How can organisations improve threat intelligence collaboration?
Among the various factors that contribute to an effective security strategy, threat intelligence collaboration and information sharing play a crucial role. However, according to recent industry research, even though the overwhelming majority of organisations recognise the importance of these issues, most struggle to effectively combine threat intelligence insights across teams and security platforms.
More specifically, 91% of respondents said collaboration and information sharing are very important or absolutely crucial for cybersecurity, while 70% believe their organisation could improve threat intelligence sharing (19% said they could share significantly more). The problem is that over half of the research respondents (53%) said their organisation does not currently utilise an Information Sharing and Analysis Centre (ISAC), underlining the shortcomings of the way most security teams approach threat intelligence.
Also of concern is that over a quarter (28%) said they were unaware of the existence and role of ISACs altogether – despite the widely recognised value they offer in enabling organisations to manage risk.
Digging deeper into the underlying issues, when asked to identify the weakest link in their approach to cybersecurity information sharing and collaboration, over half (51%) said people are the main barrier to improvement, followed by processes (21%) and technologies (11%). Taking all these factors into account, nearly half of respondents (49%) said that their organisations struggle to combine and derive actionable insights across multiple security tools, such as threat intelligence platforms, SIEM, asset management, and vulnerability management platforms.
Dealing with the disconnect
So where does that leave the significant majority of organisations who understand the need to improve threat intelligence sharing and collaboration but struggle to deliver improvements?
Across the board, a variety of factors are leading to this disconnect, and they will vary from one organisation to another. But in general terms, it’s well understood that team, technology and data silos can stifle effective communication and collaboration. In this context, threat intelligence is no exception, with the result that the ability to detect and respond to cyber threats can be significantly impaired.
Looking at what the data reveals: when asked which teams are least likely to share threat intelligence with other departments, respondents put DevOps (31%) at the top, followed by Security Ops (17%), Threat Intelligence (16%) and IT Ops (15%). Only 23% of teams share threat intelligence on a daily basis, 21% in real time, 17% weekly and 14% monthly.
In addressing these challenges, an important starting point is to build an effective collaboration culture within each organisation that clearly focuses on the collection, analysis and dissemination of actionable threat information – backed by methods for mitigating the impact of those threats. All of this work should be geared towards improving proactive protection and resilience and should focus on creating processes that foster good communication and the elimination of information silos.
This approach works even more effectively when security teams find the right ISAC to work with. ISACs can vary significantly in nature: they can be internationally focused or country- or sector-specific, can operate according to different governance structures and collaboration styles, and may be supported by a variety of funding models.
In addition, they can include stakeholders from across the public and private sectors, while the core objectives of each ISAC will depend on the type of organisations involved and whether it has broad or niche priorities and areas of interest. What almost all have in common, however, is a desire to improve predictive cyber defence, share threat mitigation intel on sector-specific threats and secure member infrastructure and assets. The most effective ISACs drive better security outcomes by eliminating manual processes, improving analyst efficiency and augmenting overall security collaboration.
The role of AI and automation
In addressing the challenges presented by inadequate threat intelligence collaboration, AI is already playing an important and growing role. Central to this is the automated identification, processing and dissemination of large volumes of threat data and remediation insight.
AI is also being integrated into detection and response technologies, while at the same time, predictive security solutions are giving teams the game-changing, proactive capabilities they need to address the volume and sophistication of cyber threats, including real-time threat and behavioural analysis. The key point here is that AI can act as a huge catalyst, not just for improving the quality and timeliness of threat intelligence information but also in relation to boosting communication and collaboration processes. In doing so, it can help accelerate the pace of change, especially given only one-fifth of organisations currently share threat intel in real-time.
At present, the disconnect between teams and the siloed approach taken around the use of security tools poses a serious threat to the delivery of threat intelligence. What’s required instead is a unified and proactive approach where traditionally siloed security functions are scalable and integrated, combining high-fidelity threat intelligence with threat operations for rapid threat response. For example, using a Virtual Cyber Fusion Centre (vCFC) platform breaks down security silos by bringing disparate security functions together to help them proactively defend organisations from cyber threats. A vCFC platform integrates intelligence and response, orchestration and situational awareness capabilities, so irrespective of where teams are located, they can collaborate and share information freely while eliminating the need for duplication of tools, data collection and effort.
Armed with these capabilities, security teams can engage in more proactive threat response, contain incidents more quickly when they arise, and deliver the collaboration and information-sharing efficiency they need.