As the IT industry works with federal lawmakers to respond to a spate of sophisticated attacks against the U.S., a report from the Ponemon Institute shows nearly 80% of security professionals consider threat data essential to maintaining a strong cybersecurity posture.
More than 70% of security professionals said threat data helps generate unique data to improve security, while 63% said the data helps block potential threats, according to the report, which surveyed 1,025 security professionals in the U.S. and U.K. However, 56% of respondents said threat data is often too voluminous and complex to offer timely and actionable intelligence.
Each organization surveyed by Ponemon faced an average of 28 cyberattacks over the last two years. About 38% of the attacks were not stopped because the organizations lacked timely and actionable intelligence.
The report follows two historic nation-state attacks, including the SolarWinds attack that impacted thousands of U.S. companies and at least nine federal agencies in 2020 and the subsequent attack on Microsoft Exchange Server.
Top industry executives from Microsoft, SolarWinds, FireEye and other firms have been working with lawmakers, following high-profile Congressional hearings, on how the IT and cybersecurity industry can help facilitate more intelligence sharing and public-private collaboration in order to mitigate the next nation-state level attack against the U.S.
The report confirmed that while threat intelligence often enhances the ability to detect potential incidents, many threat feeds are far too voluminous to create timely and actionable intelligence, according to Michael Kaczmarek, vice president of security product management at Neustar, which sponsored the study.
"For intelligence to be of value, it has to be either contextual, actionable or both," he said. "It has to be relevant to the need and to the organization."
Intelligence sharing currently takes place within various cybersecurity organizations called Information Sharing and Analysis Centers, including the Financial Service Information Sharing and Analysis Center [FS-ISAC], the Media + Entertainment ISAC [ME-ISAC] and others.
However the SolarWinds hearings uncovered a lack of information sharing that critics say was not immediately conveyed to other companies in the industry, who later found out they had been impacted by SolarWinds threat actors.
"If you're looking at threat feeds you get a ton of noise," said Bob Maley, chief security officer at Black Kite. "Understanding what signal inside that noise deserves your attention . . . that's the challenging part."
One of the goals of the intelligence sharing effort is to get information to companies before they've been compromised.
"There is little debate that verified, quality threat intelligence is extremely powerful in real time and retrospective analysis," Charles Herring, co-founder and CTO at WitFoo said via email. "The problem is you have to go over a lot of string to find these pearls."
Many vendors fear legal and brand damage if they share information in real time, Herring said, and further concerns about law enforcement subpoenas that would compel additional data sharing that could open up further legal risk.