Baselines and anomalies

If you have worked in IT and watched the traffic levels on a network monitoring tool, you know that a baseline is the reference point for every comparison: it describes what normal looks like. An anomaly is anything that trends away from that baseline. An anomaly can be a positive or a negative deviation from the baseline being evaluated, and both kinds are worth investigating.

Establishing baselines is difficult because we first have to define what normal is and only then start measuring against that definition. We define normal by monitoring the regular activity of the items we are interested in over a specific period of time, long enough to capture the ordinary cycles (workdays, nights, weekends) that the measurements follow.

The following are examples of anomalies against a baseline:

  • Regular users attempting to access directories they are not permitted to access more than five times in a week
  • Network usage spikes during off hours
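The two anomalies above can be turned into detection logic with very little code. The following Python example is added here for illustration; it is not part of the original text. It builds both baselines from constructed sample records (the timestamps, user names, byte counts, the five-denials-per-week limit, the 08:00 to 17:59 business-hours window and the three-standard-deviation threshold are all assumptions) and reports the records that deviate from them.

```python
"""Added example, not from the original text: learn two simple baselines from
constructed records and flag the deviations described above.
Field layouts, thresholds and business hours are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real logs): ISO timestamp, user, result of a
# directory access attempt. Only DENIED results count toward the weekly check.
ACCESS_LOG = [
    ("2024-03-04T09:12:00", "alice", "DENIED"),
    ("2024-03-04T09:13:00", "alice", "DENIED"),
    ("2024-03-05T10:01:00", "alice", "DENIED"),
    ("2024-03-05T10:02:00", "alice", "OK"),
    ("2024-03-06T11:30:00", "alice", "DENIED"),
    ("2024-03-07T08:45:00", "alice", "DENIED"),
    ("2024-03-08T16:20:00", "alice", "DENIED"),   # sixth denial in ISO week 10
    ("2024-03-04T14:00:00", "bob",   "DENIED"),
    ("2024-03-06T14:00:00", "bob",   "DENIED"),
    ("2024-03-11T09:00:00", "alice", "DENIED"),   # new ISO week: the count resets
]

# Constructed hourly byte counts: (ISO timestamp, bytes). The first list is the
# training window used to learn "normal"; the second is the period under review.
# Learning from a separate window keeps a spike from inflating its own baseline.
TRAINING_TRAFFIC = [
    ("2024-03-04T01:00:00", 1000), ("2024-03-04T02:00:00", 1200),
    ("2024-03-04T03:00:00", 900),  ("2024-03-04T04:00:00", 1100),
    ("2024-03-04T12:00:00", 50000),   # business hours: excluded from the off-hours baseline
    ("2024-03-05T01:00:00", 1000), ("2024-03-05T02:00:00", 1100),
    ("2024-03-05T03:00:00", 900),  ("2024-03-05T04:00:00", 1000),
]
REVIEW_TRAFFIC = [
    ("2024-03-06T02:00:00", 1100),   # within the baseline
    ("2024-03-06T03:00:00", 9000),   # off-hours spike
    ("2024-03-06T14:00:00", 9000),   # business hours: not judged by this baseline
]

BUSINESS_HOURS = range(8, 18)   # assumed 08:00 to 17:59 local time


def denied_access_anomalies(records, limit=5):
    """Return {(user, (iso_year, iso_week)): count} for every user whose DENIED
    attempts within one ISO week exceed `limit` (assumed threshold)."""
    counts = defaultdict(int)
    for ts, user, result in records:
        if result != "DENIED":
            continue
        iso = datetime.fromisoformat(ts).isocalendar()
        counts[(user, (iso[0], iso[1]))] += 1
    return {key: n for key, n in counts.items() if n > limit}


def is_off_hours(ts):
    """True when the sample falls outside the assumed business-hours window."""
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def build_off_hours_baseline(samples):
    """Mean and population standard deviation of off-hours byte counts."""
    values = [b for ts, b in samples if is_off_hours(ts)]
    return mean(values), pstdev(values)


def off_hours_spikes(samples, baseline, k=3.0):
    """Off-hours samples more than k standard deviations above the baseline mean."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return [(ts, b) for ts, b in samples if is_off_hours(ts) and b > threshold]


if __name__ == "__main__":
    print("weekly denied-access anomalies:", denied_access_anomalies(ACCESS_LOG))
    baseline = build_off_hours_baseline(TRAINING_TRAFFIC)
    print("off-hours baseline (mean, stddev):", baseline)
    print("off-hours spikes:", off_hours_spikes(REVIEW_TRAFFIC, baseline))
```

Two points the code makes that the bullets alone do not: the weekly counter is keyed on the ISO week, so a burst that straddles Sunday night and Monday morning is split across two windows (a sliding seven-day window would catch it), and the daytime 9000-byte sample is deliberately not reported, because the baseline learned here only describes off-hours traffic; business-hours traffic needs its own baseline.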

We could establish baselines for an almost unlimited number of things, so before we go down a rabbit hole of what-if statements, let's narrow the focus: cyber intelligence should provide a continuous monitoring capability that identifies deviations from baselines on a few items shared between IT operations and IT security.
