New data from the 2021 SANS Cyber Threat Intelligence survey, sponsored by ThreatQuotient, reveals how cyber threat intelligence (CTI) has grown and matured in the past year, highlighting a clear uplift in CTI’s adoption and perceived value in organisations both big and small.
Due to the increased likelihood of cyber attacks, organisations of all sizes with operations in Australia and New Zealand, and Asia, are increasingly looking to implement CTI programmes to build a proactive defence posture and for their response teams to stay one step ahead of adversaries.
Respondents of this global survey of leading security professionals were predominantly made up of those holding Security Analysts & Response (60.5%%) and CISO/CSO/C-Suite roles (7.9%). With 40.1% sharing their organisation had operations in Asia and 25.1% in Australia & New Zealand, in industries including: Cybersecurity (17.4%), Banking & Finance (16.7%), the Government (12.6%), Technology (12.2%), and Manufacturing (6.4%).
Four key findings from the 2021 SANS Cyber Threat Intelligence Survey:
- The pandemic changed how organisations implement CTI programs:
- Impact of WFH: 20% of respondents said the mass move to WFH and sharp rise in COVID-related phishing and ransomware attacks forced their organisation to get proactive in their cyber response as adversaries took advantage of the disruption and increased attack surface.
- Increased attack surface: Respondents identified WFH threats such as phishing, lost or stolen devices, home networking equipment, malware, accidental release of sensitive data information, and employees having unauthorised access to business assets, as playing a big part in how their implementation of CTI changed. This effectively expanded the attack surface of organisations, with employees leaving the confines of their organisations’ cyber protections.
- Impact of working remotely: Responses revealed that remote working helped teams be more focused and collaborative, while the use of text-based platforms helped facilitate communication between teams. Some respondents identified the loss of face-to-face conversations inhibited sharing between teams. Organisations also reported an increase in awareness of how the pandemic impacted their employees, fostering an understanding that while many enjoyed working from home, CTI analysts found it difficult to “shut down” and take breaks when the “office” is your home.
- Small to medium-sized enterprises increasingly see value in CTI:
- CTI no longer for the top 1% of organisations: 24% of respondents work in organisations with under 500 employees and 47% in companies of less than 5,000 employees across Cybersecurity, Banking & Finance, Government and Technology the leading industries.
- CTI provides relevant threat intel: When asked about the usefulness of CTI, 63% of respondents said CTI provided them with timely and relevant threat information about adversary groups in their industry and location, while 50.7% said CTI provided them with information about who the threat actors are or who performed the attach (true attribution), up 2.7% from the previous years’ survey.
- CTI Improves response capabilities: 77% said CTI improved their detection and response capabilities, 78% labelled CTI data and information as being leveraged to detect threats and attacks, with 70% using CTI in helping to block threats and 66% for supporting their incident response.
- Measuring CTI effectiveness becomes more important: 38% of respondents said they measured effectiveness, up from 4% in 2020, showing how the value of CTI functions is continuing in organisations of all sizes.
- ISACs and Government Intel sharing provides significant value:
- Community-focused intel sharing: Almost 50% of respondents said they are a part of an ISAC or other government intel sharing group since last year. Security practitioners see the value in interacting with ISACs with 48.3% of respondents saying they interact and/or their organisation is a member of one.
- Government intel sharing sees value: 61% of respondents reported they utilised government CTI, almost half of those respondents (49%) said they find this intel valuable providing insight they do not get from other open source or commercial sources.
- ISAC membership provides value: The survey revealed increases in three specific areas in intel sharing: advocacy in the community for security (50%), member meetups and events (50%), and training & conferences (47%). This shows the role of ISACs and government intel sharing has become more widespread, increasing the necessity for organisations to utilise a threat intelligence platform (TIP) like ThreatQuotient to manage and make sense of these intel feeds.
- Automation continues to free up analyst time and resources:
- Automation increases efficiency: 65% of respondents reported they were overall satisfied with the automation and integration of CTI information with detection and response systems, an increase on the 2020 survey’s 62%.
- Lack of trained personnel inhibits effective CTI implementation: The importance of automation is further compounded by the shortage in trained staff, which continues to be one of the biggest obstacles to the implementation of CTI, according to 53% of respondents.
- In-house cyber response teams increase: The trend toward hybrid-model teams over the past 5 years has shifted back, with organisations taking charge in the management of their CTI functions, with in-house teams growing 5% from 2020 to 37%, and hybrid models decreasing 5% from 2020, to 56% in 2020.
Anthony Stitt, APJC Regional Director, ThreatQuotient, comments: “The 2021 SANS Cyber Threat Intelligence survey offers strong evidence that CTI is increasing in adoption and is proving its value to a greater number of organisations of all sizes. When threat intelligence is effectively collected, integrated, automated, prioritised and shared between analysts and wider stakeholders, organisations become more agile and effective at addressing the threats they face. Now, more than ever, the uncertain cyber and physical environment and new threats emerging out of the disruption of COVID-19 pandemic mean that intelligence analysts need to share best practice data and strategies to overcome threats.”
If you would like to read the full report, you can access it here.