From Monitoring, Logging, and Network Analysis to Threat Intelligence Extraction
This chapter provides an introduction to the concepts of information sharing and introduces the different sources of information currently used to identify cybersecurity incidents at the system or corporate level. It highlights their benefits and shortcomings and describes the common setup of monitoring infrastructures. The chapter also provides details about analysis methods that combine information from multiple sources in different ways to derive higher-level alerts. These concepts include signature-based approaches, anomaly detection, stateful analysis, and ontologies. As cyber threat intelligence is shared in the form of indicators or threat intelligence reports, asset management is vital for an organization to filter these information streams. Effective use of this information requires that efficient asset management processes be in place to identify the potentially vulnerable components in the managed network. Centralized logging makes log management much easier and simplifies the correlation of information collected at different locations in a network.
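As an added illustration of the last two points, the combination of signature matching with a simple stateful count over centrally collected logs, here is a small correlator that is not part of the chapter: the log lines, host names, addresses and field layout (`host=`, `src=`, `msg=`) are all constructed for the example, and the thresholds are arbitrary. It parses lines that arrived from several hosts at one central collector, applies two signature rules, and raises one higher-level alert when the same source address fails authentication on more than one host, enriching the alert with matching firewall denies.

```python
"""Correlating centrally collected logs from several sources into one higher-level alert.
Added example; the format and data below are constructed, not taken from any real system."""
import re
from collections import defaultdict

# Constructed sample lines as a central collector might store them (RFC 5737 test addresses).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z host=web01 src=auth msg=Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:03Z host=web01 src=auth msg=Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:04Z host=db01 src=auth msg=Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:06Z host=fw01 src=firewall msg=DENY TCP 203.0.113.7 -> 10.0.0.5:22",
    "2024-03-01T10:00:07Z host=web01 src=auth msg=Accepted password for deploy from 198.51.100.9",
    "2024-03-01T10:00:09Z host=db01 src=auth msg=Failed password for admin from 203.0.113.7",
]

# Envelope layout assumed for this example: timestamp, originating host, log source, free-text message.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) msg=(?P<msg>.*)$")

# Signature-based rules: a pattern on the message text, mapped to a normalized event name.
SIGNATURES = {
    "auth_failure": re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)"),
    "fw_deny": re.compile(r"DENY \S+ (?P<ip>\S+) -> (?P<dst>\S+)"),
}


def parse(line):
    """Split one collector line into fields and tag it with the first matching signature."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skipped rather than crashing the pipeline
    rec = m.groupdict()
    for name, sig in SIGNATURES.items():
        s = sig.search(rec["msg"])
        if s:
            rec["event"] = name
            rec.update(s.groupdict())  # pull user/ip/dst out of the message
            return rec
    rec["event"] = "other"
    return rec


def correlate(lines, min_hosts=2, min_failures=3):
    """Stateful correlation across hosts: alert on a source IP whose authentication
    failures span at least min_hosts distinct hosts and total at least min_failures.
    Firewall denies for the same IP are attached as supporting context."""
    failures = defaultdict(list)
    denies = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"] == "auth_failure":
            failures[rec["ip"]].append(rec)
        elif rec["event"] == "fw_deny":
            denies[rec["ip"]] += 1

    alerts = []
    for ip, recs in failures.items():
        hosts = sorted({r["host"] for r in recs})
        if len(hosts) >= min_hosts and len(recs) >= min_failures:
            alerts.append({
                "ip": ip,
                "hosts": hosts,
                "failures": len(recs),
                "users": sorted({r["user"] for r in recs}),
                "fw_denies": denies.get(ip, 0),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The point of the example is that no single host's log justifies an alert on its own (two failures on web01, two on db01); only the central view lets the correlator see the same address across locations and combine it with the firewall's record. Real deployments would replace the regex envelope with the collector's structured format and tune the thresholds to the environment.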