Describe security intelligence authoring, sharing, and consumption

📘CCNP security (350-701)

1. What Is Security Intelligence?

Security intelligence is information about threats and attacks that helps security systems detect, prevent, and respond to cyber threats.

It answers questions such as:

What type of attack is happening?
Where did it come from?
Is it known to be malicious?
How dangerous is it?
How should systems respond?

Security intelligence is used by:

Firewalls
Intrusion detection systems (IDS/IPS)
Endpoint protection tools
SIEM platforms
Email and web security systems

2. Why Security Intelligence Is Important

Security intelligence allows organizations to:

Detect attacks early
Block known malicious activity
Respond faster and accurately
Reduce false alerts
Share threat knowledge across teams and tools

Without security intelligence:

Security tools work blindly
Attacks are harder to detect
Response is slow and reactive

3. The Security Intelligence Lifecycle

Security intelligence works in three main stages:

Authoring – Creating intelligence
Sharing – Distributing intelligence
Consumption – Using intelligence

This lifecycle is continuous.

4. Security Intelligence Authoring

4.1 What Is Authoring?

Authoring means creating security intelligence from data.

It involves:

Collecting security data
Analyzing that data
Turning it into usable threat information

4.2 Sources Used for Authoring

Security intelligence is authored using data from:

Network logs
Firewall logs
IDS/IPS alerts
Endpoint security alerts
Malware analysis results
SIEM correlation results
Threat research teams
Incident response investigations

4.3 Types of Intelligence Created

Authoring produces different types of intelligence:

a. Indicators of Compromise (IOCs)

Malicious IP addresses
Malicious domains
File hashes
URLs
Email sender addresses

b. Behavioral Indicators

Unusual login patterns
Abnormal traffic flows
Suspicious file execution behavior

c. Threat Signatures

IDS/IPS signatures
Malware detection patterns
Exploit detection rules

d. Contextual Intelligence

Threat severity
Confidence score
Attack type
Known threat actor association

4.4 Manual vs Automated Authoring

Manual Authoring

Done by security analysts
Uses investigation and research
High accuracy but slower

Automated Authoring

Done by security tools
Uses analytics and machine learning
Faster but may need validation

Most environments use both.

5. Security Intelligence Sharing

5.1 What Is Sharing?

Sharing means distributing security intelligence so other systems or organizations can use it.

Sharing improves:

Visibility
Coordination
Defense across multiple systems

5.2 Why Sharing Is Important

Threats spread quickly
One system’s detection can protect others
Reduces duplicated analysis
Enables coordinated defense

5.3 Internal vs External Sharing

Internal Sharing

Within the same organization:

Firewall to SIEM
SIEM to endpoint protection
SOC tools sharing IOCs

External Sharing

Between organizations:

Vendors
Industry groups
Trusted partners
Threat intelligence providers

5.4 Sharing Formats and Standards (Exam Important)

Security intelligence is shared using standard formats:

a. STIX (Structured Threat Information Expression)

Standard format for threat data
Describes IOCs, threats, relationships
Machine-readable

b. TAXII (Trusted Automated Exchange of Intelligence Information)

Transport mechanism
Used to share STIX data
Supports automated sharing

STIX = data format
TAXII = data transport

5.5 Cisco Intelligence Sharing Examples

Cisco security solutions share intelligence through:

Cisco Talos
SecureX
Cisco firewalls and endpoints
Cloud-based intelligence feeds

6. Security Intelligence Consumption

6.1 What Is Consumption?

Consumption is the process of using security intelligence to take action.

Security tools consume intelligence to:

Detect threats
Block malicious activity
Generate alerts
Trigger responses

6.2 Systems That Consume Intelligence

Security intelligence is consumed by:

Firewalls (block IPs/domains)
IDS/IPS (detect exploits)
Endpoint security (detect malware)
Email security (block phishing)
SIEM (correlate alerts)
SOAR platforms (automate response)

6.3 How Intelligence Is Used

Security intelligence enables:

a. Detection

Identifying known threats
Matching IOCs

b. Prevention

Blocking traffic
Quarantining files
Denying access

c. Response

Creating alerts
Triggering automated actions
Supporting incident response

6.4 Real-Time vs Historical Consumption

Real-Time

Blocking active threats
Immediate alerting

Historical

Threat hunting
Incident investigation
Forensics analysis

7. Integration with Security Operations

Security intelligence is tightly integrated with:

SOC (Security Operations Center)

Analysts review intelligence
Prioritize incidents
Improve detection rules

SIEM

Correlates intelligence with logs
Reduces false positives

SOAR

Automates actions based on intelligence
Enforces consistent response

8. Challenges in Security Intelligence

Understanding challenges helps for exam questions.

Common Challenges:

False positives
Low-quality intelligence
Lack of context
Too much data
Poor integration
Delayed sharing

9. Best Practices (Exam Focus)

Cisco expects understanding of best practices:

Use trusted intelligence sources
Automate sharing and consumption
Add context to intelligence
Regularly update intelligence feeds
Correlate intelligence with internal data
Validate intelligence before blocking critical systems

10. Key Exam Summary (Must Remember)

For the SCOR 350-701 exam, remember:

Security intelligence = threat information used to detect and respond
Authoring = creating intelligence from security data
Sharing = distributing intelligence internally and externally
Consumption = using intelligence in security tools
STIX = threat data format
TAXII = sharing mechanism
Intelligence improves detection, prevention, and response
Used by firewalls, endpoints, SIEM, SOAR, and SOC teams

11. One-Line Memory Aid

Author → Share → Consume → Detect → Respond → Improve