COMP.SEC.100, 9. Security Operations & Incident Management
Know: intelligence and analytics (advanced)¶
Intelligence and analytics concern the CTI and CERT & ISAC components of the SOIM figure. This subsection examines some viewpoints on these and leads to the conclusion that intelligence and information sharing improve situational awareness, which is not only important but also largely required by regulation.
Cybersecurity knowledge management (advanced)¶
SIEM platforms are the most important technical tool supporting analysts in their defensive tasks. The earliest attempt at managing cybersecurity information was the sharing of vulnerability information through CERT advisories. Today such information is managed through the CVE database and the CVSS classification; other databases also exist, such as the NIST National Vulnerability Database. The performance of these platforms depends on the information that is made available to their analysts.
CVE provides a way to reference vulnerabilities. This information is extremely useful for IDS signatures, as the vulnerable product and its version can be precisely identified. In addition, broader classification is required for higher-level processing, and for this purpose CVSS provides a standard way to assess the impact of vulnerabilities using numerical scores.
The performance of SIEM and SOAR platforms relies on the availability of accurate and comprehensive data in their databases. This information must also be continuously maintained.
Cyber-threat intelligence, CTI (advanced)¶
Information has also long been gathered about attackers using honeypots, which are noted here only briefly: they are unusual information systems in that their whole value lies in being accessed without authorisation or illegally. Honeypots and honeynets are introduced in the context of network security. They have largely been replaced by other kinds of indicators of compromise and by statistical processing of observations. Nevertheless, honeypots have demonstrated that it is useful to observe malicious activity, capture malware, and detect new threats before they can spread widely. Attack mechanisms and trends are studied both by examining Internet-wide malicious activity and by conducting malware analysis.
Cyber-threat intelligence also includes information sharing, which national authorities increasingly require. Information sharing is the result of data analytics and is extremely useful for defenders, since risks, protection options, and mitigation possibilities are then better understood.
Situational awareness (advanced)¶
Situational awareness is defined as a cognitive process in which elements of the environment are perceived within a given time and space, their meaning is understood, and their status can be projected into the near future. The definition originates from aviation, and when applied to cybersecurity it means awareness of all suspicious or interesting activity in cyberspace. In addition to technology, cyber situational awareness research is influenced by the social sciences and has also been widely studied in military contexts.
The SIEM landscape is undergoing significant change due to regulation and the impact of cyber attacks. From a regulatory perspective, operators of critical infrastructure are required to include detection and mitigation capabilities. This is reflected in the implementation of the European NIS directive in national legislation (version NIS2 2025–). ENISA regularly provides information on cybersecurity incidents, particularly regarding detection and management procedures. Cooperation in information sharing continues to increase, and information sharing is critically important for sound decision-making.