In the world of cybersecurity, the grim reality is that most of our personally identifiable information has already fallen into the wrong hands. The relentless cycle of cybercriminal activities has led to the expansion of databases containing personal data, painting a bleak picture of data security. Simply put, the battle to protect our personal information has been lost.
This alarming situation extends beyond individuals; it poses an even greater threat on a corporate level. While individual data certainly holds value for cybercriminals, the real prize lies in compromising networks containing personal data of thousands of employees, end users, or even citizens, as seen in some government departments. Such breaches enable threat actors to engage in large-scale malicious activities.
Organizations are acutely aware of this danger and are responding to an increasingly sophisticated cybercriminal landscape. According to Mimecast’s State of Email Security Report 2023, 59% of 1700 Chief Information Security Officers (CISOs) surveyed reported that cyberattacks are becoming more sophisticated and alarmingly frequent. Two-thirds of these CISOs stated that their organizations had fallen victim to ransomware attacks, while a staggering 97% had encountered email-based phishing attacks.
The inevitable consequence of these attacks is data exfiltration, resulting in the unnecessary loss of valuable data. Surprisingly, Gartner warned back in 2016 that “99% of vulnerabilities exploited will be known by security and IT professionals by 2020.” This essentially means that threat intelligence, which should be the guardian of cybersecurity, has been falling short of its core mission.
Where Threat Intelligence Has Gone Wrong
Threat intelligence, characterized by its discovery, analysis, and cataloging of valuable cyber threat information, is undoubtedly a goldmine of knowledge. It contains the “cheat codes” to counter offensive cyber activities, capable of thwarting attackers effectively.
However, the problem lies not in the technology itself but in its structure. The threat intelligence landscape is crowded with hundreds of providers, each striving to identify and categorize threats for their clients. Many of these providers excel in their efforts.
The issue arises from the fragmented nature of these databases, which remain isolated based on the provider-client relationship. This fragmentation forces organizations to make a choice: either continue using threat intelligence providers they are affiliated with and respond to a limited number of alerts, an inefficient approach that inevitably leaves some threats undetected, or allocate substantial resources to expand their security toolset in hopes of capturing more threats. The latter approach risks inflating security budgets and creates unrealistic expectations of resilience, potentially damaging the reputation of the security team if it fails.
Although it is expected to miss unknown attack vectors (by definition, they are unknown), the tragedy of the current relationship between threat intelligence and defensive security is the unnecessary escape of known threats. These known threats should be entirely preventable.
A Broken Internet and the Path to Repair
The current threat intelligence ecosystem leaves us with an internet that predominantly serves two groups: security providers, who charge exorbitant fees for access to their threat intelligence tools, knowing they offer incomplete threat coverage, and threat actors who exploit the existing, unworkable system with impunity.
To regain control of threat intelligence data, organizations must adopt a new approach. Instead of security teams perpetually justifying increased tooling and funding to tackle the problem, a radical shift in mindset is needed.
The necessary change involves working with providers capable of analyzing and quantifying threat intelligence data from multiple sources for proactive defense before it reaches an organization. This approach not only reduces the number of alerts requiring action but also minimizes man-hours spent on response efforts. It effectively lowers operational costs and simplifies the challenge of cybersecurity.
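The multi-source approach described above, in concrete form: an added example (not code from the article, from Mimecast, or from any provider it mentions) that merges two constructed feeds in different export formats, normalises defanged values, scores each indicator by how many independent sources corroborate it, and only raises an alert from constructed log lines when the aggregated score clears a threshold. The feed contents, the per-source weights, the `.invalid` domains and documentation IP addresses, and the log lines are all constructed sample data, not real indicators.

```python
"""Aggregate indicators from several threat-intel feeds, score them by how
many independent sources corroborate each one, and match them against log
lines. All feeds, weights and log lines below are constructed sample data."""
import json
import re
from collections import defaultdict

# Constructed feed in a CSV-style export. Values are placeholders
# (.invalid TLD, documentation IP range), not real indicators.
FEED_A_CSV = """# type,value,confidence
domain,Malicious-Update.invalid,high
domain,cdn-payload.invalid,medium
ipv4,203.0.113.7,high
"""

# Constructed feed in a JSON export, using defanged notation.
FEED_B_JSON = json.dumps([
    {"indicator": "malicious-update[.]invalid", "kind": "domain"},
    {"indicator": "198.51.100.23", "kind": "ipv4"},
    {"indicator": "203[.]0[.]113[.]7", "kind": "ipv4"},
])

# Assumed per-source weight: how much a lone hit from that provider counts.
SOURCE_WEIGHTS = {"feed_a": 0.6, "feed_b": 0.5}

# Constructed log lines (proxy and firewall) to match against.
LOG_LINES = [
    "2024-01-01T10:00:00Z proxy GET http://Malicious-Update.invalid/x.bin 200",
    "2024-01-01T10:00:05Z proxy GET http://cdn-payload.invalid/a.js 200",
    "2024-01-01T10:00:09Z fw DENY dst=203.0.113.7 dport=443",
    "2024-01-01T10:00:12Z proxy GET http://intranet.example.com/ 200",
]


def refang(value: str) -> str:
    """Undo common defanging ('[.]', 'hxxp') and normalise case so the same
    indicator from two providers collapses into one key."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def parse_feed_a(text):
    """Yield (kind, value) from the CSV-style feed, skipping comments."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        kind, value, _confidence = line.split(",")
        yield kind, refang(value)


def parse_feed_b(text):
    """Yield (kind, value) from the JSON feed."""
    for record in json.loads(text):
        yield record["kind"], refang(record["indicator"])


def aggregate(feeds):
    """Merge feeds into {(kind, value): {"sources": set, "score": float}}.
    Score is the capped sum of the weights of the sources that list it, so
    corroborated indicators rank above single-source ones."""
    merged = defaultdict(lambda: {"sources": set(), "score": 0.0})
    for name, parser, text in feeds:
        for kind, value in parser(text):
            entry = merged[(kind, value)]
            if name not in entry["sources"]:
                entry["sources"].add(name)
                entry["score"] = min(1.0, entry["score"] + SOURCE_WEIGHTS[name])
    return dict(merged)


def build_indicators():
    """Aggregate the two constructed feeds."""
    return aggregate([
        ("feed_a", parse_feed_a, FEED_A_CSV),
        ("feed_b", parse_feed_b, FEED_B_JSON),
    ])


DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_logs(indicators, log_lines, threshold=0.6):
    """Return (indicator, score, sources) for each log line whose extracted
    domain or IPv4 hits an indicator scoring at or above the threshold."""
    alerts = []
    for line in log_lines:
        lower = line.lower()
        found = {("domain", d) for d in DOMAIN_RE.findall(lower)}
        found |= {("ipv4", ip) for ip in IPV4_RE.findall(lower)}
        for key in found:
            entry = indicators.get(key)
            if entry and entry["score"] >= threshold:
                alerts.append((key[1], round(entry["score"], 2), sorted(entry["sources"])))
    return alerts


if __name__ == "__main__":
    for alert in match_logs(build_indicators(), LOG_LINES):
        print(alert)
```

Raising the threshold to 0.9 drops the single-source `cdn-payload.invalid` hit, which is the trade-off the article describes: fewer alerts to action, at the cost of relying on corroboration rather than on any one provider's word.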
Encouragingly, CISOs are already recognizing the urgency of this change. In Mimecast’s report, 92% of CISOs either use or plan to implement artificial intelligence (AI) and machine learning to enhance their cybersecurity threat response capabilities. The key for CISOs and the wider security community is to understand that this transformation is not about adding new tools to a cybersecurity stack but rather a profound intellectual shift in how threats are detected and addressed, ultimately safeguarding organizations and the broader internet.