Threat Intelligence Strategies Suffer from Data Overload

While 86% of organizations believe threat intelligence is valuable to their security mission, many of them struggle with an overwhelming amount of threat data and a lack of staff expertise to make the most of their threat intelligence programs.

That’s according to Ponemon Institute, which found in a recent report that a full 80% of North American organizations surveyed are using threat intelligence as part of their cybersecurity program, up a healthy 15% from 2016. Also, 84% of respondents identified threat intelligence as essential, an increase of 6% from the previous year.

However, less than half (41%) of the 1,000 IT and IT security practitioners surveyed rated their organizations as highly effective in the use of threat intelligence.

Granted, that’s up from 27% of respondents in 2016, but it still shows that organizations struggle to maximize the value of the knowledge they’re collecting.

A prime culprit is threat data overload: 69% of respondents indicated that threat intelligence data is too voluminous and complex to provide actionable intelligence.

“It’s abundantly clear that organizations now understand the benefits provided by threat intelligence, but the overwhelming volume of threat data continues to pose a hurdle to truly effective adoption,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Threat intelligence programs are often challenging to implement, but when done right, they are a critical element in an organization’s security program. The significant growth in adoption over the past year is encouraging as it indicates widespread recognition of the value threat intelligence provides.”

Other respondents cited difficulty in the integration of threat intelligence platforms with other security technologies and tools (64%), and a lack of alignment between analyst activities and operational security events (52%). Additionally, 71% of organizations fail to keep more than three months of historical event logs online, posing a significant challenge in identifying existing threats within the organization.

Other top reasons for threat intelligence ineffectiveness include: Lack of staff expertise (71% of respondents); lack of ownership (52% of respondents); and lack of suitable technologies (48% of respondents).

Further, external threat-sharing remains limited. Only 50% of respondents participate in industry-centric sharing initiatives like the IT-Information Sharing & Analysis Center (ISAC), which provide benefits like industry relevant intelligence, collaboration with industry peers and networking with other security teams in the industry. Of those organizations, the majority (60%) only receive threat intelligence through ISACs but do not share it. The biggest hurdles to outbound intelligence sharing include a lack of expertise (54%) followed by fear of revealing a breach (45%).

In response to these challenges, many organizations have successfully identified a variety of resources and techniques to help maximize the effectiveness of their threat intelligence. Deploying a threat intelligence platform to help automate things was a good idea to 80% of respondents, while 65% advocated integrating SIEM with a threat intelligence platform. Also, 54% of respondents said that having a qualified threat analyst on staff was a key to unlocking threat intelligence’s potential.

“We all see the growing cybersecurity threats, with attacks routinely making the front page. Every day cyber researchers discover thousands of new threats,” said Hugh Njemanze, CEO of Anomali, which sponsored the report. “Organizations need rapid access to the latest threat intelligence to detect any malicious activity in their networks “In the face of unprecedented volumes of cyber threats, organizations must be able to quickly pinpoint active threats and mitigate them before material damage occurs. This requires a system that is able to prioritize threat data and turn it into actionable insights.”

Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit

What’s Hot on Infosecurity Magazine?