2019 Cyberthreat Defense Report: The Year of Threat Intelligence Powered by Machine Learning

Security analytics and machine learning processes are fueling the next generation of cyber defenses, helping to address persistent problems in the industry like a skills shortage and an overwhelming number of alerts.

Those are some of the major findings from CyberEdge’s “2019 Cyberthreat Defense Report,” the sixth yearly report summarizing the trends in cybersecurity on both the offensive and defensive sides.

The report is a tome, but one worth perusing, for those who have the time. Here, we’ll focus on what the report says about the state of threat intelligence in 2019 — how it’s being used and what the best practices are these days.

Machine Learning a Major Trend for 2019

CyberEdge polled respondents about why their security teams are choosing to incorporate threat intelligence platforms into their existing security infrastructure. The top three responses were to improve the ability to detect cyber threats, validate security alerts, and prioritize responses to security alerts. To understand why, we’ll break down those three categories a little further and see how threat intelligence helps.

But first, it’s worth noting the trends that CyberEdge found around the adoption of solutions driven by machine learning. Not every threat intelligence solution relies on machine learning to collect, process, and analyze data, but for the ones that do, their usefulness has been nearly universally recognized. As of 2019, more than 90 percent of organizations have invested in security solutions that use machine learning or artificial intelligence, and of those, more than 80 percent generally agree that these technologies are helping them stop advanced cyber threats.

Improving the Ability to Detect Cyber Threats With Threat Intelligence

Improving threat detection was the most important reason why respondents said they were using threat intelligence, with 53.7 percent of respondents choosing it.

This is no surprise, since threat detection is one of the things threat intelligence helps the most with. That’s because effective threat detection usually takes a lot of research, and the right threat intelligence solution does most of the legwork for security teams when it comes to doing that research.

As CyberEdge puts it in the report:

Think of it this way: a TIP not only provides the enterprise security team with a richer body of intelligence on which to draw (e.g., for threat detection, blocking, and investigation purposes), but also a bunch of automation capabilities for processing that intelligence and actually putting it to use. That’s how we see it, at least.

This might go without saying, but most cyberattackers don’t want to be detected — at least, not until it’s too late. Being able to detect an attack before it’s too late means being able to detect suspicious activity both inside and outside of your network. But that’s an effort that can take a lot of data, even with simpler efforts like maintaining an up-to-date blacklist of suspicious IP addresses.

Threat intelligence can provide the heads up needed to detect an attack before it’s even launched. With data automatically gathered from across the internet, a threat intelligence platform can provide alerts on typosquatted domains, for example, which may indicate an oncoming phishing attack targeting your organization. With this kind of context, security practitioners are able to resolve threats 63 percent quicker.

Improving the Ability to Validate Security Alerts

Close behind threat detection was improving the ability to validate security alerts, with 52.9 percent of respondents saying they relied on threat intelligence in this capacity.

Validating security alerts — for example, sorting the real alerts from false positives — is essential when the sheer number of alerts that security staff must deal with daily threatens to overwhelm them. Alert fatigue is a major issue in the security industry, with some studies showing that security staff ignore around 44 percent of the alerts they receive daily, and remediate less than half of the legitimate threats they do identify. There’s just too much to deal with.

Using automated threat intelligence to validate security alerts and weed out false positives or irrelevant alerts before they get in front of human eyes is one way to reduce alert fatigue. By correlating incoming alerts with the massive amounts of data that threat intelligence platforms can gather from across the web (as well as internal network data, in some cases), security practitioners get context that helps them detect threats up to 10 times faster and identify 22 percent more threats before they have an impact.

CyberEdge also mentions the value of threat intelligence gateways (TIGs):

This closely related component/technology focuses on the immediate application of threat intelligence. By automatically blocking traffic from millions of known-bad IP addresses and domains, TIGs inherently weed out countless threats while greatly reducing the load on downstream networking and security devices alike.

Improving the Ability to Prioritize Responses to Security Alerts

The next most common response, with 43.3 percent, was using threat intelligence to improve alert prioritization. This is an issue closely related to validating security alerts — in a sense, it’s the next step, where after security alerts have been verified to be legitimate, security practitioners must then decide which alerts are the most urgent.

Doing this kind of triage takes context, too — again, the kind of context that threat intelligence provides. Threat intelligence platforms that provide automated risk scoring for threats, as well as the reasons behind those scores (like the sources of information and an explanation of the algorithms that determine them) help security professionals quickly evaluate what alerts they need to prioritize, which they can get to a little later, and which they can safely ignore. It’s one of the reasons why threat intelligence makes security teams work 32 percent more efficiently.

Read the Report for More Threat Intelligence Use Cases

CyberEdge also named a few other threat intelligence use cases that extend beyond the security operations center: “threat hunting, threat predictions based on in-depth correlation and analysis, and executive-level reporting and data sharing for both incident management and security planning purposes.”

To dive more deeply into the extensive research that CyberEdge did to produce this report, download your full copy here.