Security Experts:

Real-Time Intelligence: Security Silver Bullet or Too Good to Be True?

Many Real-time Threat Intelligence Offerings Aggregate Indicators of Compromise (IoCs) and Are Strictly Reactive

The concept of “real-time intelligence” is frequently portrayed as the panacea for our security woes. And, in theory, it certainly could be. The purpose of intelligence, after all, is to equip its consumer with a decision advantage over relevant threats and adversaries. So, if intelligence pertaining to these threats or adversaries could be ready for consumption at the exact “real-time” moment a potentially malicious activity occurred, it would theoretically provide an even greater decision advantage. 

But in reality, real-time intelligence is exceedingly difficult to attain. Many current offerings are limited in how they can address the broad spectrum of threats and adversaries that exist today. Organizations seeking to enhance their overall security posture and mitigate enterprise-wide risk need more than what existing offerings of real-time intelligence can provide. Here’s why: 

Real-Time Intelligence is Reactive

The most successful intelligence programs strive to understand relevant threats and adversaries before they impact an organization. However, since many offerings labeled as real-time intelligence are automated solutions that aggregate indicators of compromise (IoCs), they are strictly reactive.

Cyber Threat Intelligence SolutionsIoCs, by nature, are tactical and only provide insight into individual threats that already exist and malicious activity that has already occurred. While these solutions can greatly enhance network defense and perimeter security, they are suitable for little else and should never be the sole source of intelligence in any security program.

Real-Time Intelligence Has Incomplete Context

Since most existing offerings of real-time intelligence are largely composed of IoCs, they tend to provide very limited context. Although an IoC might tell us that an email signature or IP address is in some way malicious and should therefore be blocked, it doesn’t always help us understand why. Assessing the full context and relevance of an IoC will likely require an analyst to conduct additional research and deeper analysis. And given that many security teams receive an abundance of IoCs on a daily basis, this process can be time-consuming and inefficient. 

For example, let’s say an IoC is the URL of a popular website that has been infected with malware. In many cases, this IoC would automatically trigger a countermeasure that prevents the URL from being accessed within an organization’s network. But what if the website is only infected with malware for a short amount of time? Or what if a company employee tries to access the website from a mobile network? Is blocking the URL indefinitely the most effective way to combat the threat? Since IoCs in and of themselves tend to be static and lacking in full context, they rarely provide enough insight into the full extent and potential impact of a threat.

Real-Time Intelligence Can Obscure Risk

When real-time intelligence is the only type of intelligence a security team consumes, the team can lose sight of the threat landscape and how it can (or does) impact the organization on a macro level. For example, while real-time intelligence might help a security team answer questions like “what phishing campaigns should we be worried about?” it likely won’t be able to address strategic and risk-focused questions such as “how can we raise enterprise-wide awareness of phishing in a manner that strengthens our overall security and risk posture?” It’s crucial to remember that the most effective teams focus not just on aggregating IoCs and blocking threats, they strive to understand why these threats exist in the first place and what can be done to enhance the organization’s overall risk posture moving forward. 

Although real-time intelligence offerings can play a valuable role in an organization’s tactical network defense initiatives, they should never be viewed as a “silver bullet” or one-and-done solution.

Organizations seeking to gain a true decision advantage over a broad spectrum of relevant threats and adversaries need to look beyond just IoCs and work to integrate intelligence that is finished, actionable, and relevant -- such as Business Risk Intelligence (BRI) -- into their security and risk strategies.

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.