all respondents work within a dedicated team. This means that hard-working analysts are getting more of the critical support they need. As more people and teams work collaboratively across organizations, it is even more important to have the right processes and tools in place. To that end, 61% of respondents rely on external partners to support their intelligence efforts — an 11% increase from the previous 12 months.
2. Embrace Automation to Improve Efficiency
When it comes to intelligence, it’s essential to get the right data to the right places for analysis, at the right time. The right intelligence should empower teams to efficiently spend their time on things that require expert judgment, and automate or eliminate the manual work that doesn’t.
The survey indicates there is opportunity to further automate repeatable data collection and processing tasks, which would help organizations better allocate resources. One area that has shown automation improvement in the past year is data enrichment. Enrichment of information using external public data sources via semi-automated methods increased by 5%, while manual enrichment of information using internal data sources dipped 5%.
3. Your Needs Will Change as Your Intelligence Program Evolves
As more organizations begin to produce their own intelligence, the nature of information that analysts require is also shifting from primarily threat feed or vendor-provided information, to data from internal tools and teams. The survey indicates that while many of the same tools and processes can be used to handle this type of information, organizations evolving their programs must also determine how this changes their need for tools handling this data.
The most effective intelligence tools can help bridge this gap by collecting and analyzing vast amounts of data from internal and external data sources, along with threat feeds. The resulting rich, actionable intelligence can be integrated directly with existing security solutions and can empower teams to rapidly collaborate on analysis and response.
4. Document Requirements for Long-Term Success
The 2020 survey showed a dramatic improvement in organizations documenting intelligence requirements. In 2019, only 30% had taken this critical step. This year, nearly half of respondents said they had done so. This is a positive development, as requirements are a key part of the intelligence process, ensuring a focus on collection and analysis efforts by analysts, as well as proper production of intelligence. And more good news: Those contributing to intelligence requirements increased across the board, with respondents reporting more input from more teams including security operations and incident response.
As noted last year, defining good intelligence requirements requires input from a diverse range of people within an organization. Effective intelligence should be able to support a broad array of functions that deal with risk across the organization.
5. The Best Intelligence Is Both Produced and Consumed
According to the survey, more than 40% of respondents both produce and consume intelligence for a more accurate, real-time view of organizational risk. This is a great indicator of the growing maturity and professionalization of the cyber threat intelligence field as a whole.
The survey also revealed a heightened interest in open source threat intelligence in regard to both data and tools. There was an 8% increase in respondents reporting the use of open source threat feeds as a collection source, and a 14% increase in the use of open source threat intelligence management tools. Additionally, several respondents proactively shared that their organizations have had success with the MITRE ATT&CK framework, as it adds valuable context to alerts and helps prioritize response.
Download the full 2020 SANS CTI Survey to see how the world of cyber threat intelligence has changed in the last 12 months, and to dig deeper into these findings and more.