Cyber intelligence is driven by the service's capability of communicating across and up:

• Across = Operational level teams
• Up = Tactical level SOC through F3EAD process and Security State Analysis

The main questions to answer here are:

• Who needs to know this information for:
  • Remediation efforts?
  • Reference to their processes and analyses?
• What do they need to know?
  • How does this need to be delivered?
  • Is there customization of the information that needs to be done so that it is actionable?

By the end of this phase, the information should be distributed to the right people in the proper format for action. The following is a graphical representation of the service capabilities and how they integrate with the SOC:

In the preceding diagram, we have three layers:

• Tactical
• Operational
• Evaluated Areas

As we can see in the Tactical layer, the Security Content Management service interfaces with the SOC. The SOC would be providing the Feedback, Command and Control, and Situational Awareness for this particular service, as well as all of the other services that it is responsible for.

Going counterclockwise, the service drives down Tactical initiatives to the Operational level through their core processes. In the Operational level is where the interface between the operational team and the stakeholders is. The SCM service discovers and detects, and may or may not reduce risk through communicating with stakeholders in the evaluated areas.

Through the constant communication and interaction between the team and the stakeholders, the data being collected is reconciled at the Operational level in preparation to move to the Tactical level. If it is normal reporting, then the information would go through the normal reporting channels and cyber intelligence information on specific, targeted data would go through F3EAD processes up to the Tactical level.