RIP IOCs: How Machine Learning will Revolutionize IT Security – Part II

Back to Blog
July 20, 2017
David Ross

In my last blog post, I sounded the death knell for indicators of compromise (IOCs) — attributes that implicate an item as being associated with cybercrime. IOCs written for one environment rarely transfer into new environments without lots of false positives and false negatives because what’s abnormal (and therefore an IOC) for one system or user might be completely normal for another user or system, or even for the same user at a different time of day.

But, as I noted, this is exactly the kind of problem that machine learning excels at! That’s why SecureAuth is working to incorporate machine learning into our adaptive authentication engine and make it even better. As I promised, here are more details.

Machine learning will enable us to monitor behavior over time and spot deviations. Consider “normal” time of day. Is it odd when someone VPNs into the corporate network 2:00 in the morning to write a blog post? An IOC has to say either “Yes” or “No” — but the answer is clearly “It depends.” Has this person logged in during the night before? Do they normally write blogs? Do other people in the company with similar behavior portfolios also VPN in during the wee hours? (That last part is important:  Normal isn’t just about how you normally behave, but also how others like you behave.)

In my case, a 2 a.m. VPN connection on Sunday night is normal because I promised the blog would be done Monday morning and I’m always doing things at the last minute. Abnormal would be me logging in from my office desk at 8 a.m. tomorrow! Try to write an IOC to find that behavior. But that’s just the kind of thing machine learning can do oh so well.

SecureAuth’s adaptive authentication already analyzes behavior. For example, our geo-velocity check can ask, “Given the time since your last authentication, could you have physically traveled to your current location?” But imagine adding in machine learning. Then we could ask, “Have you or anyone at your company exhibited similar travel patterns (time of day + day or week + location) over a given time span?”

For example, this might be the first time you’ve ever logged in from Santa Cruz on a Tuesday, but a co-worker did the same thing last Tuesday, and you logged in from the nearby Irvine office yesterday. So instead of denying your authentication request outright, machine learning — unlike an IOC — can say “Hmmm,” step up with two-factor authentication, and note the new normal.

By leveraging machine learning, SecureAuth is working to take authentication from a rules-based system to a behavior-driven workflow that enables us to find anomalies — without creating more management overhead. Look for machine learning to revolutionize the way we authenticate users and verify identities to deliver even stronger identity access management.

If you’re interested in learning more, read our blog post about how machine learning powers adaptive authentication, or request a demo here

Never Miss a Beat
Subscribe to Our Blog

SecureAuth Identity Platform Adaptative Authentication

Identity and Access Management

Empower your digital initiatives with secure access for everyone and everything connecting to your business

Product Features

Adaptive Authentication

Extend verification of a user identity with contextual risk checks

Multi-Factor Authentication

Leverage a broad portfolio of authentication factors for desktop and mobile

Intelligent Risk Engine

Protect your identities with advanced risk profiling analytics

Single Sign-On

Provide app discovery and one-click login through portal or desktop SSO

User Lifecycle Management

Enable admins with strong CRUD capabilities and users with self-service tools

Secure All Identities


Customer Identities

Deliver a frictionless customer experience safeguarding user data and privacy


Workforce Identities

Govern and control access rights for employees, partners, and contractors

Moving Beyond Passwords

Learn how passwords alone no longer provide the appropriate level of protection, nor confidence, required to secure valuable resources


Passwordless Authentication

Reduce the risk of breaches by eliminating passwords

2FA is Not Enough

Block popular phishing and brute force attacks used by bad actors

Protecting Office 365

Extend adaptive authentication and flexible MFA to all apps including Office 365

Securing Portals and Web Apps

Balance strong security and an exceptional user experience

RSA Migration

Transition to a modern identity and access management solution



Financial Services


Energy and Utilities

Public Sector


White Papers


Recorded Webinars

Analyst Reports

Innovation Labs


Support Portal

Events & Webinars



Calculate Your Savings

Lower support costs by enabling your users the control to reset passwords, account unlocks, device enrollment and update profiles

Meet SecureAuth

About SecureAuth