Light Dark
March 7, 2017 By Joerg Stephan 3 min read
Intelligence & Analytics

In the modern security operations center (SOC) model, the security intelligence analyst (SIA) represents a core role. In my opinion, it is one of the most important roles in the field of the cybersecurity.

The Role of the Security Intelligence Analyst

Customers often ask me what the role of the SIA actually is. The SIA is responsible for protecting the organization against real-world threats. This requires an intimate understanding of the technology that is used throughout the organization and how it benefits the business.

When security analysts read the latest security intelligence feeds, they must understand how certain events affect clients and know how to respond appropriately to protect customer data.

Three Main Elements of Cybersecurity

To fulfill these responsibilities, an SIA’s decision-making process should revolve around three key elements: threat intelligence, event intelligence and enrichment. Each of these areas is rich for information mining. The more company-focused the fields, the richer the outcome.

1. Threat Intelligence

Basically, threat intelligence describes all the information you can get about actual threats to your company. Nowadays, many companies and communities will share this information with you.

To avoid overloading your feed consumption, especially when you’re getting started, I recommend focusing on industry sector and geolocation. If your organization is part of the financial sector, for example, reach out to the Financial Services — Information Sharing and Analysis Center (FS-ISAC). This industry-specific intelligence is shared by companies just like yours, so the likelihood of facing a common threat is rather high.

The same goes for geolocation. Try to connect with your local computer emergency response team (CERT), such as the European Union Computer Emergency Response Team (CERT-EU), to gain a deeper understanding of actual threats in your area. If your IT infrastructure is located in a specific country, the volume of attacks against a certain region or IP range is very useful intelligence.

2. Event Intelligence

If you have ever taken a look at the input stream of a security information and event management (SIEM) solution or have seen the messages log on a Linux system, you are aware of the need to understand these events. This knowledge, combined with the know-how to tweak this output, is what I mean when I talk about event intelligence.

Event intelligence helps you understand the threat data you can actually use and decide whether certain indicators provide value. Does the data apply to your system? Will the indicators be visible on your SIEM solution, or do you need to tweak the quality, coverage and verbosity of the log sources?

3. Enrichment

Finally, the enrichment stage is when you start to add more information to the indicators and close the gap between threat intelligence and event intelligence.

Let’s say, for example, that your trusted source has shared SHA-1 malware hashes with you (threat intelligence), but you know that your systems are only logging MD5 hashes for email attachments (event intelligence). In this case, you can easily reach out to sources such as the IBM X-Force Exchange or VirusTotal to enrich the indicators. Both platforms are capable of showing the file information behind the SHA-1 hash or providing the MD5 hash required to perform a search on the system. This way, you can produce the right indicators to actually protect your business.

The possible use cases of enrichment are endless. In general, it helps SIAs in two major ways. First, it helps them understand individual indicators by adding the risk indication or getting deeper insight. When checking an IP address, for example, an analyst will receive additional indicators such as country of origin, owner and risk score.

Secondly, you can use the strategy to enrich a complete threat report. Here you can find additional information, such as which system types or software versions are actually affected by a CVE or which delivery method is normally used for a specific malware. All these enrichments can help SIAs better detect, understand and respond to threats.

Listen to the podcast to learn how cognitive technology benefits security intelligence analysts

 |  |  |  | 
Joerg Stephan
Security Consultant, IBM

More from Intelligence & Analytics
February 6, 2025

Hacking the mind: Why psychology matters to cybersecurity

4 min read - In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind every breach is a calculated manipulation, and behind every defense, a strategic response. The psychology of cyber crime, the resilience of security professionals and the behaviors of everyday users combine to form the human element of cybersecurity. Arguably, it's the…

November 27, 2024

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

September 5, 2024

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature