Applying an intelligence-based approach to Cybersecurity; SIEM and dark web monitoring

November 6, 2023  |  Chris Mark

“History repeatedly has demonstrated that inferior forces can win when leaders are armed with accurate intelligence.” – Central Intelligence Agency; Intelligence in War

In the ever-changing landscape of global cybersecurity, the boundaries between traditional military intelligence and cybersecurity are increasingly blurred. At the heart of this convergence lies the science of intelligence analysis—a process fundamental to both realms. Equally important is the recognition of target indicators, which serve as harbingers of impending activities, whether on a battlefield or within the complex circuits of cyberspace.

For the modern organization, Security Information and Event Management (SIEM) systems serve as the nexus where the ancient art of intelligence gathering meets the contemporary needs of cybersecurity. This fusion is further enriched by dark web monitoring, a relatively new frontier in information gathering that equips analysts with a fuller understanding of the threat landscape in the darker recesses of the Internet where cybercriminals do their bidding.

Traditionally, military intelligence has been the linchpin of strategic and tactical decision-making. It involves complex processes for data collection, analysis, and interpretation.  In short, it turns ubiquitous data into actionable intelligence. The types of data used in intelligence analysis range from intercepted radio communications, satellite images, and even information gathered from troops on the ground. Analysts and applications sift through this plethora of information to extract actionable insights, scrutinizing for target indicators—clues that signal the enemy's intent or location. For instance, an unusual accumulation of vehicles in a remote area could indicate the staging of troops, thereby serving as a target indicator. Recognizing such cues is crucial for informed decision-making.

Likewise, in cybersecurity, intelligence analysis serves as the backbone of protective strategies. Here, data collection is continuous and automated, thanks to SIEM systems and security correlation engines. These systems aggregate logs from various network endpoints, generating alerts based on defined rules that flag anomalies or known indicators of compromise. Just as military analysts look for signs like troop movement or weapons stockpiling, cybersecurity analysts review SIEM logs for target indicators such as repeated failed login attempts or abnormal data transfers, which might indicate a cyber-attack.

The enrichment of SIEM data sets through dark web monitoring brings a novel depth to cybersecurity. For the uninitiated, the dark web serves as a haven for cybercriminals, offering a marketplace for anything from hacking tools to stolen data. This space is often the first point of compromise, where stolen data may appear for sale or where impending cyber-attacks might be discussed.

Dark web monitoring involves the tracking of these criminal forums and marketplaces for specific keywords, threats, or data sets related to an organization. Information gleaned from the dark web provides that extra layer of intelligence, allowing for a more proactive cybersecurity posture. For example, a company might discover on the dark web that its stolen user credentials or company client lists are being sold. This type of information is a specific target indication that a company has experienced a data breach at some level.

The parallels between military intelligence and cybersecurity are not merely conceptual; they have practical implications. Military operations often employ real-time data analytics to generate quick situational reports, enabling rapid decision-making. In a similar vein, a well-configured SIEM system can offer real-time analysis of security alerts generated by hardware and software infrastructures. In both contexts, the speed and accuracy of the intelligence analysis are crucial for successful outcomes. 

Organizations that successfully implement both dark web monitoring and SIEM solutions stand to benefit in manifold ways. Apart from augmenting the data pool for analysis, it adds a proactive element to the generally reactive field of cybersecurity. It allows for the anticipation of attacks rather than just preparation for them, thereby offering the strategic advantage of time—often the most crucial factor in both military and cybersecurity operations.

In summary, the art of intelligence gathering and analysis, forged and refined through centuries of military strategy, finds a new battleground in the domain of cybersecurity. SIEM systems serve as the operational hubs where these time-tested strategies meet the unique challenges posed by the digital age. Further enriched by the advent of dark web monitoring, the modern SIEM system is a testament to the synergetic power of combining the old with the new. As we continue to navigate the evolving landscape of threats, both physical and digital, the integration of these diverse yet interrelated fields will be key to devising more robust, resilient defense mechanisms for the future.

AT&T provides a number of advanced cybersecurity products and solutions designed to help companies navigate the challenging landscape of today’s cyber threats.  AT&T’s Dark Web Monitoring provides an industry leading dark web monitoring solution to identify credentials, and other target indicators of a breach. Additionally, AT&T’s USM Anywhere, a centralized security monitoring solution, is essentially a SIEM on steroids.  By providing security events and alerts in a single pain of glass, USM Anywhere enables decision makers to make decisions based upon actionable intelligence. 

Share this with others

Get price Free trial