State of the market: Threat Intel in 2019

Lifting the veil

The threat intelligence market is growing rapidly but there is still some haziness in organizations’ understanding of the segment. Many consider threat intelligence the answer to thwarting the increasingly complex and devastating cyberattacks that plague organizations and individuals, but few understand exactly what it means beyond being a catch-all term for an array of different technologies and methodologies. 

This blog post seeks to lift the veil and take a look at what threat intelligence is, the state of the market and trends for the future.

The base level definition of threat intelligence is the knowledge that allows organizations or individuals to prevent or mitigate cyberattacks. Rooted in data, threat intelligence provides context that helps inform decisions about security by answering questions like “who is attacking”, “what are their motivations and capabilities” and “are there indicators of compromise within the systems in question.”

Here’s how Gartner defines threat intelligence:

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Forrester packages up threat intelligence as a framework constructed around high-quality information sources and skilled analysts, not a single product or service.

The recently released 2019 SANS CTI Survey focused on how and why cyberthreat intelligence (CTI) is being used, how it’s aiding defenders, what data sources are being leveraged and how data is converted into usable intelligence. When intelligence is understood and utilized properly, there is no limit to the value organizations can extract from it. The key is well defined goals and targets.  

This is even more relevant considering today’s threat landscape. Cybercriminals are using increasingly sophisticated techniques to breach organizations from enterprise-sized businesses to smaller shops. Attackers are constantly innovating and finding workarounds that sidestep even the most sophisticated barriers, so defending organizations against cyberthreats these days has become much more complicated.

Any organization that operates online has data waiting to be snatched up by cybercriminals, from financial transaction records to customer PII (personally identifying information), not to mention confidential company assets. A breach means catastrophe on multiple fronts. So, how can threat intelligence help organizations navigate the current threat landscape? And, taking a look at the broader threat intelligence market, what are the major industry trends and dynamics driving developments?

Market growth

The good news is that the market is already responding to growing threats and industry fluctuations. Threat intelligence is fast maturing as a discipline, and its value across security is being more widely recognized by organizations of all sizes.

SANS reports that the threat intelligence community is growing and diversifying. In fact, the threat intelligence market size is estimated to grow from USD 5.3 billion in 2018 to USD 12.9 billion by 2023, at a Compound Annual Growth Rate (CAGR) of 19.7%, according to a research report published by MarketsandMarkets. 

SANS surveys from 2018 and 2019 show that most organizations are adopting threat intelligence practices and are integrating them into security operations for detection and response, rather than trying to wing it with their own APIs and collectors. 

Based on the survey results, threat intelligence appears to be seriously upping respondents’ prevention, detection and response games. In 2018 and 2019, 81% of respondents affirmed that it is indeed helping, compared to 78% in 2017 and 64% in 2016.

“More organizations are consuming threat intelligence (especially in the form of finalized intelligence reports), and integrating them into their defensive mechanisms,” SANS statesSpecifically, respondents of the 2019 survey reported that threat intelligence is improving:

  • Visibility into threats and attack methodologies
  • Visibility into vulnerabilities and where to implement new security measures
  • Ability to prioritize efforts and resource utilization
  • More accurate risk analysis

Consolidation is key

As a result of this growth, there has been a flurry of high-value mergers and acquisitions across the security sector. This new wave of M&A activity signals the start of a consolidation trend that has been increasingly gaining momentum, and will likely result in the existence of far fewer companies within a short period of time.

A few recent examples, as reported by Fortune, showcase this significant shift:

  • CrowdStrike recently went public, valuing the company at $6.7 billion 
  • Elastic, maker of a Splunk-like data trawling product, just acquired Endgame, a CrowdStrike competitor, for $234 million 
  • Cisco, Palo Alto Networks, FireEye, and Imperva have all made cybersecurity-oriented acquisitions over the past few months

These sizeable cybersecurity deals shine a light on the rapid consolidation of a sector that is expected to more than double in value over the next five years.

Why the sudden surge? Again, the cybercriminal ecosystem is to blame here. 

Take a look at any of the high-profile data breaches in recent years and you have your answer. These attacks have caused some of the world’s largest businesses to beef up their cybersecurity practices and systems, and they are expanding budgets to ensure their data is not compromised. With thousands of cybersecurity companies elbowing each other for a share of the market, consolidation is inevitable.

One thing is for certain: M&A activity in the threat intelligence market is on the rise and shows no signs of slowing down.

Integration and collaboration

There are other important components to highlight here concerning the evolution of threat intelligence. 

Integration with other security vendors is crucial. Many organizations rely on specific vendor integrations to support response operations. In an ideal world, customers would integrate threat intelligence as part of a suite of other security products, improving the whole value chain. 

Another key component moving forward is collaborative security. Cooperation and collaboration – the sharing of knowledge and best practices – is essential for all threat intelligence suppliers. 

More and more initiatives and collaborative approaches are cropping up. For example, Blueliv’s Threat Exchange Network is designed to protect enterprises and the community against the latest threats. The network is a global community of thousands of cybersecurity experts, IT professionals and academics, who each month publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response.

“For teams to focus on the increasing use cases for threat intelligence, including attack surface awareness and strategic analysis, they will first have to find ways to automate or streamline aspects such as collecting and processing, which often take up the majority of an analyst’s time,” states the SANS 2019 Cyber Threat Intelligence (CTI) Survey Results report. “Continued growth and development in this area will likely increase organizations’ abilities to operationalize intelligence and result in greater satisfaction with CTI.” 

Looking ahead

There are, of course, areas that still need work. There are gaps in knowledge and education, clunky user friendliness, lack of automation and machine learning capabilities and resources are desperately needed for report-based intelligence.

However, the threat intelligence market has changed dramatically in a very short span of time. It is no longer synonymous with Indicators of Compromise (IOCs), but is growing to encompass Tactics, Techniques, and Procedures (TTPs), threat behaviors, attack surface awareness and strategic assessments. Threat intelligence itself is becoming even more intuitive. For example, our Threat Context enrichment module includes advanced search capabilities to find and map Indicators of Actor activity. This means users are able to hunt for campaigns and malware distributed by an actor, even if the attack pattern is not well-known. Saving meta-datasets such PDB path, network information or registry keys mean that it can later be correlated to discover new attack patterns belonging to ‘unknown actors.’ This helps teams enhance incident triage and post-incident forensics by approaching investigations from any point on the kill-chain. This delivers value well beyond ‘basic’ threat intelligence – and most importantly is accessible to any level, from CISO to analyst, who necessarily approach investigations with varying levels of detail.

So much has already been accomplished, with so many organizations developing intelligence requirements, producing and consuming intelligence and “leveraging it in ways that are specific and unique,” as the SANS 2019 report puts it. “Information sharing—with an emphasis on sharing best practices, use cases and lessons learned as well as timely, actionable and relevant intelligence—remains a key way to move forward as a community.”

Blueliv provides fresh, actionable and targeted threat intelligence to its customers so they can be aware of existing or potential cyberthreats impacting their assets, employees, customers and reputation. With this intelligence, organizations can be more efficient in responding to such threats and mitigate them very quickly, preventing data breaches, business disruption, loss of IP, compliance problems and more. Click here to speak with an expert today to discuss you can build individual threat intelligence modules into your security setup.

Click here to download our free Buyer’s Guide to Threat Intelligence.

What is Threat Intelligence and why is it important?

Learn more
Demo Free Trial MSSP