Do you need a Threat Intel feed of IOCs?

10 Feb 2021

Given that your current security stack (AntiVirus, Firewall, SIEM, etc.) already comes integrated with its own auto-updated IOC feeds, do you still need an additional IOC threat intel feed?

Cyber security is an ever-growing challenge in which security teams have to deliver with limited resources and time. Therefore, in the current era of information overload, an effective cyber security strategy has to address how to steer away from TIN (Threat Intelligence Noise). Indicators of compromise (IOCs) are the key ingredient that enables most security technologies to function. Any IP address, domain, URL/host or file hash that is associated with malicious activity is pushed as a periodic update to the relevant security technologies, enabling detection and blocking of any event that is found to involve those IOCs.

The daily number of IOCs being discovered across the cyber security industry is mind-boggling. As per AlienVault, their OTX platform provides open access to a global community of threat researchers and security professionals. It now has more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily.

The sheer volume shows that this has to be an automated process in which IOCs are produced, aggregated, validated and finally pushed into products in a timely manner. Security vendors must do so for the proper functioning of their products.

As for the corporate businesses that are consumers of security products, they are already leveraging IOCs from multiple vendors: endpoint security, perimeter firewall, IDS/IPS, email and web firewalls, and a SIEM. All of these vendors produce IOCs and share them with their peers, and each has an auto-update feature in its products.

Now comes the big question. How much extra value would a business gain by investing in a separate cyber threat intel feed of IOCs and taking on the operational overhead of injecting those IOCs across its security products? What will determine whether its current product vendors are in fact missing these IOCs?

BEWARE: There have been situations where a group of non-security business organizations established a platform to share IOCs among themselves. These IOCs may come from unreliable threat feeds and, many times, from totally unknown sources. The first question here is how you establish qualification and validation of those IOCs. The second, more important question is whether these IOCs are in fact unique/new (i.e. not already available in the updates of the industry's leading security product vendors).

These questions need a well-thought-out answer before an investment is made in procuring an independent threat intelligence feed or an IOC sharing platform. The measurement would be to assess how many times these IOCs were unique AND were discovered inside your network in association with malicious events. The other approach would be simply to ensure that your current security technology stack is configured for timely updates. Specifically, ensure that your SIEM is leveraging the IOC feeds that are already part of your current investments.
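The measurement described above can be scripted. The following is an added example, not code from the article or from any vendor: it takes a candidate third-party feed, the union of IOCs already shipped by the existing stack's vendors, and the indicators seen in SIEM events flagged as malicious, validates and normalizes each indicator (refanging `[.]`/`hxxp`, lower-casing), and counts how many candidate IOCs are both unique to the feed and actually sighted in the network. All feed contents and sightings are constructed sample data.

```python
import ipaddress
import re

# Constructed sample data (not real indicators): a candidate paid/shared feed,
# the IOCs already delivered by the existing vendors' auto-updates, and the
# indicators referenced by SIEM events that were confirmed malicious.
CANDIDATE_FEED = [
    "198.51.100.7",                      # unique to the feed and seen in the network
    "evil-update[.]example",             # defanged domain, unique and seen
    "203.0.113.9",                       # already covered by the vendor feeds
    "hxxp://phish[.]example/login",      # unique but never observed internally
    "not an ioc",                        # malformed entry; should be rejected
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 already in the vendor feeds
]
VENDOR_FEED = ["203.0.113.9", "D41D8CD98F00B204E9800998ECF8427E", "bad.example"]
MALICIOUS_SIGHTINGS = ["198.51.100.7", "evil-update.example", "203.0.113.9"]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def normalize(ioc):
    """Refang and canonicalize an indicator; return None if it is not a valid IP, domain, URL or hash."""
    value = ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if value.startswith(("http://", "https://")):
        return value
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if DOMAIN_RE.match(value) or HASH_RE.match(value):
        return value
    return None


def evaluate_feed(candidate, vendor, sightings):
    """Count how many candidate IOCs are valid, unique versus vendor coverage, and actually seen."""
    valid = {n for n in (normalize(i) for i in candidate) if n}
    rejected = sum(1 for i in candidate if normalize(i) is None)
    vendor_norm = {n for n in (normalize(i) for i in vendor) if n}
    seen = {n for n in (normalize(i) for i in sightings) if n}
    unique = valid - vendor_norm
    return {
        "valid": len(valid),
        "rejected": rejected,
        "already_covered": len(valid & vendor_norm),
        "unique": len(unique),
        "unique_and_seen": len(unique & seen),  # the number that justifies the spend
    }


if __name__ == "__main__":
    print(evaluate_feed(CANDIDATE_FEED, VENDOR_FEED, MALICIOUS_SIGHTINGS))
```

Run this periodically against real vendor exports and SIEM hits; a persistently low `unique_and_seen` count relative to `unique` means the extra feed is adding noise rather than detections.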
