Threat Intelligence data overloading security teams

Threat intelligence vendor Anomali says too much data is overwhelming security teams. This claim is based on a Ponemon Institute report entitled: “The Value of Threat Intelligence: A Study of North American and United Kingdom Companies.” The report can be downloaded here (registration required).

Hugh Njemanze, CEO, Anomali

The number of security teams who are struggling to deal with threat intelligence data is worrying. It is not all bad news. Almost 80% believe that threat intelligence is valuable and helps their security posture. Unfortunately more than 70% report that they are swamped by the volume of cyber threat data they have. This is making it impossible for them to identify threats and act upon them in a timely fashion.

According to Hugh Njemanze, CEO, Anomali: “Too much data that is not delivered in the right way can be just as bad as not enough. This is the situation that many companies find themselves in. We call it threat overload. The number of threat indicators is skyrocketing and organizations simply cannot cope with the volume of threat intelligence data coming their way. It’s clear that what businesses need is a system that pinpoints the threats they must take notice of and that gives them actionable and relevant insights.”

What does Anomali see as the main problems?

Anomali calls out three main causes of the problem from the Ponemon Institute report. These are:

  1. Lack of staff expertise (69%): Much of the focus on cyber security staff shortages has been around security skills especially coding. There has been little focus on forensic skills and even less on the need for better analytic skills. The latter is something that most companies could begin to resolve.
  2. Lack of ownership (58%): This is a real surprise. Threat intelligence is part of the IT security function and under the control of the Chief Information Security Officer (CISO). This assumes that every company has a CISO. If they don’t, the problem is who does own it? The corporate security, risk or IT departments are all possibilities. The business data from which threat intelligence is derived belongs to the organisation; using one to create the other should not create confusion over who owns the result.
  3. Lack of suitable technologies (52%): There are plenty of vendors offering threat intelligence solutions. Many of these are built on pre-existing analytic tools. They are not necessarily capable of importing the wide range of data formats and then analysing that data. One big weakness is the inability to do analytics in real-time and at the edge of the network.
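To make the "threat overload" point concrete, here is an added example (not from the report, from Anomali, or from this article) of the kind of triage step a security team needs between raw feeds and an analyst: it imports indicators from two differently formatted feeds, merges duplicates, scores each indicator by how many feeds corroborate it and how recently it was seen, and surfaces only the ones that also appear in local telemetry. The feed contents, field names and the proxy log lines are all constructed for the example and use documentation-range addresses.

```python
import csv, io, json
from datetime import datetime

# Constructed sample feeds (not real indicators): the same IP appears in both.
CSV_FEED = """indicator,type,last_seen,source
198.51.100.23,ipv4,2016-10-31T09:00:00Z,feed-a
malicious.example,domain,2016-10-01T00:00:00Z,feed-a
"""
JSON_FEED = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "seen": "2016-11-01T12:00:00Z", "src": "feed-b"},
    {"value": "203.0.113.7", "kind": "ipv4", "seen": "2016-09-01T00:00:00Z", "src": "feed-b"}])
# Constructed local telemetry: outbound connections taken from a proxy log.
LOCAL_LOG = ["2016-11-02 10:15:01 CONNECT 198.51.100.23:443 host=ws-17",
             "2016-11-02 10:16:44 CONNECT 192.0.2.10:80 host=ws-03"]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_csv_feed(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], row["type"], row["last_seen"], row["source"]

def parse_json_feed(text):
    for rec in json.loads(text):
        yield rec["value"], rec["kind"], rec["seen"], rec["src"]

def merge_indicators(feeds):
    """One table keyed on indicator value: all corroborating sources, latest sighting."""
    merged = {}
    for feed in feeds:
        for value, kind, seen, src in feed:
            ts = parse_ts(seen)
            entry = merged.setdefault(value, {"type": kind, "sources": set(), "last_seen": ts})
            entry["sources"].add(src)
            entry["last_seen"] = max(entry["last_seen"], ts)
    return merged

def score(entry, now, max_age_days=30):
    """More corroborating feeds and a fresher sighting score higher; stale items score 0."""
    age = (now - entry["last_seen"]).days
    return 0 if age > max_age_days else len(entry["sources"]) * (max_age_days - age) / max_age_days

def triage(now_iso, local_log=LOCAL_LOG):
    """Fresh indicators that were actually observed locally, best-scored first."""
    now = parse_ts(now_iso)
    merged = merge_indicators([parse_csv_feed(CSV_FEED), parse_json_feed(JSON_FEED)])
    # Naive substring match against the log is enough for this sample; a real
    # pipeline would match on parsed fields (destination IP, host, URL).
    hits = [(round(score(e, now), 2), v, sorted(e["sources"])) for v, e in merged.items()
            if any(v in line for line in local_log)]
    return sorted((h for h in hits if h[0] > 0), reverse=True)
```

Of the three indicators across the two feeds, only the doubly reported, recently seen address that also shows up in the proxy log survives triage; the stale domain and the never-seen address are dropped before an analyst looks at them.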

What can be done to improve this?

There is a disconnect between staff training and the courses on offer. The last five years have seen a lot of big data and analytic courses appear. Some of these, such as the courses developed by Dr Mark Whitehorn at Dundee University are postgraduate and have been very successful. There is now a need for new courses aimed at teaching data analysts and scientists how to work with cyber threat data. This could happen as a result of yesterday’s big cyber security announcement from the UK Government.

It is worrying that the report highlights problems with organisations disseminating threat data properly. This is a process issue and one that can be readily solved. One reason why this lack of ownership occurs is weak leadership in the cyber security function, often created by a lack of support from the C-Suite. There is now a better understanding of cyber security risks, and many organisations are beginning to realise the need for C-Suite buy-in. This has to be matched by the power to change systems and processes. Involving the audit teams is also something that will help to improve this.

Real-time analytics and in-memory analytics solutions are becoming mainstream. The excuse of a lack of processing power has gone away with the emergence of cloud-based analytics. Where there is a need to do more is in the edge analytics. Deploying applications to the new generation of accelerators on network cards is a solution. This is something that vendors like Mellanox are working on. It will certainly improve the speed of detection and response to cyber threats.


It has taken a lot of work to make companies take threat intelligence seriously. Many are now moving away from the point solutions that only dealt with known attacks. The use of threat intelligence allows companies to be proactive and spot the signs of an attack earlier. This is where companies want to be but they need the right staff, tools and leadership to get there.

