Mandiant: 79 Percent Of Cybersecurity Decisions Ignore Threat Intelligence

Too often, organizations are crafting cyber defense strategies and making purchasing decisions based on concerns about attackers that ‘don’t actually have any interest whatsoever’ in them, Mandiant’s John Hultquist tells CRN.


While most business leaders are satisfied with the cyber threat intelligence they’re consuming, insights about attackers are mostly being ignored when the time comes for cybersecurity decision-making, according to a survey commissioned by Mandiant.

The result of not factoring in threat intelligence has a number of ramifications for an organization’s cyber defense, such as causing both a weaker cybersecurity strategy and sub-optimal purchasing decisions for security tools, said John Hultquist, vice president of intelligence analysis at Mandiant.


Hultquist said that he’s had countless conversations with security leaders where he’s been asked for his opinion on certain tools, seemingly because they were associated with a current trend in cybersecurity. “And I’ve had to say, ‘Well, we look at that threat actor or threat pretty closely — and what I know is that they don’t actually have any interest whatsoever in your sector.’”

The survey of 1,350 IT and business leaders, representing organizations with 1,000 or more employees across 13 countries, was released Monday by Mandiant, a prominent provider of threat intelligence, incident response and cybersecurity solutions that’s owned by Google Cloud.

Almost all of the surveyed leaders — 96 percent — reported they were “satisfied with the quality of threat intelligence their organization is using.”

However, 79 percent of the surveyed leaders said that “the majority of the time, they make decisions without adversary insights.”

A major cause of the issue, Hultquist told CRN, is that organizations feel they have too much threat intelligence information coming in through their feeds — and they aren’t able to sift through it effectively enough to have it influence their decisions. He pointed to one of the other key findings of the survey: 47 percent of surveyed leaders reported that “applying threat intelligence throughout the security organization” is among their biggest challenges.

A prime example of the problem is the tendency for many companies to believe that advanced persistent threat (APT) actors are a danger to them, Hultquist said. APTs are generally a part of, or backed by, nation states — but using threat intelligence that is tailored to the specifics of your organization and industry can reveal whether they’re actually something to worry about, he said.

And for many organizations, APTs are rarely going to be a concern. For example, while Russia’s state-aligned groups receive copious amounts of attention, “the incident that’s going to bring your organization down is going to be a ransomware attack,” Hultquist said. “And the reason I know that is that I have a ton of insight into these actors.”

Another example is the massive quantity of vulnerabilities in software. Organizations are advised to prioritize patching for the highest-risk vulnerabilities, but threat intelligence can be essential in determining which issues actually pose a major risk.

“New vulnerabilities are dropping all the time, and organizations have to decide how far they want to go to respond to those,” Hultquist said.

“I think a lot of organizations make decisions based solely on their environment — but fail to take into account the adversary, and whether or not they can even make use of these vulnerabilities, or whether or not there’s proof-of-concept code, or how broad the distribution of exploits is,” he said. “That information should be there in your risk calculus — especially when you are trying to use a limited budget to make the best decisions.”
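To make the risk calculus Hultquist describes concrete, here is an added illustration (not code from Mandiant or CRN) that ranks a constructed set of vulnerabilities first on environment-only severity and then with adversary insight folded in. The identifiers, CVSS values, intelligence flags and weights are all assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                    # constructed placeholder id, not a real CVE
    cvss: float                 # base severity as published, 0-10
    exposed: bool               # environment: reachable from the internet
    actor_targets_sector: bool  # intel: an active actor targets our sector
    poc_public: bool            # intel: proof-of-concept code is public
    exploit_spread: str         # intel: "none", "limited" or "widespread"


# Assumed weights for how widely exploit code is distributed.
SPREAD_WEIGHT = {"none": 0.0, "limited": 0.5, "widespread": 1.0}


def environment_score(v: Vuln) -> float:
    """Severity judged from the environment alone: CVSS, bumped if exposed."""
    return v.cvss * (1.2 if v.exposed else 1.0)


def adversary_factor(v: Vuln) -> float:
    """Multiplier from adversary insight, 0.25 (nobody cares) to 2.0 (actively
    exploited by an actor that targets us, with public PoC)."""
    factor = 0.25
    if v.actor_targets_sector:
        factor += 0.75
    if v.poc_public:
        factor += 0.5
    factor += 0.5 * SPREAD_WEIGHT[v.exploit_spread]
    return factor


def risk_score(v: Vuln) -> float:
    """Environment severity weighted by what we know about the adversary."""
    return round(environment_score(v) * adversary_factor(v), 2)


def prioritize(vulns, with_intel: bool = True):
    """Return vulnerability ids, highest priority first."""
    key = risk_score if with_intel else environment_score
    return [v.vid for v in sorted(vulns, key=key, reverse=True)]


# Constructed sample: a critical-but-dormant flaw, an actively exploited one,
# a half-way case, and a low-severity flaw a relevant actor is known to use.
SAMPLE = [
    Vuln("VULN-A", 9.8, False, False, False, "none"),
    Vuln("VULN-B", 7.5, True, True, True, "widespread"),
    Vuln("VULN-C", 8.1, True, False, True, "limited"),
    Vuln("VULN-D", 6.5, False, True, False, "none"),
]
```

Ranking on severity alone puts VULN-A first; adding adversary insight drops it to last and moves the actively exploited VULN-B to the top.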

Relevant Threats

The issue with information overload when it comes to threat intelligence is no different for smaller organizations, said Hector Kearns, founder and CTO at Toronto-based Kearns Technology Inc.

Making sense of the data and being able to take actionable steps from it is certainly an ongoing challenge, Kearns said. Still, working with customers to proactively develop a cybersecurity strategy that addresses the actual threats they face is pivotal — and is often a “neglected step,” he said.

Ultimately, security service providers can do a lot to help customers with “focusing and narrowing the efforts onto what’s truly relevant,” Kearns said.

In terms of the threat information overload itself, it’s likely that continued advances in automation should help somewhat going forward, Hultquist said. AI technologies such as natural language processing — which are behind OpenAI’s ChatGPT and Google’s forthcoming Bard chatbot — could potentially remove some of the tedium, he said. “I think there’s definitely value there.”

Meanwhile, when it comes to strategic activities, organizations can benefit from integrating threat intelligence more tightly with their overall risk management process, according to Hultquist.

For example, with organizations in the financial sector with highly advanced and mature risk management processes, “I’ve seen them build intelligence right into it — and really make smart decisions on the basis of that about their entire operation,” he said. “Especially in a time when budgets might be tighter, efficiencies like that are going to make a difference.”

All in all, “I really hope that we start thinking about how to do a better job operationalizing some of this intelligence,” Hultquist said.