Every so often, a new phrase or buzzword does the rounds for a bit before it goes off to join the other forgotten buzzwords in the sky, only to be recalled at corporate parties for a laugh, or to gauge how long someone has been in the trade. However, a select few remain firmly embedded in the security lexicon because of the way they continuously enrich our lives and businesses. Security intelligence is a phrase with such staying power.

What Is Security Intelligence?

Security intelligence is actionable threat data compiled from security information and event management (SIEM), user behavior analytics (UBA), log management, and other tools and sources to aid incident response planning and decision-making around data breaches.

It’s all in a day’s work for security professionals, but what does all that security data mean to your business leaders?

Imagine your chief operating officer (COO) strolls up to your desk and asks you, “How fit are we on our security intelligence?” If they are like the COOs I’ve worked with, they’ve done a bit of homework before approaching you with this question. No amount of techno-babble, hand waving or staring off into the distance like Jack Sparrow will get you through this conversation — it’s not like we’re talking about encryption, after all.

A few things might run through your head at this point. You might think to yourself, “The board must’ve heard another buzzword at a conference, and now they want me to tell them what it is,” or, “Clearly, this is the new name for the logging and event management we’ve been doing for ages.” Well, yes and no.

Yes, security intelligence is a relatively new buzzword that has made its way into executives’ vocabulary.

Yes, you have been collecting logs and events for ages, and every now and then — in an increasingly worrying trend — something hits a threshold that makes you wonder, “Now, what’s going on there?”

Yes, you are going to have to explain it and assure top leadership that you are on top of it.


No, the way you have operated for all these years is not enough to keep up with the evolving cyberthreat landscape. Looking at logs and events in isolation is inadequate because the chain of attacks has morphed into something that is beyond traditional thinking and technology.

And no, security intelligence isn’t going away. In fact, I wouldn’t be surprised to see a surge in job postings for information security intelligence professionals in the near — if not immediate — future.

What Does a Successful Security Intelligence Program Look Like?

To put it simply, you need to be able to consume, analyze and assess the vast amount of security information passing through your network. We’re talking network devices, host operating systems, applications, databases, user activity and more.

The analytics must be able to identify, manage and prioritize the threats that pose the most risk, commensurate with the organization’s risk appetite. It’s more than just SIEM and risk management; it needs to be done in near real time and be capable of automating incident response and compliance.

The world of cybercrime is constantly evolving, and threat actors are growing more sophisticated by the minute. When you’re bombarded with billions of events on thousands of endpoints every day, how can you interpret all that information to reveal threats lurking on your network and targeting your organization?

You need a security intelligence solution that can:

  • Provide full visibility into your network, application and user activity;
  • Identify high-risk threats;
  • Correlate those threats in near real time with behavioral anomaly detection;
  • Detect and understand vulnerabilities; and
  • Determine where high-priority incidents are occurring that would not normally rattle a threshold in the traditional way of using SIEM.
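As an added illustration (not code from the original article or from any IBM product), the Python sketch below contrasts the two approaches the list describes: a classic SIEM threshold rule that looks at one source in isolation, and a correlation pass that scores a user's events from several sources against a behavioral baseline. The events, baselines, weights and thresholds are all constructed for the example; in the sample data no single source trips the threshold rule, yet the correlated, baseline-aware view raises one high-priority incident.

```python
"""Correlating low-signal events across sources with behavioral baselines.

Hypothetical example: events, baselines, weights and thresholds are all
constructed for illustration and are not drawn from any real SIEM or product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (VPN gateway, host auth, database).
# No single source breaches a classic threshold on its own.
EVENTS = [
    {"user": "jdoe", "ts": "2024-03-04T02:55:00", "source": "vpn",
     "type": "login", "country": "RO"},
    {"user": "jdoe", "ts": "2024-03-04T02:57:00", "source": "host_auth", "type": "login_failed"},
    {"user": "jdoe", "ts": "2024-03-04T02:58:00", "source": "host_auth", "type": "login_failed"},
    {"user": "jdoe", "ts": "2024-03-04T02:59:00", "source": "host_auth", "type": "login_failed"},
    {"user": "jdoe", "ts": "2024-03-04T03:00:00", "source": "host_auth", "type": "login_ok"},
    {"user": "jdoe", "ts": "2024-03-04T03:20:00", "source": "db",
     "type": "query", "rows": 250000},
    # Ordinary daytime activity for a second user, used as a control.
    {"user": "asmith", "ts": "2024-03-04T10:05:00", "source": "vpn",
     "type": "login", "country": "GB"},
    {"user": "asmith", "ts": "2024-03-04T10:06:00", "source": "host_auth", "type": "login_ok"},
    {"user": "asmith", "ts": "2024-03-04T10:30:00", "source": "db",
     "type": "query", "rows": 1200},
]

# Constructed per-user baselines, of the kind a UBA tool would learn over time.
BASELINES = {
    "jdoe": {"hours": range(8, 19), "countries": {"GB"}, "rows_p95": 5000},
    "asmith": {"hours": range(8, 19), "countries": {"GB"}, "rows_p95": 5000},
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def threshold_rule(events, max_failures=5, window=timedelta(minutes=10)):
    """Classic SIEM rule: N failed logins for one user inside a sliding window."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "login_failed":
            continue
        ts = parse_ts(e["ts"])
        recent = [t for t in failures[e["user"]] if ts - t <= window]
        recent.append(ts)
        failures[e["user"]] = recent
        if len(recent) >= max_failures:
            alerts.append({"user": e["user"], "rule": "brute_force", "at": e["ts"]})
    return alerts


def anomaly_score(event, baseline):
    """Score one event against the user's baseline (weights are illustrative)."""
    score = 0
    if parse_ts(event["ts"]).hour not in baseline["hours"]:
        score += 2                                  # activity outside normal hours
    if event["source"] == "vpn" and event.get("country") not in baseline["countries"]:
        score += 3                                  # login from an unfamiliar country
    if event["type"] == "login_failed":
        score += 1                                  # each failure is weak evidence alone
    if event["type"] == "query" and event.get("rows", 0) > baseline["rows_p95"]:
        score += 4                                  # data volume far above the norm
    return score


def correlate(events, baselines, window=timedelta(hours=1), min_sources=2, min_score=8):
    """Bucket a user's events by time window and raise one incident when the
    combined anomaly score is high and the evidence spans more than one source."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    incidents = []
    for user, evs in by_user.items():
        baseline = baselines[user]
        start, bucket = parse_ts(evs[0]["ts"]), []
        for e in evs + [None]:                      # sentinel flushes the last bucket
            if e is not None and parse_ts(e["ts"]) - start <= window:
                bucket.append(e)
                continue
            total = sum(anomaly_score(x, baseline) for x in bucket)
            sources = {x["source"] for x in bucket}
            if total >= min_score and len(sources) >= min_sources:
                incidents.append({"user": user, "score": total, "sources": sorted(sources),
                                  "first": bucket[0]["ts"], "last": bucket[-1]["ts"]})
            if e is not None:
                start, bucket = parse_ts(e["ts"]), [e]
    return incidents


if __name__ == "__main__":
    print("threshold alerts:", threshold_rule(EVENTS))
    for inc in correlate(EVENTS, BASELINES):
        print("incident:", inc)
```

The point of the design is that each of jdoe's events is individually unremarkable (three failed logins is under the brute-force threshold, one large query could be a report run), but scored against the user's own baseline and summed across the VPN, host and database sources inside one window, they describe an incident worth prioritizing, while asmith's identical-looking activity during normal hours scores zero.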

Staying ahead of this wave is difficult, and solutions often seem too big and complicated. Remember, you already have a lot of the answers in place; it’s more a question of how to stitch all that data together to aid decision-making in this ever-changing cybersecurity landscape.

You’ll need a strategy to help you get your security intelligence program off the ground, but it’ll likely resemble the one you already have in place, because you should already know your networks, systems and data, and the threat model and attack surface should be in place. From your SIEM tools, you know what your data sources are, have specified events and use cases, and understand your thresholds.

Show How Security Impacts the Bottom Line

Even when threat analysis and risk management are in place, it’s critical to extract the right actionable information to inform the executive decision-making process regarding the reputation, profitability and overall health of the business. How are you measuring the success or value of your tools, reporting and communications? There is no case for improvement without feedback.

The myriad security incidents reported in the press emphasize the need and business case for better, smarter tooling that can respond in an automated fashion using artificial intelligence to analyze huge amounts of data at speed. If you can show why it is important and how it impacts the business’ bottom line, you should have no problem getting increasingly security-aware COOs and business leaders on the same page with your security intelligence strategy.
