Save $4 Million by Discovering a Compromise within 60 Seconds


Sponsored by Norse – a company that provides cloud-based real-time attack data – the Ponemon Institute has researched the relationship between threat intelligence and attack mitigation. The study queried more than 700 security professionals in 378 enterprises in what Dr Larry Ponemon describes as "one of the first studies that reveals the facts behind the impact that weak threat intelligence is having on organizations."

For example, the study reveals that the average spend in resolving the impact of security incidents is $10 million per annum – but if actionable intelligence had been received within 60 seconds of a compromise, that spend could have been reduced by 40% to $6 million.

The study asked a series of straightforward questions – such as how much advance warning is needed to prevent a compromise. Ten percent of respondents couldn't answer, and 9% believe they only need a warning of 1 second. Two-thirds, however, believe they can prevent a compromise given just 60 seconds' warning.

But more than half (55%) believe they receive threat intelligence too late for it to be actionable. Other problems include a high false positive rate in that intelligence (72%), and difficulty in getting threat data to key stakeholders in a timely fashion (69%).

Asked what savings could be achieved if actionable intelligence is received 60 seconds before an attack, the response ranged between nil (15%) and 76%-100% (21%). On average, the savings would be 40%.

One interesting response is that the biggest driver for security spend is legal and compliance requirements (31%). The frequency of attacks experienced (29%) comes second, with the severity of attacks experienced (26%) third. Since compliance doesn't legislate on the speed of discovery – and this report demonstrates that speed of threat intelligence is vital to preventing and mitigating compromise – it needs to be asked if compliance is actually diverting security spend away from what is potentially one of its greatest assets – real-time threat intelligence.

Compliance does not get a mention in the seven security takeaways in the report's conclusion. These range from clear intelligence reports based on pre-determined threat priorities, through integrated intelligence and SIEM technologies and rapid response to intelligence, to the use of big data analytics.
