Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Real-Time Intelligence: Security Silver Bullet or Too Good to Be True?

Many Real-time Threat Intelligence Offerings Aggregate Indicators of Compromise (IoCs) and Are Strictly Reactive

Many Real-time Threat Intelligence Offerings Aggregate Indicators of Compromise (IoCs) and Are Strictly Reactive

The concept of “real-time intelligence” is frequently portrayed as the panacea for our security woes. And, in theory, it certainly could be. The purpose of intelligence, after all, is to equip its consumer with a decision advantage over relevant threats and adversaries. So, if intelligence pertaining to these threats or adversaries could be ready for consumption at the exact “real-time” moment a potentially malicious activity occurred, it would theoretically provide an even greater decision advantage. 

But in reality, real-time intelligence is exceedingly difficult to attain. Many current offerings are limited in how they can address the broad spectrum of threats and adversaries that exist today. Organizations seeking to enhance their overall security posture and mitigate enterprise-wide risk need more than what existing offerings of real-time intelligence can provide. Here’s why: 

Real-Time Intelligence is Reactive

The most successful intelligence programs strive to understand relevant threats and adversaries before they impact an organization. However, since many offerings labeled as real-time intelligence are automated solutions that aggregate indicators of compromise (IoCs), they are strictly reactive.

Cyber Threat Intelligence SolutionsIoCs, by nature, are tactical and only provide insight into individual threats that already exist and malicious activity that has already occurred. While these solutions can greatly enhance network defense and perimeter security, they are suitable for little else and should never be the sole source of intelligence in any security program.

Real-Time Intelligence Has Incomplete Context

Since most existing offerings of real-time intelligence are largely composed of IoCs, they tend to provide very limited context. Although an IoC might tell us that an email signature or IP address is in some way malicious and should therefore be blocked, it doesn’t always help us understand why. Assessing the full context and relevance of an IoC will likely require an analyst to conduct additional research and deeper analysis. And given that many security teams receive an abundance of IoCs on a daily basis, this process can be time-consuming and inefficient. 

For example, let’s say an IoC is the URL of a popular website that has been infected with malware. In many cases, this IoC would automatically trigger a countermeasure that prevents the URL from being accessed within an organization’s network. But what if the website is only infected with malware for a short amount of time? Or what if a company employee tries to access the website from a mobile network? Is blocking the URL indefinitely the most effective way to combat the threat? Since IoCs in and of themselves tend to be static and lacking in full context, they rarely provide enough insight into the full extent and potential impact of a threat.

Real-Time Intelligence Can Obscure Risk

When real-time intelligence is the only type of intelligence a security team consumes, the team can lose sight of the threat landscape and how it can (or does) impact the organization on a macro level. For example, while real-time intelligence might help a security team answer questions like “what phishing campaigns should we be worried about?” it likely won’t be able to address strategic and risk-focused questions such as “how can we raise enterprise-wide awareness of phishing in a manner that strengthens our overall security and risk posture?” It’s crucial to remember that the most effective teams focus not just on aggregating IoCs and blocking threats, they strive to understand why these threats exist in the first place and what can be done to enhance the organization’s overall risk posture moving forward. 

Although real-time intelligence offerings can play a valuable role in an organization’s tactical network defense initiatives, they should never be viewed as a “silver bullet” or one-and-done solution.

Organizations seeking to gain a true decision advantage over a broad spectrum of relevant threats and adversaries need to look beyond just IoCs and work to integrate intelligence that is finished, actionable, and relevant — such as Business Risk Intelligence (BRI) — into their security and risk strategies.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Funding/M&A

More than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability, attack surface management firm Censys warns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...