In the modern security operations center (SOC) model, the security intelligence analyst (SIA) represents a core role. In my opinion, it is one of the most important roles in the field of the cybersecurity.

The Role of the Security Intelligence Analyst

Customers often ask me what the role of the SIA actually is. The SIA is responsible for protecting the organization against real-world threats. This requires an intimate understanding of the technology that is used throughout the organization and how it benefits the business.

When security analysts read the latest security intelligence feeds, they must understand how certain events affect clients and know how to respond appropriately to protect customer data.

Three Main Elements of Cybersecurity

To fulfill these responsibilities, an SIA’s decision-making process should revolve around three key elements: threat intelligence, event intelligence and enrichment. Each of these areas is rich for information mining. The more company-focused the fields, the richer the outcome.

1. Threat Intelligence

Basically, threat intelligence describes all the information you can get about actual threats to your company. Nowadays, many companies and communities will share this information with you.

To avoid overloading your feed consumption, especially when you’re getting started, I recommend focusing on industry sector and geolocation. If your organization is part of the financial sector, for example, reach out to the Financial Services — Information Sharing and Analysis Center (FS-ISAC). This industry-specific intelligence is shared by companies just like yours, so the likelihood of facing a common threat is rather high.

The same goes for geolocation. Try to connect with your local computer emergency response team (CERT), such as the European Union Computer Emergency Response Team (CERT-EU), to gain a deeper understanding of actual threats in your area. If your IT infrastructure is located in a specific country, the volume of attacks against a certain region or IP range is very useful intelligence.

2. Event Intelligence

If you have ever taken a look at the input stream of a security information and event management (SIEM) solution or have seen the messages log on a Linux system, you are aware of the need to understand these events. This knowledge, combined with the know-how to tweak this output, is what I mean when I talk about event intelligence.

Event intelligence helps you understand the threat data you can actually use and decide whether certain indicators provide value. Does the data apply to your system? Will the indicators be visible on your SIEM solution, or do you need to tweak the quality, coverage and verbosity of the log sources?

3. Enrichment

Finally, the enrichment stage is when you start to add more information to the indicators and close the gap between threat intelligence and event intelligence.

Let’s say, for example, that your trusted source has shared SHA-1 malware hashes with you (threat intelligence), but you know that your systems are only logging MD5 hashes for email attachments (event intelligence). In this case, you can easily reach out to sources such as the IBM X-Force Exchange or VirusTotal to enrich the indicators. Both platforms are capable of showing the file information behind the SHA-1 hash or providing the MD5 hash required to perform a search on the system. This way, you can produce the right indicators to actually protect your business.

The possible use cases of enrichment are endless. In general, it helps SIAs in two major ways. First, it helps them understand individual indicators by adding the risk indication or getting deeper insight. When checking an IP address, for example, an analyst will receive additional indicators such as country of origin, owner and risk score.

Secondly, you can use the strategy to enrich a complete threat report. Here you can find additional information, such as which system types or software versions are actually affected by a CVE or which delivery method is normally used for a specific malware. All these enrichments can help SIAs better detect, understand and respond to threats.

Listen to the podcast to learn how cognitive technology benefits security intelligence analysts

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read