ISOC

ISOC is an abbreviation which may refer to:
Information Security Operations Center, a location where enterprise information systems are monitored, assessed, and defended
Internet Society (ISOC), an international organization that promotes Internet use and access
Internal Security Operations Command, a unit of the Thai military devoted to national security issues
Islamic Society, various Islamic-based groups
Independent State of Croatia, a country that existed during WWII

Information Security Operations Center

An information security operations center (ISOC or SOC) is a facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended. A SOC is related to the people, processes and technologies that provide situational awareness through the detection, containment, and remediation of IT threats in order to manage and enhance an organization's security posture. A SOC will handle, on behalf of an institution or company, any threatening IT incident, and will ensure that it is properly identified, analyzed, communicated, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event), and determines whether it is a genuine malicious threat (incident) and whether it could affect the business.

Establishing and operating a SOC is expensive and difficult; organisations should need a good reason to do it. This may include:

A security operations center (SOC) can also be called a security defense center (SDC), security analytics center (SAC), network security operations center (NSOC), security intelligence center, cyber security center, threat defense center, or security intelligence and operations center (SIOC). In the Canadian federal government, the term infrastructure protection center (IPC) is used to describe a SOC.

SOCs typically are based around a security information and event management (SIEM) system, which aggregates and correlates data from security feeds such as network discovery and vulnerability assessment systems; governance, risk and compliance (GRC) systems; web site assessment and monitoring systems; application and database scanners; penetration testing tools; intrusion detection systems (IDS); intrusion prevention systems (IPS); log management systems; network behavior analysis and cyber threat intelligence; wireless intrusion prevention systems; firewalls, enterprise antivirus and unified threat management (UTM). The SIEM technology creates a "single pane of glass" for the security analysts to monitor the enterprise.

SOC staff includes analysts, security engineers, and SOC managers who should be seasoned IT and networking professionals. They are usually trained in computer engineering, cryptography, network engineering, or computer science and may have credentials such as CISSP or GIAC. SOC staffing plans range from eight hours a day, five days a week (8x5) to twenty-four hours a day, seven days a week (24x7). Shifts should include at least two analysts, and the responsibilities should be clearly defined. Large organizations and governments may operate more than one SOC to manage different groups of information and communication technology or to provide redundancy in the event one site is unavailable. SOC work can be outsourced, for instance, by using a managed security service.

The term SOC was traditionally used by governments and managed computer security providers, although a growing number of large corporations and other organizations also have such centers. The SOC and the network operations center (NOC) complement each other and work in tandem. The NOC is usually responsible for monitoring and maintaining the overall network infrastructure, and its primary function is to ensure uninterrupted network service. The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers, and other technologies. Likewise, the SOC and the physical security operations center coordinate and work together. The physical SOC is a facility in large organizations where security staff monitor and control security officers/guards, alarms, CCTV, physical access, lighting, vehicle barriers, etc. Not every SOC has the same role. There are three different focus areas in which a SOC may be active, and which can be combined in any combination:

In some cases the SOC, NOC or physical SOC may be housed in the same facility or organizationally combined, especially if the focus is on operational tasks. If the SOC originates from a CERT organisation, then the focus is usually more on monitoring and control, in which case the SOC operates independently from the NOC to maintain separation of duties. Typically, larger organizations maintain a separate SOC to ensure focus and expertise. The SOC then collaborates closely with network operations and physical security operations.

SOCs usually are well protected with physical, electronic, computer, and personnel security. Centers are often laid out with desks facing a video wall, which displays significant status, events and alarms, and ongoing incidents; a corner of the wall is sometimes used for showing a news or weather TV channel, as this can keep the SOC staff aware of current events which may affect information systems. A security engineer or security analyst may have several computer monitors on their desk.

Processes and procedures within a SOC will clearly spell out roles and responsibilities as well as monitoring procedures. These processes include business, technology, operational and analytical processes. They lay out what steps are to be taken in the event of an alert or breach, including escalation procedures, reporting procedures, and breach response procedures.

A cloud security operations center (CloudSOC) may be set up to monitor cloud service use within an enterprise (and keep the Shadow IT problem under control), or to parse and audit IT infrastructure and application logs via SIEM technologies and machine data platforms to provide alerts and details of suspicious activity.

A Smart SOC (Security Operations Center) is a comprehensive, technology-agnostic cybersecurity solution that utilizes leading-edge technology and tools, highly skilled and experienced human talent (composed of cyber intelligence gatherers, analysts, and security experts), and proactive cyberwarfare principles to prevent and neutralize threats against an organization's digital infrastructure, assets, and data.

In addition, there are many other commonly referenced terms related to the original "ISOC" title, including the following:

Cyber threat intelligence

Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats. It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit. Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence, device log files, forensically acquired data or intelligence from internet traffic, and data derived from the deep and dark web.

In recent years, threat intelligence has become a crucial part of companies' cyber security strategy, since it allows companies to be more proactive in their approach and determine which threats represent the greatest risks to a business. This puts companies on a more proactive footing, actively trying to find their vulnerabilities and preventing hacks before they happen. This method is gaining importance in recent years since, as IBM estimates, the most common way companies are hacked is via threat exploitation (47% of all attacks). Threat vulnerabilities have also risen in recent years due to the COVID-19 pandemic and more people working from home, which makes companies' data more vulnerable. Because of the growing threats on the one hand, and the growing sophistication needed for threat intelligence on the other, many companies have opted in recent years to outsource their threat intelligence activities to a managed security provider (MSSP).

The process of developing cyber threat intelligence is a circular and continuous process, known as the intelligence cycle, which is composed of five phases carried out by intelligence teams to provide leadership with relevant and useful intelligence to reduce danger and uncertainty. The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination. In planning and direction, the customer of the intelligence product requests intelligence on a specific topic or objective. Then, once directed by the client, the second phase begins, collection, which involves accessing the raw information that will be required to produce the finished intelligence product. Since information is not intelligence, it must be transformed and therefore must go through the processing and analysis phases: in processing (or the pre-analytical phase), the raw information is filtered and prepared for analysis through a series of techniques (decryption, language translation, data reduction, etc.); in the analysis phase, the organized information is transformed into intelligence. Finally, in the dissemination phase, the newly produced threat intelligence is sent to its various users.

There are three overarching, though not strictly delimited, classes of cyber threat intelligence: 1) tactical; 2) operational; 3) strategic. These classes are fundamental to building a comprehensive threat assessment.

Cyber threat intelligence provides a number of benefits, which include:

There are three key elements that must be present for information or data to be considered threat intelligence:

Cyber threats involve the use of computers, storage devices, software, networks and cloud-based repositories. Prior to, during or after a cyber attack, technical information about the information and operational technology, devices, network and computers between the attacker(s) and the victim(s) can be collected, stored and analyzed. However, identifying the person(s) behind an attack, their motivations, or the ultimate sponsor of the attack (termed attribution) is sometimes difficult, as attackers can use deceptive tactics to evade detection or mislead analysts into drawing incorrect conclusions. Multiple efforts in threat intelligence emphasize understanding adversary TTPs to tackle these issues.

A number of recent cyber threat intelligence analytical reports have been released by public and private sector organizations which attribute cyber attacks. These include Mandiant's APT1 and APT28 reports, US-CERT's APT29 report, and Symantec's Dragonfly, Waterbug Group and Seedworm reports.

In 2015, U.S. government legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. This act required the U.S. federal government to facilitate and promote four CTI objectives:

In 2016, the U.S. government agency National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150) which further outlined the necessity for cyber threat information sharing as well as