Demystifying Cyber Intelligence

October 31, 2016

As cyber security takes its place as the industry to watch for the foreseeable future, discussion surrounding this sector has become a minefield of buzzwords and infographics. One of its most talked-about—yet least understood—concepts is Cyber Intelligence.

Cyber Intelligence

In an ominous threat landscape, the use of Cyber Intelligence has become crucial for IT Security and Incident Response teams.[1] Although the implementation of Cyber Intelligence among IT departments is more widespread than ever, many security professionals are unclear about what Cyber Intelligence is and how best to use it. Many CIOs are currently implementing Cyber Intelligence but are unable to quantify how the solution improves their risk management posture. To make the most of Cyber Intelligence, security professionals need a basic understanding of how it works and what is needed to use it effectively.

What is Cyber Intelligence?

For a tool regarded as indispensable to a solid cybersecurity posture, one would be hard-pressed to find a consensus on what Cyber Intelligence actually is. One reason for the disarray is that the tools and processes surrounding Cyber Intelligence are still maturing and adjusting to unpredictable threats. Discord also stems from a glut of community-driven standards that contradict each other, built on vague data and antiquated methodology. The lack of standardized knowledge of Cyber Intelligence has generated not only uncertainty about its purpose, but also doubt among higher-ups about its ultimate value.

In a nutshell, Cyber Intelligence is a systemized coordination of analytics platforms, business intelligence, and information forensics that converts ingested data into an actionable security initiative. Cyber Intelligence feeds are managed and analyzed by an integrated SIEM platform, a dedicated intrusion monitoring platform, or a holistic forensics platform.[2] Whatever the platform, an effective intelligence lifecycle is a feedback loop that can use the information it disseminates to optimize performance. Cyber Intelligence cycles can be broken down into the following steps.[3]

  • Ingestion – Data from firewall logs, intrusion detection system logs, honeypots, etc. is fed into the Cyber Intelligence platform for processing. Information fed into the platform should reflect the intelligence goals determined by the IT department.
  • Processing – Raw and binary data is analyzed and converted into human-readable information (ASCII, EBCDIC).
  • Production – Information is converted into an intelligence product, strategy, or solution. This process often involves the collaboration of several cyber consultants and IT strategists.
  • Diffusion – The final product, strategy, or solution is integrated or released. Results are used to optimize the Cyber Intelligence cycle.
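
The four steps above, sketched as a minimal pipeline with the feedback loop made explicit. This is an added illustration, not code from the original article; the log formats, field names, function names and the `min_hits` threshold are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample input (documentation IP ranges, invented log format).
FIREWALL_LOG = [
    "2016-10-31T09:00:01Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2016-10-31T09:00:02Z DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2016-10-31T09:00:03Z ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443",
    "2016-10-31T09:00:09Z DENY src=192.0.2.55 dst=10.0.0.5 dport=3389",
]
IDS_LOG = [
    "2016-10-31T09:00:04Z ALERT sig=ssh-bruteforce src=203.0.113.7",
    "2016-10-31T09:00:10Z ALERT sig=port-scan src=192.0.2.55",
    "2016-10-31T09:00:11Z ALERT sig=port-scan src=192.0.2.55",
]
LINE = re.compile(r"^(\S+) (DENY|ALLOW|ALERT) (.*)$")

def ingest(sources, goals):
    """Ingestion: read raw lines, keeping only event types named in the goals."""
    for name, lines in sources.items():
        for raw in lines:
            m = LINE.match(raw)
            if m and m.group(2) in goals:
                yield name, m

def process(ingested):
    """Processing: convert each raw line into a structured record."""
    for name, m in ingested:
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        yield {"sensor": name, "time": m.group(1), "action": m.group(2), **fields}

def produce(records, known, min_hits=2):
    """Production: count hits per source address, skip indicators already
    released, and keep addresses with at least min_hits events."""
    hits = Counter(r["src"] for r in records if r["src"] not in known)
    return [ip for ip, n in hits.most_common() if n >= min_hits]

def diffuse(product, known):
    """Diffusion: release the product and record it for the next cycle."""
    known.update(product)
    return [f"block {ip}" for ip in product]

def run_cycle(known):
    """One pass through the cycle; `known` carries feedback between passes."""
    sources = {"firewall": FIREWALL_LOG, "ids": IDS_LOG}
    records = process(ingest(sources, goals={"DENY", "ALERT"}))
    return diffuse(produce(records, known), known)
```

Running `run_cycle` twice with the same `known` set shows the feedback: the second pass releases nothing new because the first pass's indicators are already recorded.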

Though Cyber Intelligence can be a wormhole in terms of intricacy and depth, a simple definition makes it easier to recognize its place within Cybersecurity. From this outline, a basic understanding of how Cyber Intelligence works can be grasped. The success of Cyber Intelligence depends not only on the sophistication of the tools, but also on the skill of the cyber consultants and decision-makers involved.

[1] SANS State of Cyber Threat Intelligence Survey: CTI Important and Maturing. SANS Analyst Program.

[2] “Who’s Using Cyberthreat Intelligence and How.” www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767

[3] “An Introduction to Cyber Intelligence.” http://www.tripwire.com/state-of-security/security-data-protection/introduction-cyber-intelligence/
