In the last several years, we’ve seen a disturbing trend—attackers are innovating much faster than defenders are. We’ve seen the “commercialization” of malware, with attack kits available on underground forums for anyone who wants to perpetrate a variety of attacks. Large botnets are available for rent, allowing attackers to send spam or launch DDoS attacks at will. Many attackers reuse malware and command and control protocols and methods, adapting their “products” over time to keep ahead of the antimalware industry and security professionals. As more and more attacks occur, however, the likelihood increases that some organization or group has seen the attack before.

The idea behind cyberthreat intelligence (CTI) is to enable organizations to recognize and act upon indicators of attack and compromise in a timely manner. Bits of information about individual attacks abound; what CTI adds is the ability to recognize indicators as an attack progresses and to put those pieces together with shared knowledge about attacker methods and processes.

The SANS survey on Analytics and Intelligence published in October 2014 [1] found a lot of confusion around what threat intelligence is and how it is delivered and consumed. So, in an attempt to define CTI and best practices for using it, SANS conducted a new survey on the state of cyberthreat intelligence policies and practices, and on whether CTI has improved organizations’ ability to detect and respond to attacks faster.

In this new survey, taken by 326 qualified respondents, 69% of respondents report implementing CTI to some extent, with only 16% saying they have no plans to pursue CTI in their environments. The commitment to working with CTI is evident, with 64% reporting they have a dedicated team, person or services organization assigned to implement and monitor intelligence.

The survey shows respondent organizations are relying on multiple data feeds for aggregation and analysis that they’d like to consolidate in the next 12 months. The most common elements of CTI that have been achieved by organizations include raw, unfiltered data feeds with CTI information, tools to visualize and analyze CTI, and a wide variety of accurate and aggregated data integrated into the environment. Those who’ve adopted CTI report improvements in the following areas:

  • Ability to see attacks in context
  • Accuracy of detection and response
  • Faster detection and response

They are accepting and consolidating feeds through their security information and event management (SIEM) and intrusion monitoring platforms, while relying on CTI feeds from a variety of sources, including the security community and vendor-driven feeds from the various tools they are using to secure their networks, systems and data. Respondents point to strong planning (selected by 57%), leveraging internal systems and intelligence (45%), and defining gaps and workarounds (43%) as key best practices contributing to successful CTI implementations. These best practices, along with adoption trends and definitions, are discussed in this paper.
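As an added example (not part of the SANS paper or its survey data), the following Python sketch shows the feed-consolidation and matching step the paragraph describes: two constructed feeds in different formats are normalized and merged, matched against constructed log lines of the kind a SIEM would hold, and the hits grouped per host so an analyst sees the attack in context rather than as isolated alerts. Every feed entry, indicator value and log line here is constructed, and the field names and formats are assumptions, not any vendor's schema.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Two constructed feeds in different formats (values are documentation ranges, not real indicators).
FEED_CSV = """type,value,source
domain,Evil-Updates[.]example,community-list
ipv4,203.0.113.45,vendor-ids
md5,44d88612fea8a8f36de82e1278abb02f,community-list
"""

FEED_JSON = json.dumps([
    {"kind": "domain", "indicator": "evil-updates.example", "feed": "vendor-ids"},
    {"kind": "ip", "indicator": "198.51.100.7", "feed": "vendor-ids"},
    {"kind": "url", "indicator": "hxxp://evil-updates.example/stage2", "feed": "community-list"},
])

# Constructed log lines in a loose key=value shape (DNS, proxy and AV events).
LOGS = [
    "2023-01-10T09:14:02 host=ws-17 dns query=evil-updates.example answer=203.0.113.45",
    "2023-01-10T09:14:05 host=ws-17 proxy url=http://evil-updates.example/stage2 status=200",
    "2023-01-10T09:20:11 host=ws-03 dns query=cdn.good.example answer=192.0.2.10",
    "2023-01-10T09:31:44 host=ws-17 av md5=44d88612fea8a8f36de82e1278abb02f action=quarantine",
]

# Feeds disagree on type names; map them onto one vocabulary (assumed aliases).
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain", "url": "url", "md5": "md5"}


def refang(value):
    """Undo the 'defanging' feeds use so indicators are not clickable, and canonicalize case."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def normalize(ioc_type, value, source):
    return (TYPE_ALIASES[ioc_type.lower()], refang(value), source)


def parse_csv_feed(text):
    return [normalize(r["type"], r["value"], r["source"]) for r in csv.DictReader(io.StringIO(text))]


def parse_json_feed(text):
    return [normalize(r["kind"], r["indicator"], r["feed"]) for r in json.loads(text)]


def consolidate(*feeds):
    """Merge feeds into {(type, value): set(sources)}: duplicates collapse, provenance is kept."""
    merged = defaultdict(set)
    for feed in feeds:
        for ioc_type, value, source in feed:
            merged[(ioc_type, value)].add(source)
    return dict(merged)


# Tokens that can carry an indicator: domains, IPs, URLs, hashes (no '=' so keys are skipped).
TOKEN = re.compile(r"[a-z0-9][a-z0-9.\-:/]*")


def match_logs(iocs, logs):
    """Return one hit (host, type, value, sources) for every consolidated indicator seen in a line."""
    by_value = defaultdict(list)
    for (ioc_type, value), sources in iocs.items():
        by_value[value].append((ioc_type, sorted(sources)))
    hits = []
    for line in logs:
        host = re.search(r"host=(\S+)", line).group(1)
        for token in TOKEN.findall(line.lower()):
            for ioc_type, sources in by_value.get(token, []):
                hits.append((host, ioc_type, token, sources))
    return hits


def context_by_host(hits):
    """Group hits per host: distinct indicators, indicator types, and which feeds corroborate them."""
    ctx = defaultdict(lambda: {"indicators": set(), "types": set(), "sources": set()})
    for host, ioc_type, value, sources in hits:
        ctx[host]["indicators"].add(value)
        ctx[host]["types"].add(ioc_type)
        ctx[host]["sources"].update(sources)
    return dict(ctx)


if __name__ == "__main__":
    iocs = consolidate(parse_csv_feed(FEED_CSV), parse_json_feed(FEED_JSON))
    for host, info in context_by_host(match_logs(iocs, LOGS)).items():
        print(host, sorted(info["types"]), "corroborated by", sorted(info["sources"]))
```

Run stand-alone, the script reports that ws-17 touched a domain, an IP, a URL and a file hash from two independent feeds within minutes, which is the "attack in context" the survey respondents describe, while ws-03 produces no hit at all. The consolidation step is what makes the domain entry present in both feeds count once but carry both sources.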