Threat Intelligence Needed Quickly or Not at All, Ponemon Study Finds

Companies can prevent 40 percent of their losses if they use information on the current threats, but the value of the intelligence fades quickly.

Fresh information on the latest online threats can enable companies to respond more quickly to attacks and prevent compromises, but the intelligence grows stale quickly and becomes less useful within 4 to 12 minutes, according to a recent survey of security professionals.

The survey, conducted by the Ponemon Institute and funded by threat-intelligence provider Norse, found that 57 percent of the polled security professionals believe that the information on threats provided to their companies is too old to be useful, leading to $10 million in annual costs to mitigate exploits of their network. However, if data on threats is received within 60 seconds of a compromise, companies can save, on average, $4 million, the Ponemon study found.

"Whether intelligence is actionable is inextricably linked to time," Larry Ponemon, chairman of the Ponemon Institute, told eWEEK. "The make-or-break point—when you start to lose value—is measured in minutes, not in days or weeks."

The security industry has increasingly focused on gathering intelligence on the threats targeting companies to give businesses as much information as possible to prevent attacks. One major focus is synthesizing information from the variety of information produced during the daily operating of a large enterprise's network. This "big data" collection promises to allow companies to have better insight into the operations of the network and catch any attacker who starts impacting that operation.

Another focus, however, is delivering information on the changing global threat landscape so that companies can be warned if legitimate-looking traffic is communicating with a known bad part of the Internet.

Almost all malware communicates with actors outside of the victim's network, giving the vigilant businesses a chance to detect the attack. In addition, global threat intelligence can warn a company if its own Internet addresses start producing malicious traffic, said Sam Glines, CEO of Norse.

"By uploading your company's public-facing IP address, we instantly provide back the data on whether any of your IPs are behaving badly," he said.

Companies are notoriously in the dark about whether their own systems are compromised. In its annual report on trends in network breaches, Verizon found that the median time between a compromise and the exfiltration of data is hours, but that the median time to discovery is days. The group surveyed in the latest Ponemon report had a similar outlook, with a half of the respondents estimating that it would take weeks to months to recognize a compromise and only a quarter of the respondents estimating that it would take a day or less.

Technology is not seen to be the answer to the problem. On a 10-point scale, three-quarters of respondents rated traditional technologies—such as firewalls, security information and event monitoring (SIEM) and intrusion detection systems—a 6 or less.

The survey polled more than 700 people from 378 companies on their current use of threat information. More than three-quarters of respondents criticized current threat intelligence solutions for their high false-positive rates.