The Value of Threat Intelligence for All Security Functions
May 29, 2019 • Zane Pokorny
Cybersecurity as a practice faces numerous challenges today. Although around $124 billion will be spent on cybersecurity products and services in 2019, highlighting the growing recognition of its importance, it won’t be enough to just spend more. Right now, three-quarters of organizations are experiencing skills shortages, and 44% of alerts go uninvestigated. On top of that, 66% of companies are breached.
What this all amounts to is that regardless of how much money they spend, companies that rely on manual processes are fighting a losing battle. What’s needed is real-time, automated threat intelligence that supplements the human resources you have and provides the context you need to take informed action, regardless of your security role.
The value that you’ll get out of threat intelligence varies depending on what security function you work in. But no matter your role, it’s proven to save time and money. An independent study by research firm IDC showed how:
Here, we’ll look at some of the problems that different security functions face, and how threat intelligence provides cost-effective solutions in each case.
Security Operations and Incident Response
Security operations centers (SOCs) deal with countless daily alerts that are difficult to triage without additional context. SOCs that rely mainly on internal data have limited visibility into real-world threats. One step up, raw, basic threat intelligence (like threat feeds) integrated into solutions lacks context and sometimes produces false positives, often adding to the burden rather than eliminating it. And analysts who rely on manual processes will never have enough time to do due diligence on every alert that comes in.
Security teams that use Recorded Future identify threats 10 times faster and find 22% more of them before they have an impact. And real threats are resolved 63% faster.
True threat intelligence goes well beyond what threat feeds provide. With real-time updates, vast and transparent sourcing, and deep integrations with other security solutions like SIEMs, true threat intelligence provides external context that enriches alerts. This kind of threat intelligence helps SOCs and incident response teams quickly triage alerts and discover unknown threats based on external data that correlates with internal data.
Risk Reduction and Vulnerability Management
Any efforts at risk reduction, including vulnerability management, will suffer from a lack of awareness of the threat landscape — and anyway, no vulnerability management team of any size can patch every vulnerability they come across.
But limited contextual information makes prioritizing patching difficult. Vulnerability databases update more slowly than vulnerabilities are typically exploited in the real world, resulting in delayed notifications and increased risk, and many risk models are vague or do not update quickly enough to be actionable.
Not patching the right vulnerabilities at the right time can result in significant unplanned downtime, and time is money. Organizations that use Recorded Future’s threat intelligence see an 86% reduction in unplanned downtime on average.
The context provided by real-time threat intelligence helps vulnerability management teams identify which vulnerabilities are actively being exploited by threat actors and which can be safely ignored.
Security staff that use Recorded Future also spend 34% less time compiling security reports, and see an average of $1 million in fines avoided per breach.
Security-focused executives face a number of challenges when communicating their goals and priorities to other executives who may not have as much of a technical background. CISOs and other security leaders who rely mainly on internal network data will have a restricted view of the real threat landscape, making it difficult to quantify overall risk exposure and the impact of risk reduction methods. And limited budgets can make it hard to justify investments in new security solutions or process improvements without the data to back them up.
Threat intelligence provides a significantly broader view of the real threat landscape external to an organization, allowing security leaders to measure overall relevant risk exposure, such as risks in the supply chain. With this context, they can more effectively prioritize how to spend their budgets, and justify those costs to other executives.
From a strictly financial perspective, investing in threat intelligence is an easy decision: organizations that use Recorded Future saw their investment pay off in just four months, and saw a three-year return on investment of 284%.
For a closer look at the results of IDC’s study, read our e-book, “5 Ways to Reduce Your Risk Profile and Maximize Security Team Efficiency With Recorded Future.” It more deeply explores how your organization can reduce risk while saving time and money with threat intelligence.