For over a decade, the security industry has relied on indicators of compromise (IOCs) — attributes that implicate an item as being associated with cybercrime — to spot threats. Since anything observable, such as a file name, a checksum, a registry entry or an email subject line, can be an IOC, IOCs are easy to write, share, and use.
The premise of IOCs is both simple and sound: When attackers are in your systems, there will be things that aren’t quite right. There will be files or settings that wouldn’t otherwise be there, and the attacker will do things that wouldn’t happen in a non-compromised system.
So, why the title “RIP IOCs”? Well, to start with, IOCs are a management nightmare. There are literally thousands available, and more are created every day. Keeping ahead of the game by figuring out just which ones you need and promptly deploying them is a challenging task.
But the management overhead pales in comparison to the ineffectiveness of IOCs at improving security. The fact is, IOCs tend to result in massive false positive rates. Have you ever missed important and legitimate email because it got dumped in your Spam folder? Perhaps it had an IOC keyword in the Subject line or body of the text. Even worse, IOCs often fail to catch real threats. After all, cybercriminals can simply run their malware through all the thousands of public IOCs and fine-tune it until it slips right past.
It’s critical to understand why IOCs don’t work very well. Here’s the key: What’s abnormal for one system or user might be completely normal for another user or system, or even for the same user at a different time of day. Therefore, IOCs written for one environment rarely transfer into new environments without lots of false positives and false negatives.
But this is exactly the kind of problem that machine learning excels at! Machine learning enables us to monitor behavior over time and spot deviations from each user's and system's own baseline. That’s why SecureAuth is starting to use machine learning to move authentication from a rules-based approach to a behavior-driven workflow that lets us detect anomalies more accurately and block threats.
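To make the contrast concrete, here is an added example (not SecureAuth's code, and not the model described in this post) that puts a one-size-fits-all IOC-style rule beside a simple per-user behavioral baseline. The login history, the user names, the hours and the country codes are all constructed for the illustration ("ZZ" is a placeholder code, not a real country), and the scoring is a deliberately small statistical baseline rather than a trained classifier. A night-shift user whose logins at 02:00 are routine is flagged by the static off-hours rule but not by her own baseline, while a user who normally keeps office hours and suddenly logs in at 03:00 from an unseen country is caught by the baseline.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    hour: int      # local hour of day, 0-23
    country: str   # country code of the source address


# Constructed sample history (not real data): alice works nights,
# bob keeps office hours; both always log in from "US".
HISTORY = (
    [Login("alice", h, "US") for h in (1, 2, 2, 3, 1, 2, 3, 2, 1, 2)]
    + [Login("bob", h, "US") for h in (9, 10, 9, 11, 14, 10, 9, 16, 10, 11)]
)


def static_offhours_rule(event: Login) -> bool:
    """IOC-style blanket rule: any login between 00:00 and 05:59 is 'suspicious'.
    The same threshold is applied to everyone, regardless of their habits."""
    return 0 <= event.hour < 6


def _circular_mean_hour(hours):
    """Average hours on a 24h circle so that 23:00 and 01:00 average to midnight."""
    angles = [h / 24 * 2 * math.pi for h in hours]
    s = sum(math.sin(a) for a in angles) / len(angles)
    c = sum(math.cos(a) for a in angles) / len(angles)
    mean_angle = math.atan2(s, c) % (2 * math.pi)
    return mean_angle / (2 * math.pi) * 24


def _hour_distance(a, b):
    """Shortest distance between two hours on the 24h circle."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class UserBaseline:
    """Per-user profile learned from that user's own past logins."""

    def __init__(self, logins):
        hours = [l.hour for l in logins]
        self.mean_hour = _circular_mean_hour(hours)
        # Typical spread around the mean hour; floored so a perfectly regular
        # user does not produce a division by zero when scored.
        dists = [_hour_distance(h, self.mean_hour) for h in hours]
        self.spread = max(sum(dists) / len(dists), 0.5)
        self.countries = {l.country for l in logins}

    def score(self, event: Login) -> float:
        """Anomaly score relative to this user: 0 = typical, larger = more unusual."""
        hour_score = _hour_distance(event.hour, self.mean_hour) / self.spread
        country_score = 0.0 if event.country in self.countries else 3.0
        return hour_score + country_score


def build_baselines(history):
    per_user = defaultdict(list)
    for login in history:
        per_user[login.user].append(login)
    return {user: UserBaseline(logins) for user, logins in per_user.items()}


def baseline_rule(event: Login, baselines, threshold: float = 3.0) -> bool:
    """Behavioral rule: flag when the event deviates from the user's own baseline."""
    baseline = baselines.get(event.user)
    if baseline is None:
        return True  # no history at all: treat as anomalous until a baseline exists
    return baseline.score(event) >= threshold


def compare_rules(events, baselines):
    """Return {event: (static_flag, baseline_flag)} for a batch of new logins."""
    return {e: (static_offhours_rule(e), baseline_rule(e, baselines)) for e in events}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    new_events = [
        Login("alice", 2, "US"),   # routine for alice
        Login("bob", 10, "US"),    # routine for bob
        Login("bob", 3, "ZZ"),     # off-hours from an unseen country (placeholder code)
    ]
    for event, (static_flag, baseline_flag) in compare_rules(new_events, baselines).items():
        print(f"{event.user:6} {event.hour:02d}:00 {event.country}  "
              f"static={static_flag!s:5} baseline={baseline_flag}")
```

The static rule raises a false positive on every one of alice's normal logins and would need a per-site exception list to be usable, which is exactly the management problem described above; the baseline rule carries no such list because the "normal" it compares against is learned per user from the history it is given.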
Machine learning isn’t new, but until recently, it has been available only at very high cost due to the amount of CPU and memory it requires. Cloud computing has changed all that. Affordable access to supercomputer capabilities opens the doors to machine learning being applied to more and more problems — as we’re doing with authentication.
Stay tuned for my next blog post, where I’ll explain our new approach in more detail.