Read what 585 of your peers told SANS in the 2019 Cyber Threat Intelligence Survey


The 2019 SANS Cyber Threat Intelligence Survey is now available and includes responses from 585 security professionals across a wide variety of industries. This year’s survey focuses on how and why CTI is being used, how it is helping defenders, what data sources are being leveraged, and how data is converted into usable intelligence.

The report is full of interesting insights that reflect much of what we hear from our clients and prospects. Here are just a few key findings from the report that I wanted to highlight:

The more specific CTI is, the better. We completely agree. Generic threat data, including the signature updates delivered by the defenses you use every day and Open Source Intelligence (OSINT) sources, is valuable for protection against the “known bad” or background noise every organization faces. However, as Marc Solomon wrote in an article for SecurityWeek, you also need to consider sources that increase the level of personalization, including:

  • Geographic and industry-specific data provided by national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry.
  • Commercially available threat feeds that provide more details on adversaries, their targets and their tools, techniques and procedures (TTPs).
  • Threat data based on your supply chain and other third parties in your ecosystem, that adversaries may be actively targeting and can potentially use as stepping-stones to infiltrate your organization.

Internal threat intelligence sources are not prioritized. An often-overlooked source for threat intelligence is internal threat and event data that is spread across an organization and housed in various systems and tools. Sources like security information and event management (SIEM) systems, log management repositories and case management systems contain events and associated indicators from inside your environment. Unfortunately, these systems aren’t being fully utilized. One reason may be that they can be difficult to access because they are usually “owned” by different security teams that exist in silos – the Security Operations Center, incident response, risk management, vulnerability management, malware, network and more.

A threat intelligence platform enables integration. More than half of respondents (56%) told SANS that they use a threat intelligence platform or other intelligence service provider (53%) for integration and response. A threat intelligence platform allows you to aggregate and normalize external data on indicators, adversaries and their methods, and correlate it with events and associated indicators from inside your environment. This provides context to understand the who, what, where, when, why and how of an attack so you can focus on what is relevant, prioritize high-risk threats, and take action.
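As an illustration of the aggregate, normalize and correlate workflow described above (and of pulling in both external feeds and internal SIEM data, as the earlier findings recommend), here is a small added example in Python. It is not ThreatQ code or any vendor's schema: the two feed formats, the key=value event export, the field names and the priority score are all assumptions constructed for this post.

```python
"""Illustrative threat-intelligence correlation (added example, not vendor code).

Normalize indicators from two constructed external feeds into one record shape,
match them against constructed internal proxy events, and rank the hits so an
analyst sees who touched which indicator, when, and how much weight it carries.
Feed formats, field names and the scoring rule are assumptions for this example.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed feed 1: JSON with inconsistent casing and padding (assumed format).
FEED_JSON = json.dumps([
    {"type": "Domain", "value": "Update-Check.example ", "confidence": 80,
     "actor": "constructed-actor-A"},
    {"type": "ipv4", "value": "203.0.113.7", "confidence": 60,
     "actor": "constructed-actor-B"},
])

# Constructed feed 2: CSV from a second source that also reports the domain.
FEED_CSV = """type,indicator,score
domain,update-check.example,70
url,http://198.51.100.9/payload,90
"""

# Constructed internal events in a key=value SIEM export style (assumed format).
EVENTS = """ts=2019-02-11T09:14:02Z src_user=alice dst_host=update-check.example dst_ip=203.0.113.7
ts=2019-02-11T09:15:40Z src_user=bob dst_host=intranet.example dst_ip=10.0.0.5
ts=2019-02-11T10:02:11Z src_user=carol dst_host=UPDATE-CHECK.EXAMPLE dst_ip=203.0.113.7
"""


def normalize(ind_type, value):
    """Canonical type/value so records from different feeds compare equal."""
    return ind_type.strip().lower(), value.strip().lower()


def load_json_feed(text, source):
    """Normalize the JSON feed into the common indicator record."""
    out = []
    for rec in json.loads(text):
        t, v = normalize(rec["type"], rec["value"])
        out.append({"type": t, "value": v, "source": source,
                    "confidence": rec.get("confidence", 50),
                    "actor": rec.get("actor")})
    return out


def load_csv_feed(text, source):
    """Normalize the CSV feed into the same common record."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        t, v = normalize(row["type"], row["indicator"])
        out.append({"type": t, "value": v, "source": source,
                    "confidence": int(row["score"]), "actor": None})
    return out


def parse_events(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def correlate(indicators, events):
    """Map each indicator value that appears in internal events to its context."""
    index = defaultdict(list)
    for ind in indicators:
        index[ind["value"]].append(ind)
    hits = defaultdict(list)
    for ev in events:
        for field in ("dst_host", "dst_ip"):
            val = ev.get(field, "").lower()
            if val in index:
                hits[val].append(ev)
    return {v: {"indicators": index[v], "events": evs} for v, evs in hits.items()}


def prioritize(hits):
    """Rank hits: max feed confidence x independent sources x internal sightings.

    The rule is an assumption; the point is that corroboration across feeds and
    repeated sightings inside the environment both raise priority.
    """
    ranked = []
    for value, h in hits.items():
        sources = sorted({i["source"] for i in h["indicators"]})
        conf = max(i["confidence"] for i in h["indicators"])
        users = sorted({e["src_user"] for e in h["events"]})
        ranked.append((conf * len(sources) * len(h["events"]), value, sources, users))
    return sorted(ranked, reverse=True)


def run():
    """Aggregate both feeds, correlate with internal events, return ranked hits."""
    indicators = (load_json_feed(FEED_JSON, "vendor-feed")
                  + load_csv_feed(FEED_CSV, "isac-feed"))
    return prioritize(correlate(indicators, parse_events(EVENTS)))


if __name__ == "__main__":
    for score, value, sources, users in run():
        print(f"{score:>4}  {value:<24} sources={sources} seen_from={users}")
```

The domain reported by both feeds and contacted by two internal users comes out on top; the URL indicator that never appears in internal events is not surfaced at all, which is the filtering the paragraph above describes.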

Download the full report to read about all the key findings, get more details and see how your experience and views stack up against your peers.



About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.