Many Real-time Threat Intelligence Offerings Aggregate Indicators of Compromise (IoCs) and Are Strictly Reactive
The concept of “real-time intelligence” is frequently portrayed as the panacea for our security woes. And, in theory, it certainly could be. The purpose of intelligence, after all, is to equip its consumer with a decision advantage over relevant threats and adversaries. So, if intelligence pertaining to these threats or adversaries could be ready for consumption at the exact “real-time” moment a potentially malicious activity occurred, it would theoretically provide an even greater decision advantage.
But in reality, real-time intelligence is exceedingly difficult to attain. Many current offerings are limited in how they can address the broad spectrum of threats and adversaries that exist today. Organizations seeking to enhance their overall security posture and mitigate enterprise-wide risk need more than what existing offerings of real-time intelligence can provide. Here’s why:
Real-Time Intelligence is Reactive
The most successful intelligence programs strive to understand relevant threats and adversaries before they impact an organization. However, since many offerings labeled as real-time intelligence are automated solutions that aggregate indicators of compromise (IoCs), they are strictly reactive.
Real-Time Intelligence Has Incomplete Context
Since most existing offerings of real-time intelligence are largely composed of IoCs, they tend to provide very limited context. Although an IoC might tell us that an email signature or IP address is in some way malicious and should therefore be blocked, it doesn’t always help us understand why. Assessing the full context and relevance of an IoC will likely require an analyst to conduct additional research and deeper analysis. And given that many security teams receive an abundance of IoCs on a daily basis, this process can be time-consuming and inefficient.
For example, let’s say an IoC is the URL of a popular website that has been infected with malware. In many cases, this IoC would automatically trigger a countermeasure that prevents the URL from being accessed within an organization’s network. But what if the website is only infected with malware for a short amount of time? Or what if a company employee tries to access the website from a mobile network? Is blocking the URL indefinitely the most effective way to combat the threat? Since IoCs in and of themselves tend to be static and lacking in full context, they rarely provide enough insight into the full extent and potential impact of a threat.
Real-Time Intelligence Can Obscure Risk
When real-time intelligence is the only type of intelligence a security team consumes, the team can lose sight of the threat landscape and how it can (or does) impact the organization on a macro level. For example, while real-time intelligence might help a security team answer questions like “what phishing campaigns should we be worried about?” it likely won’t be able to address strategic and risk-focused questions such as “how can we raise enterprise-wide awareness of phishing in a manner that strengthens our overall security and risk posture?” It’s crucial to remember that the most effective teams focus not just on aggregating IoCs and blocking threats, they strive to understand why these threats exist in the first place and what can be done to enhance the organization’s overall risk posture moving forward.
Although real-time intelligence offerings can play a valuable role in an organization’s tactical network defense initiatives, they should never be viewed as a “silver bullet” or one-and-done solution.
Organizations seeking to gain a true decision advantage over a broad spectrum of relevant threats and adversaries need to look beyond just IoCs and work to integrate intelligence that is finished, actionable, and relevant — such as Business Risk Intelligence (BRI) — into their security and risk strategies.