While 84 percent of organizations consider threat intelligence “essential to a strong security posture,” entities admit that the large amount of threat data and a lack of staff expertise lower their threat program effectiveness, according to a recent Anomali and Ponemon study.
Over 1,000 IT and security practitioners were surveyed, working in various industries such as financial, industrial/manufacturing, and health and pharmaceutical.
"It's abundantly clear that organizations now understand the benefits provided by threat intelligence, but the overwhelming volume of threat data continues to pose a hurdle to truly effective adoption," Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. "Threat intelligence programs are often challenging to implement, but when done right, they are a critical element in an organization's security program."
"The significant growth in adoption over the past year is encouraging as it indicates widespread recognition of the value threat intelligence provides."
The survey also found that 80 percent of North American organizations currently use threat intelligence as part of their cybersecurity program, an increase from the reported 65 percent in 2016.
However, organizations struggle with making the most of their threat intelligence programs. Sixty-nine percent of respondents said threat intelligence is often too voluminous and/or complex to provide actionable intelligence.
Difficulty in the integration of a threat intelligence platform with other security technologies and tools was cited by 64 percent of those surveyed, while just over half – 52 percent – said a lack of alignment between analyst activities and operational security events was the top issue.
A lack of staff expertise, a lack of ownership, and a lack of suitable technologies were also listed as top reasons for threat intelligence ineffectiveness.
Even so, the survey showed that organizations are more effective in using data than they were the previous year. Forty-one percent of respondents in 2017 rated their organizations as highly effective, an increase from the 27 percent of respondents who felt the same in 2016.
Information sharing will also be critical to improving threat intelligence programs, according to the survey.
Sixty-two percent of respondents report that their organizations share intelligence, with 43 percent saying they share with trusted peer groups (through a platform, email list, etc.).
Seventy percent of those surveyed said their entity either participates in some way with ISAC/ISAO or plans to. However, only 20 percent of respondents said their organizations do both outbound sharing and inbound ingestion of shared intelligence.
Thirty percent of respondents reported only ingesting shared intelligence and said they do not do outbound sharing, with 21 percent planning to join an industry-specific sharing community.
Information sharing can be especially beneficial in the healthcare industry, and has been lauded by stakeholders as an important way for organizations to improve their cybersecurity measures.
Healthcare information sharing can involve data on insider threat incidents and cyber threat incidents, including incidents stemming from a cyber attack, HIMSS Director of Privacy and Security Lee Kim, JD, CISSP, CIPP/US, FHIMSS, wrote in a July 2017 blog post.
“Information sharing is useful for all types of incidents and threats,” Kim wrote. “Whether there is a threat of something actually occurring or an incident has actually occurred, both threats and incidents have indicators to help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat).”
OCR has also stressed the need for better collaboration and information sharing for stronger healthcare cybersecurity.
The government, private sector, and international network defense communities all need to work together to combat the increasing number of healthcare cybersecurity threats, OCR wrote in its February Cybersecurity Newsletter.
For example, the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) could be a critical asset for healthcare as it operates “at the intersection of government, private sector, and international network defense communities.”
Covered entities and business associates should monitor the United States Computer Emergency Readiness Team (US-CERT) website for any cybersecurity reports or vulnerabilities.
“Covered entities and business associates can leverage this information as part of their Security Management Process under HIPAA (see 45 CFR § 164.308(a)(1)) to help ensure the confidentiality, integrity and availability of electronic protected health information,” OCR said.