Learn What 1,000 of Your Peers are Saying About Cyber Threat Intelligence
POSTED BY LIZ BUSH
The SANS 2020 Cyber Threat Intelligence (CTI) Survey is now available and includes responses from a record 1,006 security professionals. More organizations than ever report they have CTI programs in place – quite an evolution from a handful of years ago, when CTI was conducted on an ad hoc basis.
Now that CTI has matured into a standalone program with its own staff, tools and processes, this year the SANS survey asked specific questions about how organizations are setting up their CTI program for success and measuring effectiveness. Here are just three of the key takeaways:
- Organizations are defining and documenting intelligence requirements up front to ensure they are focusing on the right intelligence, which now includes not only external threat feeds and vendor-provided threat intelligence but also data from internal tools and teams.
- They use automation selectively, primarily where tasks are truly administrative and repetitious.
- Collaboration across internal teams, as well as with service provider partners and information-sharing groups, is critical to ensure a coordinated effort.
When you use ThreatQ as a threat intelligence platform, you can support each of these key enablers to successful CTI programs. Here’s how.
The right intelligence. The ThreatQ platform Threat Library allows you to aggregate external threat data from the multiple sources you subscribe to – commercial, open source, government, information-sharing groups and existing security vendors – and translate it into a usable format. It also provides the ability to augment and enrich that global threat data with internal threat and event data, for example from your SIEM system, log management repository and case management systems. With an understanding of the who, what, where, when, why and how of an attack, you gain the context needed for automatic scoring and prioritization of threat intelligence. By removing the noise and reducing the risk of false positives, users can focus on the data that really matters to their organization.
Automation. ThreatQ supports automation when and where you need it, handling time-intensive, manual tasks so expert analysts can focus on high-value, analytical activities. ThreatQ uses automation to optimize data aggregation and normalization. It also accelerates threat intelligence scoring and prioritization. Once analysts set up the scoring parameters based on their organization’s risk profile, ThreatQ automatically scores and prioritizes threat intelligence and reprioritizes as new data and learnings are added to the platform. These are tasks that can take two to three additional security analysts to do manually. ThreatQ can also immediately and automatically update your sensor grid with the right intelligence, freeing up an additional one or two full-time employees.
Collaboration. Because the Threat Library contains all your global threat data, augmented and enriched with context from internal threat and event data, individual team members and different security teams can access the intelligence they need to do their jobs as part of their workflow. Additionally, ThreatQuotient offers ThreatQ Investigations, a virtual, cybersecurity situation room that fuses together threat data, evidence and analysts so that all team members involved in an investigation can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. This allows them to detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related. Security team managers can see the analysis unfolding, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results. Embedding collaboration into the investigation process ensures that teams work together efficiently to take the right actions faster to more effectively mitigate risk. Organizations can also collaborate with service providers via the ThreatQ platform, from gaining assistance with turning data into actionable threat intelligence and integrating it into your infrastructure and operations, to support with risk assessments, threat hunting and incident response.
It’s exciting to see a record number of respondents to the SANS CTI survey this year and gain a broader perspective on the state of CTI programs.
How does your organization stack up?
Download your complimentary copy of the 2020 SANS CTI Survey for additional key learnings and details.