March 7, 2017 By Joerg Stephan 3 min read

In the modern security operations center (SOC) model, the security intelligence analyst (SIA) represents a core role. In my opinion, it is one of the most important roles in the field of the cybersecurity.

The Role of the Security Intelligence Analyst

Customers often ask me what the role of the SIA actually is. The SIA is responsible for protecting the organization against real-world threats. This requires an intimate understanding of the technology that is used throughout the organization and how it benefits the business.

When security analysts read the latest security intelligence feeds, they must understand how certain events affect clients and know how to respond appropriately to protect customer data.

Three Main Elements of Cybersecurity

To fulfill these responsibilities, an SIA’s decision-making process should revolve around three key elements: threat intelligence, event intelligence and enrichment. Each of these areas is rich for information mining. The more company-focused the fields, the richer the outcome.

1. Threat Intelligence

Basically, threat intelligence describes all the information you can get about actual threats to your company. Nowadays, many companies and communities will share this information with you.

To avoid overloading your feed consumption, especially when you’re getting started, I recommend focusing on industry sector and geolocation. If your organization is part of the financial sector, for example, reach out to the Financial Services — Information Sharing and Analysis Center (FS-ISAC). This industry-specific intelligence is shared by companies just like yours, so the likelihood of facing a common threat is rather high.

The same goes for geolocation. Try to connect with your local computer emergency response team (CERT), such as the European Union Computer Emergency Response Team (CERT-EU), to gain a deeper understanding of actual threats in your area. If your IT infrastructure is located in a specific country, the volume of attacks against a certain region or IP range is very useful intelligence.

2. Event Intelligence

If you have ever taken a look at the input stream of a security information and event management (SIEM) solution or have seen the messages log on a Linux system, you are aware of the need to understand these events. This knowledge, combined with the know-how to tweak this output, is what I mean when I talk about event intelligence.

Event intelligence helps you understand the threat data you can actually use and decide whether certain indicators provide value. Does the data apply to your system? Will the indicators be visible on your SIEM solution, or do you need to tweak the quality, coverage and verbosity of the log sources?

3. Enrichment

Finally, the enrichment stage is when you start to add more information to the indicators and close the gap between threat intelligence and event intelligence.

Let’s say, for example, that your trusted source has shared SHA-1 malware hashes with you (threat intelligence), but you know that your systems are only logging MD5 hashes for email attachments (event intelligence). In this case, you can easily reach out to sources such as the IBM X-Force Exchange or VirusTotal to enrich the indicators. Both platforms are capable of showing the file information behind the SHA-1 hash or providing the MD5 hash required to perform a search on the system. This way, you can produce the right indicators to actually protect your business.

The possible use cases of enrichment are endless. In general, it helps SIAs in two major ways. First, it helps them understand individual indicators by adding the risk indication or getting deeper insight. When checking an IP address, for example, an analyst will receive additional indicators such as country of origin, owner and risk score.

Secondly, you can use the strategy to enrich a complete threat report. Here you can find additional information, such as which system types or software versions are actually affected by a CVE or which delivery method is normally used for a specific malware. All these enrichments can help SIAs better detect, understand and respond to threats.

Listen to the podcast to learn how cognitive technology benefits security intelligence analysts

More from Intelligence & Analytics

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today