Security Intelligence (SI) describes the practice of collecting, standardizing, and analyzing data that is generated by networks, applications, and other IT infrastructure in real-time, and the use of that information to assess and improve an organization's security posture.
Security Intelligence (SI) includes the deployment of software assets and personnel with the objective of discovering actionable and useful insights that drive threat mitigation and risk reduction for the organization.
To enable Security Intelligence across an organization's network at scale, you need to pull data from many different sources, analyze it with sophisticated software tools, and produce actionable insights (the intelligence) that let you prevent cyberattacks against the enterprise IT infrastructure.
Professionals in IT, software, and related fields often use "data", "information", and "intelligence" interchangeably, but the distinctions are important.
What is Data?
Data consists of discrete facts and statistics gathered as the basis for further analysis.
What is Information?
Information is comprised of multiple data points that are combined to answer specific questions.
What is Intelligence?
Intelligence is the output of an analysis of data and information that uncovers patterns and provides vital context to inform decision-making.
Without accurate, well-formed data, it is difficult to derive intelligence from it or to provide the insights on any platform that drive decision-making.
Resolution Intelligence supports the following categories of Security Intelligence.
Threat detection (TD) is the practice of analyzing the entirety of a security ecosystem to identify any malicious activity that could compromise the network. If a threat is detected, then mitigation efforts must be enacted to properly neutralize the threat before it can exploit any present vulnerabilities.
Response is the process by which security analysts act on any threat (known or unknown) detected in the tenant's IT infrastructure in order to limit the damage.
Threat detection example
What is the threat?
SOC analysts are first alerted that an attack may be in progress by a signal from an analytic that looks for the remote creation of a scheduled task (Behavioral).
After seeing this signal, the analyst runs an analytic that looks for anomalous services on the host from which the task was created. This analytic reveals that, not long before the remote task was scheduled, a new service was in fact created on the originating host (Anomaly/Outlier).
What is it doing?
Suspecting that the compromised machine was used to access other hosts, the analyst decides to investigate any other remote connections that may have been attempted from it. To this end, the analyst runs an analytic that lists all of the remote logins in the environment that originated from the machine in question and discovers other hosts to which connections were made (Situational Awareness).
Does it matter?
After identifying the new suspicious service, the analyst investigates further by running an analytic that identifies all child processes of the suspicious service. Investigating in this way may reveal indicators of what activity was being performed on the host. This investigation exposes the behavior of the RAT. Running the same analytic again, this time looking for children of the RAT's child process, reveals the execution of PowerShell by the RAT (Forensic).
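The four analytics in the walkthrough above (remote scheduled-task creation, recently installed services on the originating host, remote logins from that host, and the process tree under the suspicious service) can be expressed as small queries over endpoint telemetry and chained in the same order. The following Python is an added example written for this page, not Resolution Intelligence's own code or detection content. The event records are constructed for the example and only loosely follow Windows event log fields (7045 service installed, 4688 process created, 4624 logon, 4698 scheduled task created); the assumption that a 4698 event and the 4624 network logon that created it share a `logon_id` is how the example ties a task to the remote session that created it.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). 7045 = service installed,
# 4688 = process created, 4624 = logon (type 3 = network), 4698 = task created.
EVENTS = [
    {"time": "09:00:00", "host": "HOST-A", "event_id": 4624, "logon_type": 2,
     "logon_id": "0x1a", "source_host": "HOST-A"},                     # benign console logon
    {"time": "10:00:30", "host": "HOST-A", "event_id": 7045, "service": "svchlp",
     "image": r"C:\Users\Public\svchlp.exe"},                           # new service (the RAT)
    {"time": "10:01:10", "host": "HOST-A", "event_id": 4688, "pid": 4012, "ppid": 700,
     "image": r"C:\Users\Public\svchlp.exe"},
    {"time": "10:01:40", "host": "HOST-A", "event_id": 4688, "pid": 4100, "ppid": 4012,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"time": "10:01:45", "host": "HOST-A", "event_id": 4688, "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "10:02:00", "host": "HOST-B", "event_id": 4624, "logon_type": 3,
     "logon_id": "0x2b", "source_host": "HOST-A"},                     # network logon A -> B
    {"time": "10:02:20", "host": "HOST-B", "event_id": 4698, "logon_id": "0x2b",
     "task": r"\Updater"},                                              # task created in that session
    {"time": "10:03:00", "host": "HOST-C", "event_id": 4624, "logon_type": 3,
     "logon_id": "0x3c", "source_host": "HOST-A"},                     # network logon A -> C
]


def _t(s):
    return datetime.strptime(s, "%H:%M:%S")


def remote_task_creations(events):
    """Behavioral analytic: scheduled tasks created under a network logon session.
    A 4698 is 'remote' when its logon_id matches a type-3 4624 on the same host."""
    net_logons = {(e["host"], e["logon_id"]): e["source_host"]
                  for e in events if e["event_id"] == 4624 and e["logon_type"] == 3}
    hits = []
    for e in events:
        if e["event_id"] == 4698:
            src = net_logons.get((e["host"], e["logon_id"]))
            if src:
                hits.append({"target": e["host"], "source": src,
                             "task": e["task"], "time": e["time"]})
    return hits


def new_services_before(events, host, before, window_seconds=600):
    """Anomaly/outlier analytic: services installed on host within the window
    ending at 'before' (the time the remote task was scheduled)."""
    end = _t(before)
    start = end - timedelta(seconds=window_seconds)
    return [e for e in events if e["event_id"] == 7045 and e["host"] == host
            and start <= _t(e["time"]) <= end]


def remote_logins_from(events, source_host):
    """Situational-awareness analytic: hosts reached by network logons from source_host."""
    return sorted({e["host"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 3
                   and e["source_host"] == source_host and e["host"] != source_host})


def process_descendants(events, host, root_image):
    """Forensic analytic: every process spawned (transitively) by root_image on host,
    in breadth-first order. Equivalent to re-running the 'child processes' analytic
    on each child until no more are found."""
    procs = [e for e in events if e["event_id"] == 4688 and e["host"] == host]
    frontier = {e["pid"] for e in procs if e["image"].lower() == root_image.lower()}
    seen, found = set(frontier), []
    while frontier:
        children = [e for e in procs if e["ppid"] in frontier and e["pid"] not in seen]
        for c in children:
            seen.add(c["pid"])
            found.append(c)
        frontier = {c["pid"] for c in children}
    return found


def investigate(events):
    """Chain the analytics in the order the SOC walkthrough uses and return the findings."""
    signals = remote_task_creations(events)
    if not signals:
        return None
    first = signals[0]
    origin = first["source"]
    services = new_services_before(events, origin, first["time"])
    spawned = []
    for svc in services:
        spawned.extend(e["image"] for e in process_descendants(events, origin, svc["image"]))
    return {"origin": origin, "first_target": first["target"],
            "services": [s["service"] for s in services],
            "reached": remote_logins_from(events, origin), "spawned": spawned}


if __name__ == "__main__":
    from pprint import pprint
    pprint(investigate(EVENTS))
```

The point of `process_descendants` is that the "children of the child" step in the walkthrough is just the same analytic applied again; walking the tree to a fixed point surfaces the PowerShell execution without the analyst having to re-run it by hand. The service-install window is a tunable: a window that is too narrow (try 30 seconds on the sample data) misses the service installed two minutes earlier and the pivot to the originating host is lost.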