GCP – Too many threats, too much data, say security and IT leaders. Here’s how to fix that

An overwhelming volume of threats and data combined with the shortage of skilled threat analysts has left many security and IT leaders believing that their organizations are vulnerable to cyberattacks and stuck in a reactive state.

That’s according to the new Threat Intelligence Benchmark, a commissioned study conducted by Forrester Consulting on behalf of Google Cloud, on the threat intelligence practices of more than 1,500 IT and cybersecurity leaders from eight countries and across 12 industries. 

Operationalizing threat intelligence remains a major challenge, said a majority of the survey’s respondents.  

“Rather than aiding efficiency, myriad [threat intelligence] feeds inundate security teams with data, making it hard to extract useful insights or prioritize and respond to threats. Security teams need visibility into relevant threats, AI-powered correlation at scale, and skilled defenders to use actionable insights, enabling a shift from a reactive to a proactive security posture,” said the study.

Organizations today face a multifaceted, compound problem: They have too few analysts who can effectively interpret and act on threat intelligence, who are facing too many data feeds supplying that raw intelligence. This has led many security and IT leaders to worry that they are missing critical needles in the haystack, ultimately making it harder to take action against legitimate cyberattacks.

We believe the key is to embed threat intelligence directly into security workflows and tools, so it can be accessed and analyzed quickly and effectively. AI has a vital role in this integration, helping to synthesize the raw data, manage repetitive tasks, and reduce toil to free human analysts to focus their efforts on critical decision-making.

Key takeaways from the survey

• Organizations value threat intelligence: More than 80% of organizations already use threat intelligence or are planning to across eight major use-cases.

• Improving threat intelligence capabilities is challenging: Too many feeds (61%), too few analysts (60%), hard to derive clear action from threat intelligence data (59%), and difficulty determining which threats are valid (59%) were cited as the top challenges to actioning threat intelligence. All told, 82% are concerned about missing threats due to the volume of alerts and data.

• Organizational blind spots: 80% of respondents said their senior leadership team underestimates threats to the organization, and 66% state that they struggle to share threat intelligence with relevant teams. 

• Stuck in reactive mode: Too much data leaves security teams struggling to prioritize threats, creating significant security gaps. As a result, 86% of respondents said that their organization needs to improve its understanding of the threat landscape, 85% of respondents say that their organization could focus more time and energy on emerging critical threats, and 72% of respondents said they are mostly reactive to threats.   

• Helping defenders with AI: 86% of respondents agreed that they “must” use AI to improve their ability to operationalize threat intelligence. When asked about the benefits of using AI in threat intelligence, improving efficiency by generating easy-to-read summaries was cited most frequently (69%).

The Threat Intelligence Benchmark study underscores how complex the problem is, but we also see a path forward for even under-resourced organizations to get the most out of their threat intelligence. Through our engagements with customers and the broader threat intelligence community, we’ve developed suggestions on how organizations can maximize the resources they’ve already dedicated to threat intelligence.

How to operationalize threat intelligence more effectively

At Google Cloud, we’re strong advocates for security and IT leaders to integrate threat intelligence into their security environments as part of a comprehensive layered defense. The raw data of threat intelligence can be used to prevent, detect, and respond to attacks — as well as to inform broader strategic decision-making across the organization. 

Here are four tactical steps to help you get started.

Step 1: Identify high-stakes intelligence needs

Security teams should use threat intelligence as a strategic tool to focus on the threats that are most relevant to their organization. It can be crucial in shaping the organization’s cyber threat profile (a structured way to identify, analyze, and prioritize potential cyber threats,) and help to better protect against the threats that matter most.

1. Define your crown jewels: Identify your most critical assets, data, and business functions, and calculate the impact if they’re compromised. This directly informs your Priority Intelligence Requirements (PIR).

2. Know your adversaries: Pinpoint the threat actors most likely to target your IT environment and the industry that your organization operates in. Study their common tactics, techniques, and procedures (TTPs). Focus on intelligence related to these groups and their methods of intrusion.

3. Establish a feedback loop: Regularly ask your incident response (IR) and security operations center (SOC) teams about the threat intelligence that could have helped them prevent, detect, and respond faster to recent incidents. Their answers can be used to refine PIRs.

4. Understand how security enables the organization: Developing robust threat intelligence analysis is all about supporting smarter, faster decisions. Security should be a close partner to leadership and other teams, focused on enabling the organization to achieve its goals while minimizing risk. 

Step 2: Build a tactical threat intelligence pipeline

In cybersecurity, efficiency is key. The goal is to get threat intelligence from source to action as quickly as possible.

• Centralized aggregation: Implement a Threat Intelligence Platform (TIP) and use existing security information and event management (SIEM) capabilities to ingest, normalize, and de-duplicate threat intelligence from all sources (OSINT, commercial feeds, ISACs, dark web monitoring).

• Automated enrichment: Automatically enrich incoming indicators (IPs, domains, hashes) with context such as geolocation, reputation scores, and associated threat actors. Tools should do the heavy lifting.

• Prioritization engine: Instead of letting analysts manually triage thousands of alerts, develop rules in your TIP and SIEM to automatically score and prioritize intelligence based on its relevance to PIRs and its severity.

• Direct integration with controls: Push relevant, high-fidelity indicators and detection rules directly to firewalls and proxies, endpoint and extended detection and response (EDR and XDR), Intrusion detection and prevention systems (IDS and IPS), and SIEM systems.

Step 3: Empower security teams

Two important ways that IT and security professionals can feel that the threat intelligence they’re using is helpful are freeing analysts from toil, and focusing on training and tooling.

• Analyst focus: Free up your SOC and IR analysts from data ingestion and basic correlation. Their time is better spent on proactive threat hunting, contextualizing alerts, developing custom detections, and augmenting incident response.

• Training and expertise: 79% of survey respondents said that external threat intelligence providers should help “uplevel junior staff or embed a threat intelligence (CTI) analyst” into their team. Give analysts focused training on shifting to a more intelligence-led approach  and providing threat intel expertise tailored to your organization.

Step 4: Measure and adapt continuously

Threat intelligence operationalization is an ongoing cycle, not a one-time project.

• Key metrics: Track these key threat intelligence metrics and ask the following questions for each:

• Mean time to detect (MTTD) and mean time to respond (MTTR) reduction: Does threat intelligence help us detect and respond to threats faster?

• Alert fidelity: Are we seeing fewer false positives due to better-contextualized alerts from threat intelligence?

• Blocked threats: How many threats were proactively blocked by systems fed with threat intelligence?

• Hunting success: How many new threats were identified through intelligence-led hunting?

How Google Threat Intelligence can help

Despite concerns about data overload, 80% of survey respondents said that threat intelligence providers should offer information sources that are both broad and deep. Security teams should feel confident that they have a holistic view of available intelligence. 

Augmented by advanced AI, Google Threat Intelligence provides unparalleled visibility into threats, enabling us to deliver detailed and timely threat intelligence to security teams around the world. It combines Mandiant frontline expertise, the global reach of the VirusTotal community, and the breadth of visibility only Google can deliver. 

Our Advanced Intelligence Access (AIA) and Essential Intelligence Access (EIA) programs provide organizations with access to embedded and targeted intelligence experts, as well as early access to threat data. Mandiant Academy offers training courses for security professionals, including many focused on how to best consume and apply threat intelligence to improve tactical defenses and overall security posture.

To learn more about the state of threat intelligence and how your organization can use threat intelligence more effectively, you can download Threat Intelligence Benchmark: Stop Reacting; Start Anticipating here.