The Role of the Security Intelligence Analyst and the Three Main Elements of Cybersecurity

March 7, 2017
| |
3 min read

In the modern security operations center (SOC) model, the security intelligence analyst (SIA) represents a core role. In my opinion, it is one of the most important roles in the field of the cybersecurity.

The Role of the Security Intelligence Analyst

Customers often ask me what the role of the SIA actually is. The SIA is responsible for protecting the organization against real-world threats. This requires an intimate understanding of the technology that is used throughout the organization and how it benefits the business.

When security analysts read the latest security intelligence feeds, they must understand how certain events affect clients and know how to respond appropriately to protect customer data.

Three Main Elements of Cybersecurity

To fulfill these responsibilities, an SIA’s decision-making process should revolve around three key elements: threat intelligence, event intelligence and enrichment. Each of these areas is rich for information mining. The more company-focused the fields, the richer the outcome.

1. Threat Intelligence

Basically, threat intelligence describes all the information you can get about actual threats to your company. Nowadays, many companies and communities will share this information with you.

To avoid overloading your feed consumption, especially when you’re getting started, I recommend focusing on industry sector and geolocation. If your organization is part of the financial sector, for example, reach out to the Financial Services — Information Sharing and Analysis Center (FS-ISAC). This industry-specific intelligence is shared by companies just like yours, so the likelihood of facing a common threat is rather high.

The same goes for geolocation. Try to connect with your local computer emergency response team (CERT), such as the European Union Computer Emergency Response Team (CERT-EU), to gain a deeper understanding of actual threats in your area. If your IT infrastructure is located in a specific country, the volume of attacks against a certain region or IP range is very useful intelligence.

2. Event Intelligence

If you have ever taken a look at the input stream of a security information and event management (SIEM) solution or have seen the messages log on a Linux system, you are aware of the need to understand these events. This knowledge, combined with the know-how to tweak this output, is what I mean when I talk about event intelligence.

Event intelligence helps you understand the threat data you can actually use and decide whether certain indicators provide value. Does the data apply to your system? Will the indicators be visible on your SIEM solution, or do you need to tweak the quality, coverage and verbosity of the log sources?

3. Enrichment

Finally, the enrichment stage is when you start to add more information to the indicators and close the gap between threat intelligence and event intelligence.

Let’s say, for example, that your trusted source has shared SHA-1 malware hashes with you (threat intelligence), but you know that your systems are only logging MD5 hashes for email attachments (event intelligence). In this case, you can easily reach out to sources such as the IBM X-Force Exchange or VirusTotal to enrich the indicators. Both platforms are capable of showing the file information behind the SHA-1 hash or providing the MD5 hash required to perform a search on the system. This way, you can produce the right indicators to actually protect your business.

The possible use cases of enrichment are endless. In general, it helps SIAs in two major ways. First, it helps them understand individual indicators by adding the risk indication or getting deeper insight. When checking an IP address, for example, an analyst will receive additional indicators such as country of origin, owner and risk score.

Secondly, you can use the strategy to enrich a complete threat report. Here you can find additional information, such as which system types or software versions are actually affected by a CVE or which delivery method is normally used for a specific malware. All these enrichments can help SIAs better detect, understand and respond to threats.

Listen to the podcast to learn how cognitive technology benefits security intelligence analysts

Joerg Stephan
Security Consultant, IBM

Joerg Stephan is a security consultant with IBM and a former member of an international IBM team of dedicated customer analysts. Before joining IBM in 2014, ...
read more