Real-Time Intelligence: Security Silver Bullet or Too Good to Be True?

Many Real-time Threat Intelligence Offerings Aggregate Indicators of Compromise (IoCs) and Are Strictly Reactive

The concept of “real-time intelligence” is frequently portrayed as the panacea for our security woes. And, in theory, it certainly could be. The purpose of intelligence, after all, is to equip its consumer with a decision advantage over relevant threats and adversaries. So, if intelligence pertaining to these threats or adversaries could be ready for consumption at the exact “real-time” moment a potentially malicious activity occurred, it would theoretically provide an even greater decision advantage. 

But in reality, real-time intelligence is exceedingly difficult to attain. Many current offerings are limited in how they can address the broad spectrum of threats and adversaries that exist today. Organizations seeking to enhance their overall security posture and mitigate enterprise-wide risk need more than what existing offerings of real-time intelligence can provide. Here’s why: 

Real-Time Intelligence is Reactive

The most successful intelligence programs strive to understand relevant threats and adversaries before they impact an organization. However, since many offerings labeled as real-time intelligence are automated solutions that aggregate indicators of compromise (IoCs), they are strictly reactive.

IoCs, by nature, are tactical and only provide insight into individual threats that already exist and malicious activity that has already occurred. While these solutions can greatly enhance network defense and perimeter security, they are suitable for little else and should never be the sole source of intelligence in any security program.

Real-Time Intelligence Has Incomplete Context

Since most existing offerings of real-time intelligence are largely composed of IoCs, they tend to provide very limited context. Although an IoC might tell us that an email signature or IP address is in some way malicious and should therefore be blocked, it doesn’t always help us understand why. Assessing the full context and relevance of an IoC will likely require an analyst to conduct additional research and deeper analysis. And given that many security teams receive an abundance of IoCs on a daily basis, this process can be time-consuming and inefficient. 

For example, let’s say an IoC is the URL of a popular website that has been infected with malware. In many cases, this IoC would automatically trigger a countermeasure that prevents the URL from being accessed within an organization’s network. But what if the website is only infected with malware for a short amount of time? Or what if a company employee tries to access the website from a mobile network? Is blocking the URL indefinitely the most effective way to combat the threat? Since IoCs in and of themselves tend to be static and lacking in full context, they rarely provide enough insight into the full extent and potential impact of a threat.
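To make the point above concrete, here is an added illustration (not code from the column or from any vendor) of how the missing context and time-boundedness could be attached to an indicator so that a briefly compromised URL ages out instead of being blocked indefinitely. The indicator types, half-lives, thresholds and sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Half-life in days after which an indicator's confidence is halved, by type.
# Constructed, illustrative values: a compromised legitimate site is usually
# cleaned quickly, so its URL should age out fast; an attacker-owned C2 address
# stays relevant longer; a file hash is effectively permanent.
HALF_LIFE_DAYS = {"compromised_url": 3.0, "c2_ip": 14.0, "malware_hash": 365.0}


@dataclass
class Indicator:
    value: str
    ioc_type: str
    confidence: int                  # 0-100, as reported by the feed
    last_seen: datetime              # last time the malicious activity was observed
    context: dict = field(default_factory=dict)  # e.g. campaign, source, analyst notes


def current_confidence(ioc: Indicator, now: datetime) -> float:
    """Exponentially decay the feed's confidence by time elapsed since last_seen."""
    age_days = max((now - ioc.last_seen).total_seconds() / 86400.0, 0.0)
    half_life = HALF_LIFE_DAYS.get(ioc.ioc_type, 30.0)   # default for unknown types
    return ioc.confidence * 0.5 ** (age_days / half_life)


def decide(ioc: Indicator, now: datetime, block_at: float = 60.0, alert_at: float = 25.0) -> str:
    """Map decayed confidence to an action: 'block', 'alert' (log for analyst review) or 'expire'.

    An indicator that arrives with no context is never auto-blocked, only alerted on,
    so the 'why' has to be established before a countermeasure becomes permanent.
    """
    score = current_confidence(ioc, now)
    if score >= block_at and ioc.context:
        return "block"
    if score >= alert_at:
        return "alert"
    return "expire"


if __name__ == "__main__":
    now = datetime(2023, 3, 1, tzinfo=timezone.utc)
    # Constructed sample: a popular site reported ten days ago as serving malware,
    # and a C2 address from the same campaign reported on the same day.
    site = Indicator("http://news.example/hot-topic", "compromised_url", 90,
                     now - timedelta(days=10), {"campaign": "drive-by", "source": "feed-a"})
    c2 = Indicator("198.51.100.7", "c2_ip", 90, now - timedelta(days=10), {"campaign": "drive-by"})
    for ioc in (site, c2):
        print(ioc.value, round(current_confidence(ioc, now), 1), decide(ioc, now))
```

With the same reported confidence and age, the compromised URL has decayed to roughly 9 and expires, while the C2 address is still around 55 and is kept as an alert rather than an automatic block.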

Real-Time Intelligence Can Obscure Risk

When real-time intelligence is the only type of intelligence a security team consumes, the team can lose sight of the threat landscape and how it can (or does) impact the organization on a macro level. For example, while real-time intelligence might help a security team answer questions like “what phishing campaigns should we be worried about?”, it likely won’t be able to address strategic and risk-focused questions such as “how can we raise enterprise-wide awareness of phishing in a manner that strengthens our overall security and risk posture?” It’s crucial to remember that the most effective teams do not focus solely on aggregating IoCs and blocking threats; they also strive to understand why these threats exist in the first place and what can be done to enhance the organization’s overall risk posture moving forward.

Although real-time intelligence offerings can play a valuable role in an organization’s tactical network defense initiatives, they should never be viewed as a “silver bullet” or one-and-done solution.

Organizations seeking to gain a true decision advantage over a broad spectrum of relevant threats and adversaries need to look beyond just IoCs and work to integrate intelligence that is finished, actionable, and relevant — such as Business Risk Intelligence (BRI) — into their security and risk strategies.
