Home Articles The Struggle with Threat Intelligence

The Struggle with Threat Intelligence

by Kevin Swan

Driven by a vast majority of security professionals who consider cyber threat intelligence a valuable resource in finding and dealing with security threats, the adoption of threat intelligence services and capabilities continues to take off.

Yet, security analysts continue to slowly adopt the technology needed to make better use of threat data. In fact, “taking advantage of cyber threat intelligence” represented one of the top security challenges for nearly 30% of respondents according to the 2021 State of Security Operations Report published by CyberRes.

Source: 2021 State of Security Operations Report


Threat Intelligence Today

Almost every security professional considers threat intelligence to be valuable. A recent report by Dark Reading found that 94% of respondents—44% strongly agree and 50% somewhat agree —considered that threat intelligence services and feeds “will help their company get ready for and repulse malware attacks.” No respondent strongly disagreed with the statement.

Beyond those general sentiments, however, companies continue to have extremely varied approaches. The largest share of firms (40%) review their cyber threat intelligence needs on only an ad-hoc basis, while 16% conduct such reviews yearly, and 25% conduct reviews at least monthly, according to the SANS 2022 Cyber Threat Intelligence Survey.

Cyberthreat intelligence platforms are not yet among the top 3 tools used by Cyber threat intelligence (CTI) teams, according to the CyberRes report. Less than 60% of firms have a threat intelligence platform in place, behind other tools such as security information and event management (SIEM), security log management, and security orchestration, automation, and response (SOAR).

In fact, security analysts seem wary of threat intelligence platforms. Most still use spreadsheets and e-mail as their main tools for processing and managing threat data, according to the SANS report.

“[R]espondents reported emailed documents as the most common way they disseminate CTI, followed by reports,” the report stated. “Both of these indicate a narrative form of threat intelligence dissemination rather than just technical pieces of information such as IP addresses and domains.” More than half of practitioners used a homegrown approach to CTI analysis and reporting.


A Starting Point

CyberRes Galaxy was created to be used as a starting point for companies who want relevant and customized threat intelligence. Security professionals always have more work to do than time and resources allow, and Galaxy offers the tools to help. With Galaxy Online, users can see threats that have significance to the region or industry they are part of, so they can implement their protections accordingly. With CyberRes Galaxy Threat Acceleration Program Plus (GTAP+), ArcSight users can stop breaches before they occur by implementing a threat intelligence feed that’s always on, and always up to date.



Overall, the landscape of threat intelligence is wide open, allowing companies with the expertise to develop their own in-house fusion of data and tools, but also allowing less mature firms to subscribe to threat-intelligence brokering services. Even though the adoption of threat intelligence feeds has increased over the years, implementing threat intelligence remains a struggle. Security managers need to assess their current resources to make sure they’re extracting the full value of their intelligence, without putting undue stress on an overworked security team.


Connect with us

Join our Community. Have technical questions about Security Operations? Visit the ArcSight User Discussion Forum. Keep up with the latest Tips & Info about Security Operations. Do you have an Idea or Product Enhancement Request about ArcSight? Submit it in the Idea Exchange. We’d love to hear your thoughts on this blog. Log in or register to comment below.

You may also like

Leave a Comment