How businesses interpret and use threat intelligence
A new IDC study of 300 large UK companies found that:
- 96% of UK firms already use threat intelligence products and services; all of those surveyed intend to do so within the next 24 months
- Faster attack detection and response (55%), better understanding of threats and attacks (43%), and finding new or unknown threats (42%) were the main benefits identified
- Major challenges include performance and response times (75%), training and expertise (59%), and the costs of tools, maintenance and personnel (52%).
Analytics-based issues are also regarded as a significant hurdle. Correlating events (49%) and reducing false positives and false negatives (36%) scored surprisingly high. Two thirds of organisations (66%) plan to invest in Big Data analytics engines, but only a quarter are ready to invest in third-party intelligence products or services.
“Threat intelligence is not simply information,” states Duncan Brown, Research Director, IDC. “It is a service delivering a collated and correlated range of data feeds and sources to provide actionable advice to security operations. Getting this holistic view of security beyond IT is critical to understanding the full context of threat information, but our study suggests firms are taking a somewhat traditional view of intelligence that discounts more innovative developments.”
Only a minority of those surveyed by IDC believe that threat intelligence includes intrusion monitoring (33%), or the sharing of information within the security community (35%). An even smaller group includes analytics based either on behaviour (6%) or on correlation of security data (6%). Just 3% believe cloud-based intelligence sharing is part of threat intelligence.
Crucially, although many organisations collect a substantial amount of information across their IT security infrastructure, they are failing to integrate this with their threat intelligence platform:
- Fewer than 60% of respondents integrate data from their firewall or UTM devices
- Just under half (47%) of the 86% of organisations using an MDM to manage mobile devices integrate data from their system with their threat intelligence platform
- Only 34% of firms correlate external data such as threats or attacks on peer companies with their threat intelligence platform.
IDC’s study was conducted between September and October 2015. IDC interviewed 300 heads of IT and security at UK-based organisations with at least 500 employees across a broad range of industries including: technology, media and telecoms; financial services; professional services; manufacturing and construction; transport, travel and leisure; and retail.