Cyber Threat Intelligence: Has to Be a Better Way

Exchanging Cyber Threat Intelligence: There Has to Be a Better Way
Sponsored by IID
Independently conducted by Ponemon Institute LLC
Publication Date: April 2014
Ponemon Institute Research Report

Part 1. Introduction

We are pleased to present the findings of Exchanging Cyber Threat Intelligence: There Has to Be a Better Way, a study sponsored by IID. The purpose of this research is to focus on how organizations can improve their ability to exchange actionable cyber intelligence within and outside the organization. We surveyed 701 IT and IT security practitioners who are familiar and involved in their company's cyber threat intelligence activities or process. Seventy-eight percent of respondents say they are users of threat intelligence. Seventy-nine percent of organizations represented in this research either fully or partially participate in an initiative or program for exchanging threat intelligence with peers and/or industry groups.

Why is the exchange of cyber threat intelligence important to organizations? In a world of increasingly stealthy and sophisticated cyber criminals it is difficult, costly and ineffective to fight online attacks alone. Having the ability to connect and share information about existing and emerging threats could improve an organization's cyber defenses. As a result of such collaboration, organizations can benefit from information that identifies patterns and trends that reveal ongoing attacks and future hazards.

Participants in the study agree with this assessment and say that the ability to share threat intelligence is important to improving their organizations' security posture as well as the nation's infrastructure. However, 71 percent of respondents say there has to be a better way to exchange threat intelligence than what exists today. According to the research presented in this report, current approaches are slow, insecure and unreliable.
The following recommendations, drawn from our survey, describe how the exchange of threat intelligence can be improved:

- Establish a trusted intermediary for the exchange of threat intelligence.
- Address liability concerns that may result from the exchange of threat intelligence among organizations.
- Speed up the process of sharing threat intelligence. Threat intelligence is considered to go stale within seconds or minutes.
- Present intelligence in a format that prioritizes threats and categorizes the threat type or attacker.
- Simplify the communication of intelligence to ensure ease and speed of use.
- Create a collaborative environment for the sharing of threat intelligence within organizations by eliminating silos and deploying technologies that streamline the dissemination of intelligence throughout the organization.
- Encourage the use of technologies to integrate shared threat intelligence into IT cyber defenses. These include UTM and next generation firewalls, followed by SIEM and other network intelligence tools.

Part 2. Key findings

In this section we provide an analysis of the key findings. The complete audited findings are presented in the appendix of this report. We have organized the results of the research according to the following themes:

- Perceptions about exchanging cyber threat intelligence
- Current state of cyber threat intelligence sharing
- How cyber threat intelligence sharing can be improved

Perceptions about the exchange of cyber threat intelligence

The exchange of cyber threat intelligence improves an organization's security posture. As shown in Figure 1, the top three reasons for participating are that it improves the security posture of the organization, improves the security posture of the nation's critical infrastructure and enhances situational awareness. At this time, respondents do not see threat information being actionable and timely as an incentive to participate (24 percent and 16 percent of respondents, respectively). As evidence of the value of exchanging threat intelligence, 61 percent of respondents say such information could have prevented their organization from experiencing a cyber attack in the past 24 months. Only 19 percent of respondents say it would not have prevented an attack and 20 percent are unsure.

Figure 1. Main reasons for participating in an initiative for exchanging threat intelligence (three choices permitted)
Improves the security posture of my organization: 71%
Improves the security posture of the nation's critical infrastructure: 64%
Improves situational awareness: 54%
Fosters collaboration among peers and industry groups: 51%
Makes threat data more actionable: 24%
Reduces the cost of detecting and preventing cyber attacks: 21%
Enhances the timeliness of threat data: 16%

Worries about potential liability and the trustworthiness of intelligence providers keep some organizations from participating. Figure 2 reveals the reasons why some organizations do not participate in the exchange of threat intelligence. Among the 21 percent of respondents whose organizations do not participate, the main reasons are no perceived benefit to their organization (65 percent), lack of trust in the sources of intelligence (53 percent) and the potential liability of sharing (50 percent).

Figure 2. Main reasons for not participating in an initiative for exchanging threat intelligence with peers and/or industry groups (three choices permitted)
No perceived benefit to my organization: 65%
Lack of trust in the sources of intelligence: 53%
Potential liability of sharing: 50%
Lack of resources: 42%
Anti-competitive concerns: 26%
Cost: 25%
Slow, manual sharing processes: 24%
Lack of incentives: 15%

Despite its perceived value by many respondents, current approaches are not satisfactory. Given the current state of cyber threat intelligence sharing, only 30 percent say they are very satisfied or satisfied with the way their organization is able to obtain threat intelligence. According to Figure 3, the primary reasons for dissatisfaction are that the information is not timely, is not categorized according to threat type or attacker and is too complicated to ensure ease and speed of use.

Figure 3. Reasons for being dissatisfied with the way threat intelligence is obtained (three choices permitted)
Information is not timely: 66%
Information is not categorized according to threat type or attacker: 50%
Information is too complicated to ensure ease and speed of use: 45%
Information does not provide enough context to make it actionable: 43%
Uncertainty about the trustworthiness of data sources: 35%
Uncertainty about the accuracy of the threat intelligence: 30%
Information does not provide a comprehensive picture of the threat: 16%
Information does not provide adequate guidance on what to do: 15%

Current state of cyber threat intelligence sharing

Who manages the exchange of cyber threat intelligence internally? Thirty-five percent of respondents say the management of threat intelligence exchange is a shared responsibility between IT and other areas of the organization. This is followed by the CISO. As shown in Figure 4, the majority of respondents say the exchange of threat intelligence is mostly centralized within IT (30 percent) or by a dedicated team (28 percent). Thirty percent say it is decentralized within the line of business or by a dedicated team.

Figure 4. How threat intelligence is exchanged within the organization
Centralized control within IT: 30%
Centralized control by a dedicated team: 28%
Decentralized control within the line of business: 21%
Centralized control within a non-IT business function: 11%
Decentralized control by a dedicated team: 9%
Other: 1%

Organizations rely on peers and security vendors for threat intelligence. Most often intelligence is shared through informal peer-to-peer exchanges or through a vendor threat exchange service. Respondents say peers in other companies (58 percent) and IT security vendors (55 percent) are the main sources of threat intelligence received by their organizations. Government officials and industry associations are not as frequently relied upon as a source (15 percent and 26 percent, respectively), as revealed in Figure 5.

Figure 5. Main sources of threat intelligence (more than one response permitted)
Peers in other companies: 58%
IT security vendors: 55%
Law enforcement: 33%
Industry associations: 26%
Government officials: 15%
Other: 2%

As shown in Figure 6, 42 percent say they mostly receive intelligence data and 36 percent say they use and provide intelligence in nearly equal proportion. Only 22 percent say they mostly provide intelligence data.

Figure 6. What best describes your organization's role in receiving and providing threat intelligence?
We mostly receive intelligence data: 42%
We use and provide in nearly equal proportion: 36%
We mostly provide intelligence data: 22%

Peers and security vendors provide the most actionable intelligence. As discussed, peer-to-peer and vendor threat exchange services are the primary sources of intelligence. Figure 7 reveals they are also considered to provide the most actionable threat intelligence. Government officials are ranked the lowest.

Figure 7. Most actionable sources of threat intelligence (average rank, 5 = most actionable to 1 = least actionable)
IT security vendors: 4.45
Peers in other companies: 4.02
Industry associations: 2.90
Law enforcement: 1.98
Government officials: 1.55

Current methods for sharing intelligence are slow, unreliable and insecure. Many organizations rely on email or phones to exchange threat intelligence. As shown in Figure 8, organizations are most likely to receive cyber intelligence through data feeds or by discussing with peer groups by phone, email or in person.

Figure 8. How is threat intelligence received by your organization? (more than one response permitted)
Data feeds: 57%
Peer group discussion via phone, email or in-person: 54%
Threat advisories: 49%
Intelligence briefs: 33%
Other: 4%

The majority of respondents say threat intelligence is disseminated internally through automated feeds to security infrastructure (54 percent of respondents), as revealed in Figure 9. Forty-seven percent say it is a manual process and 39 percent say they use automated alerts through email or text messages.

Figure 9. How is threat intelligence disseminated throughout the organization? (more than one response permitted)
Automated feed to security infrastructure: 54%
Manual distribution or process: 47%
Automated alerts through email or text messages: 39%
Ad hoc (no formal system or process in place): 32%
Automated posting to web portal: 26%

Generally, the information contained in intelligence reports includes threat indicators such as suspicious phishing or malware IP addresses, or software vulnerability patch updates, as shown in Figure 10. Information less likely to be included is incident response information and the results of investigations and prosecutions regarding cybercrimes. As evidence of their disappointment in current threat intelligence reports, only one-third of respondents say the information enables them to prioritize threats. Only 5 percent say they receive threat intelligence in real time. Most likely it is received weekly (29 percent) or on an irregular basis (26 percent).

Figure 10. Information contained in threat intelligence reports (more than one response permitted)
Threat indicators such as suspicious phishing or malware IP addresses: 55%
Software vulnerability patch updates: 48%
Incident response information: 36%
Results of cybercrime investigations and prosecutions: 22%
Other: 3%

Figure 11 reveals 34 percent of respondents say the amount of intelligence data they are receiving is increasing. However, 42 percent say it has stayed the same in the past 12 months.

Figure 11. Trends in the amount of intelligence data received over the past 12 months
Increasing: 34%
Staying the same: 42%
Decreasing: 11%
Unable to determine: 13%

Most common transport mechanisms and data formats used to exchange threat intelligence data. According to Figure 12, more than half of respondents (51 percent) say intelligence is transported by email, followed by TAXII (45 percent of respondents). Unstructured text is the most common data format (42 percent of respondents), followed by IDS signatures and IOC (Mandiant), each used by 40 percent of respondents.

Figure 12. Transport mechanisms to exchange threat intelligence data (more than one response permitted)
Email: 51%
TAXII: 45%
(S)FTP: 39%
API (custom programming): 32%
Manual submission to portal/systems: 28%
RSS: 26%
HTTPS/SSL: 23%
NMSG (protocol buffers): 22%
Rsync: 19%

How cyber threat intelligence sharing can be improved

There has to be a better way to exchange cyber threat intelligence, according to 71 percent of respondents. The majority believe current methods are cumbersome, time consuming, resource draining and usually ineffective, as shown in Figure 13. Moreover, the exchange of intelligence does not scale or provide enough reach.

Figure 13. Perceptions about the exchange of threat intelligence (strongly agree and agree responses combined; the two component values are shown in parentheses)
The exchange of threat intelligence provides benefits that outweigh cost: 54% (21% and 33%)
Methods to exchange threat intelligence are cumbersome, time consuming, resource draining and are usually ineffective: 53% (27% and 26%)
Methods to exchange threat intelligence do not scale, provide enough reach and are usually inefficient: 51% (27% and 24%)

Collaboration in the exchange of cyber intelligence needs improvement. Only about one-third of respondents say the collaboration between their organization and other companies is either very effective or effective. As shown in Figure 14, the main reasons for not being effective are silos among IT departments and functions and a lack of technologies or tools. Other barriers to more effective collaboration are concerns about trust and insufficient resources.

Figure 14. Why is the collaboration not effective? (more than one response permitted)
Silos among IT departments and functions: 68%
Lack of technologies or tools: 55%
Concerns about trust: 50%
Insufficient resources: 49%
No leadership: 29%
Other: 2%

How to improve the exchange of threat intelligence? Respondents believe solutions to improve the exchange of threat intelligence involve technology, collaboration and the elimination of silos. Sixty-seven percent of respondents approve of a real-time, machine-to-machine way to exchange intelligence, as revealed in Figure 15. Sixty-two percent say improved collaboration and the elimination of silos, such as those by industry, geography or community, would improve sharing. Fifty-eight percent would like to have in place a trusted way to exchange such intelligence. The majority of respondents are positive about the IT vendor model for exchanging threat intelligence.

Figure 15. Improving the exchange of threat intelligence (strongly agree and agree responses combined; the two component values are shown in parentheses)
Organizations need a real-time, machine-to-machine way to exchange intelligence: 67% (34% and 33%)
Current methods to exchange threat intelligence operate in a silo: 62% (23% and 39%)
Organizations need a trusted way to exchange threat intelligence: 58% (23% and 35%)
The current vendor model of threat intelligence exchange does not work: 34% (11% and 23%)

Real-time intelligence is critical. Sixty-nine percent of respondents say threat intelligence becomes stale within seconds or minutes. To be actionable, intelligence must be timely, and organizations must be able to prioritize the threats and implement the intelligence, as shown in Figure 16.

Figure 16. Features that make threat intelligence actionable (average rank, 7 = most important to 1 = least important)
Timely: 6.67
Ability to prioritize: 6.26
Ability to implement the intelligence: 5.13
Trustworthiness of the source: 4.99
Relevance to my industry: 3.44
Clear guidance on how to resolve the threat: 2.87
Sufficient context: 2.52

Current tools used to integrate threat intelligence into IT cyber defenses are not considered the most effective. Anti-virus/anti-malware solutions, human analysis and DNS firewalls are the tools most often used. However, when asked to rate their effectiveness, Figure 17 reveals that UTM and next generation firewalls, followed by SIEM and other network intelligence tools, are considered the most effective. Least effective are human analysis and anti-virus/anti-malware solutions.

Figure 17. Tools most effective in integrating threat intelligence into cyber defenses (average rank, 7 = most effective to 1 = least effective)
UTM and/or next generation firewalls: 6.14
SIEM and other network intelligence tools: 6.02
Reputation feeds to intrusion detection or prevention systems: 5.70
Big data analytics: 5.36
DNS firewall: 4.17
Anti-virus/anti-malware solutions: 3.65
Human analysis: 2.95

Trusted intermediaries involved in the sharing of threat intelligence would improve current approaches. According to Figure 18, the two best ways to exchange threat intelligence are with a trusted intermediary that shares with other organizations and with a threat intelligence exchange service. Least popular are exchanging directly with other organizations or with a government entity that shares with other organizations.

Figure 18. The best way to exchange threat intelligence
Trusted intermediary that shares with other organizations: 34%
Threat intelligence exchange service: 25%
Industry organization that distributes to others: 19%
Government entity that shares with other organizations: 9%
Directly with other organizations: 8%
No preference: 5%

Part 3. Conclusion

The exchange of cyber threat intelligence is critical to helping organizations mitigate the security threats they face. In a world of increasingly stealthy and sophisticated cyber criminals it is difficult, costly and ineffective to fight online attacks alone. Having the ability to connect and share information about existing and emerging threats could measurably improve an organization's cyber defenses.

As shown in this study, many organizations are either fully or partially participating in the exchange of cyber threat intelligence. However, there is much that needs to be done to improve collaboration and benefit from information that identifies patterns and trends that reveal ongoing attacks and future hazards. Some recommendations that emerged from the research include establishing a trusted intermediary for the exchange of threat intelligence, improving processes for the exchange of intelligence and adopting technologies that integrate intelligence with an organization's cyber defenses. These steps will help organizations realize the full potential of exchanging intelligence and encourage others to participate.

Part 4. Methods

A sampling frame of 19,915 experienced IT and IT security practitioners located in all regions of the United States was selected for this survey. To ensure knowledgeable responses, all participants in this research are familiar and involved in their company's cyber threat intelligence activities or process. Table 1 shows 808 total returns. Screening and reliability checks required the removal of 107 surveys. Our final sample consisted of 701 surveys (3.5 percent response rate).

Table 1. Sample response
Total sampling frame: 19,915 (100.0%)
Total returns: 808 (4.1%)
Rejected or screened surveys: 107 (0.5%)
Final sample: 701 (3.5%)

Pie Chart 1 reports the respondent's organizational level within participating organizations. By design, 58 percent of respondents are at or above the supervisory level.

Pie Chart 1. Current position within the organization (categories: Senior Executive, Vice President, Director, Manager, Supervisor, Technician, Staff, Contractor; the individual percentages cannot be recovered from the extracted chart)

Pie Chart 2 reports that 56 percent of respondents say their job function is located within corporate IT. Twenty percent are located within the line of business.

Pie Chart 2. Department or function that best describes where respondents are located (categories: Corporate IT 56%, Line of business 20%, Security, Risk management, General management, Legal & compliance; remaining percentages cannot be recovered from the extracted chart)

Pie Chart 3 reports the industry segments of respondents' organizations. This chart identifies financial services (20 percent) as the largest segment, followed by public sector (14 percent), health & pharmaceuticals (11 percent), and retail (9 percent).

Pie Chart 3. Industry distribution of respondents' organizations (categories: Financial services 20%, Public sector 14%, Health & pharmaceuticals 11%, Retail 9%, Services, Industrial, Technology & software, Energy & utilities, Consumer products, Communications, Hospitality, Transportation, Education & research, Entertainment & media, Other; remaining percentages cannot be recovered from the extracted chart)

As shown in Pie Chart 4, 53 percent of respondents are from organizations with a global headcount of 1,000 or more employees.

Pie Chart 4. Worldwide headcount of the organization (categories: Less than 250, 250 to 500, 501 to 1,000, 1,001 to 5,000, 5,001 to 25,000, 25,001 to 50,000, 50,001 to 75,000, More than 75,000; the individual percentages cannot be recovered from the extracted chart)

Part 5. Caveats to this study

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in February 2014.

Survey response
Total sampling frame: 19,915 (100.0%)
Total returns: 808 (4.1%)
Rejected or screened surveys: 107 (0.5%)
Final sample: 701 (3.5%)

Screening

S1. How familiar are you with threat intelligence collected and used by your company?
Very familiar: 29%
Familiar: 38%
Somewhat familiar: 33%
Not familiar (stop): 0%

S2. How are you involved in your company's cyber threat intelligence activities or process? Please select all that apply.
User of threat intelligence: 78%
Gatherer of threat intelligence: 44%
Analyzer of threat intelligence: 59%
Executive or manager in charge of threat intelligence activities: 20%
We do not use threat intelligence (stop): 0%
Total: 201%

Part 1. Questions

Q1a. Does your organization participate in an initiative or program for exchanging threat intelligence with peers and/or industry groups?
Yes, fully participate (proceed to Q1b): 32%
Yes, partially participate (proceed to Q1c): 47%
Do not participate (proceed to Q1d): 21%

Q1b. If your organization fully participates, what are the main reasons? Please select only three choices.
Improves the security posture of my organization: 71%
Improves the security posture of the nation's critical infrastructure: 64%
Reduces the cost of detecting and preventing cyber attacks: 21%
Improves situational awareness: 54%
Fosters collaboration among peers and industry groups: 51%
Enhances the timeliness of threat data: 16%
Makes threat data more actionable: 24%
Other (please specify): 0%
Total: 300%

Q1c. If your organization only partially participates in such an initiative, what are the main reasons keeping you from full participation? Please select only three choices.
Cost: 12%
Potential liability of sharing: 55%
Anti-competitive concerns: 30%
Lack of resources: 51%
Lack of incentives: 18%
No perceived benefit to my organization: 40%
Slow, manual sharing processes: 39%
Lack of trust in the sources of intelligence: 53%
Other (please specify): 2%
Total: 300%

Q1d. If your organization does not participate, what are the main reasons? Please select only three choices.
Cost: 25%
Potential liability of sharing: 50%
Anti-competitive concerns: 26%
Lack of resources: 42%
Lack of incentives: 15%
No perceived benefit to my organization: 65%
Slow, manual sharing processes: 24%
Lack of trust in the sources of intelligence: 53%
Other (please specify): 0%
Total: 300%
(Proceed to Part 2)

Q2. How does your organization exchange threat intelligence? Please select all that apply.
Through an industry group: 28%
Through a vendor threat exchange service: 53%
Informal peer-to-peer exchange of information: 57%
Total: 138%

Q3. In the past 24 months, has your organization ever suffered a cyber attack that threat intelligence could have prevented?
Yes: 61%
No: 19%
Unsure: 20%

Q4. What best describes your organization's role in receiving and providing threat intelligence?
We mostly receive intelligence data: 42%
We mostly provide intelligence data: 22%
We use and provide in nearly equal proportion: 36%

Q5a. How effective is the collaboration between your organization and other companies in the sharing of threat intelligence?
Very effective: 15%
Effective: 18%
Somewhat effective: 35%
Not effective: 32%

Q5b. Why is the collaboration not effective? Please select all that apply.
Insufficient resources: 49%
Lack of technologies or tools: 55%
Concerns about trust: 50%
No leadership: 29%
Silos among IT departments and functions: 68%
Other (please specify): 2%
Total: 253%

Q6. What are the main sources of threat intelligence received by your organization? Please select all that apply.
Peers in other companies: 58%
IT security vendors: 55%
Law enforcement: 33%
Government officials: 15%
Industry associations: 26%
Other (please specify): 2%
Total: 189%

Q7. In your opinion, which of the following sources of threat intelligence are considered the most actionable? Please rank the following list from 1 = most actionable to 5 = least actionable. (Average rank; rank order)
Peers in other companies: 1.98; 2
IT security vendors: 1.55; 1
Law enforcement: 4.02; 4
Government officials: 4.45; 5
Industry associations: 3.10; 3
Average: 3.02

Q8. Typically, how is threat intelligence received by your organization? Please select all that apply.
Data feeds: 57%
Threat advisories: 49%
Intelligence briefs: 33%
Peer group discussion via phone, email or in-person: 54%
Other (please specify): 4%
Total: 197%

Q9. Typically, what information is contained in threat intelligence reports? Please select all that apply.
Threat indicators such as suspicious phishing or malware IP addresses: 55%
Software vulnerability patch updates: 48%
Incident response information: 36%
Results of cybercrime investigations and prosecutions: 22%
Other (please specify): 3%
Total: 164%

Q10. Typically, how frequently does your organization receive threat intelligence?
Real time or near real time: 5%
Hourly: 9%
Daily: 15%
Weekly: 29%
Bi-weekly: 5%
Monthly: 11%
Other or irregular intervals: 26%

Q11. Does the information you receive enable your organization to prioritize threats?
Yes, most of the time  10%
Yes, some of the time  23%
No, rarely  46%
No, never  21%

Q12. What are the transport mechanisms currently used by your organization to exchange threat intelligence data? Please select all that apply.
HTTPS/SSL  23%
Rsync  19%
Email  51%
(S)FTP  39%
Manual submission to portal/systems  28%
API (custom programming)  32%
TAXII  45%
RSS  26%
NMSG (protocol buffers)  22%
Other  0%
Total  286%

Q13. What are the data formats currently used by your organization to exchange threat intelligence data? Please select all that apply.
CSV/TSV  24%
JSON  25%
XML  30%
Unstructured text  42%
PCAPs  18%
IDS signatures  40%
ArcSight (CEF)  19%
IODEF  32%
STIX  26%
IDMEF  34%
ARF  17%
IOC (Mandiant)  40%
CIF  12%
Other  0%
Total  359%

Q14a. How satisfied are you in the way your organization is able to obtain threat intelligence?
Very satisfied  12%
Satisfied  18%
Somewhat satisfied  31%
Not satisfied  39%

Q14b. What are the main reasons why you are not satisfied? Please select the top three.
Information is not timely  66%
Information is not categorized according to threat type or attacker  50%
Information does not provide enough context to make it actionable  43%
Information does not provide adequate guidance on what to do  15%
Uncertainty about the accuracy of the threat intelligence  30%
Uncertainty about the trustworthiness of data sources  35%
Information does not provide a comprehensive picture of the threat  16%
Information is too complicated to ensure ease and speed of use  45%
Other (please specify)  0%
Total  300%

Q15. What best describes how you disseminate threat intelligence throughout your organization? Please select all that apply.
Automated alerts through email or text messages  39%
Automated feed to security infrastructure  54%
Automated posting to web portal  26%
Manual distribution or process  47%
Ad hoc (no formal system or process in place)  32%
Other (please specify)  0%
Total  198%

Q16. What tools does your organization currently use to integrate threat intelligence into IT cyber defenses? Please select all that apply.
Human analysis  65%
DNS firewall  51%
Anti-virus/anti-malware solutions  80%
UTM and/or next generation firewalls  44%
Reputation feeds to intrusion detection or prevention systems  48%
SIEM and other network intelligence tools  39%
Big data analytics  22%
Other (please specify)  2%
Total  351%

Q17. What tools do you believe are most effective in integrating threat intelligence into your organization's cyber defenses? Please rank the following list from 1 = most effective to 7 = least effective.
(Average rank  Rank order)
Human analysis  5.05  7
DNS firewall  3.83  5
Anti-virus/anti-malware solutions  4.35  6
UTM and/or next generation firewalls  1.86  1
Reputation feeds to intrusion detection or prevention systems  2.30  3
SIEM and other network intelligence tools  1.98  2
Big data analytics  2.64  4
Average  3.14

Q18. In your opinion, what is the best way to exchange threat intelligence?
Directly with other organizations  8%
With a threat intelligence exchange service  25%
With an industry organization that distributes to others  19%
With a trusted intermediary that shares with other organizations  34%
With a government entity that shares with other organizations  9%
No preference  5%

Q19. Over the past 12 months, how many cyber attacks that eluded traditional defenses have you been able to thwart because of advance threat intelligence?
None  5%
1 to 25  13%
25 to 50  24%
51 to 100  15%
More than 100  11%
Unable to determine  32%

Q20. How would you describe the trend in the amount of intelligence data your organization has received over the past 12 months?
Increasing  34%
Decreasing  11%
Staying the same  42%
Unable to determine  13%

Q21. How important is the sharing of threat intelligence to your organization's cyber defenses? Please use the following scale from 1 = not important to 10 = essential.
1 to 2  2%
3 to 4  11%
5 to 6  24%
7 to 8  33%
9 to 10  30%
Average  7.1

Q22. How important is the reliability of the threat intelligence data exchanged with peers and/or industry groups? Please use the following scale from 1 = not important to 10 = essential.
1 to 2  2%
3 to 4  10%
5 to 6  12%
7 to 8  32%
9 to 10  44%
Average  7.6

Q23. How important is the confidentiality of threat intelligence communications? Please use the following scale from 1 = not important to 10 = essential.
1 to 2  5%
3 to 4  21%
5 to 6  30%
7 to 8  23%
9 to 10  21%
Average  6.2

Q24. How reliable is the intelligence received by your organization? Please use the following scale from 1 = unreliable to 10 = very reliable.
1 to 2  16%
3 to 4  25%
5 to 6  29%
7 to 8  21%
9 to 10  9%
Average  5.1

Q25. How actionable is the intelligence received by your organization? Please use the following scale from 1 = not actionable to 10 = very actionable.
1 to 2  21%
3 to 4  27%
5 to 6  24%
7 to 8  20%
9 to 10  8%
Average  4.8

Q26. Who is most responsible for managing the exchange of your organization's threat intelligence?
Chief information officer  17%
Chief technology officer  3%
Chief financial officer  2%
Chief information security officer  21%
Chief risk officer  5%
Line of business senior management  17%
Shared responsibility  35%
Other (please specify)  0%

Q27. Please check one statement that best describes how threat intelligence is exchanged within your organization.
Centralized control within IT  30%
Centralized control within non-IT business function  11%
Centralized control by a dedicated team  28%
Decentralized control by a dedicated team  9%
Decentralized control within the line of business  21%
Other (please specify)  1%

Q28. What features make threat intelligence actionable? Please rank the following features from 1 = most important to 7 = least important.
(Average rank  Rank order)
Timely  1.33  1
Trustworthiness of the source  3.01  4
Relevance to my industry  4.56  5
Ability to prioritize  1.74  2
Clear guidance on how to resolve the threat  5.13  6
Sufficient context  5.48  7
Ability to implement the intelligence  2.87  3
Average  3.45

Q29. In general, when does threat intelligence become stale or not fresh?
Within seconds  16%
Within minutes  53%
Within hours  13%
Within days  11%
Within weeks  5%
Within months  2%
Other (please specify)  0%

Part 2. Attributions

Please rate each of the following statements using the agreement scale.
(Strongly agree  Agree)
Q30. The exchange of threat intelligence will help secure the Internet.  19%  23%
Q31. The exchange of threat intelligence provides benefits that outweigh cost.  21%  33%
Q32. There has to be a better way to exchange threat intelligence than exists today.  33%  38%
Q33. The current vendor model of threat intelligence exchange does not work.  11%  23%
Q34. Organizations need a trusted way to exchange threat intelligence.  23%  35%
Q35. Organizations need a real-time, machine-to-machine way to exchange intelligence.  34%  33%
Q36. Current methods to exchange threat intelligence operate in a silo (such as by industry, geography or community).  23%  39%
Q37. Current methods to exchange threat intelligence are cumbersome, time consuming, resource draining and are usually ineffective.  27%  26%
Q38. Current methods to exchange threat intelligence do not scale, provide enough reach and are usually inefficient.  27%  24%

Part 3. Role and organizational characteristics

D1. What organizational level best describes your current position?
Senior Executive  2%
Vice President  1%
Director  16%
Manager  23%
Supervisor  16%
Technician  35%
Staff  5%
Contractor  2%

D2. Check the department or function that best describes where you are located in your organization.
General management  2%
Finance & accounting  0%
Legal & compliance  2%
Corporate IT  56%
Line of business  20%
Human resources  0%
Risk management  5%
Security  15%

D3. What industry best describes your organization's industry focus?
Agriculture & food service  1%
Communications  3%
Consumer products  4%
Defense & aerospace  1%
Education & research  2%
Energy & utilities  5%
Entertainment & media  2%
Financial services  20%
Health & pharmaceuticals  11%
Hospitality  3%
Industrial  7%
Public sector  14%
Retail  9%
Services  8%
Technology & software  6%
Transportation  3%
Other  1%

D4. Where are your employees located? Please choose all that apply.
United States  100%
Canada  87%
Europe  78%
Middle East & Africa  56%
Asia-Pacific  69%
Latin America (including Mexico)  65%

D5. What is the worldwide headcount of your organization?
Less than 250  11%
250 to 500  15%
501 to 1,000  21%
1,001 to 5,000  22%
5,001 to 25,000  15%
25,001 to 50,000  8%
50,001 to 75,000  3%
More than 75,000  5%
Average  12,021

Ponemon Institute: Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.