More and more enterprise customers are now paying attention to Indicators of Compromise (IoC), or are in the process of integrating them into their existing enterprise infrastructure and security workflows. The objective is to get early warning and act proactively, before it is too late to do anything about an exploit that ends up damaging the business's reputation through stolen data or a public disclosure.
Before going further, let us give a quick definition and some background, so the topic can be explained in more detail for those who are new to the subject.
Indicators of Compromise (IoC) are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.” IoC aid information security (InfoSec) and IT professionals in detecting data breaches, malware infections, or other threat activity; this is the typical use case. By monitoring for IoC, organizations can detect attacks and act quickly, either preventing breaches or limiting damage by stopping attacks at an earlier stage.
Since a compromise, or the activity leading to one, can happen at any time and anywhere, assets need to be monitored continuously, together with infrastructure, system and application security, and the results correlated into a meaningful set of security information and events worth acting on: define what matters, filter it automatically, and escalate it to the right officer. This is something every modern IT infrastructure's security information and event management (SIEM) and security operations center (SOC) must be able to do: collect the logs, correlate them, and present the result in an actionable manner.
Depending on the enterprise security infrastructure and architecture, enterprise vulnerability management (EVM) or risk-based vulnerability management (RVM) can perform continuous vulnerability assessment of the assets and generate vulnerability reports. You can integrate your EVM or RVM so that it triggers, passes or exchanges findings via syslog, SNMP trap or, better, JSON into your deployed security information and event management (SIEM) / security orchestration, automation and response (SOAR) platform, to consolidate all threat and vulnerability information and correlate it into meaningful security intelligence worth acting on, including working out the IoC for your SecOps.
With IoC, you are equipped to detect malicious activity early in the attack sequence. These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or system compromise. To make them really meaningful, you always need to look for correlation and piece the indicators together to analyze whether they represent a potential threat or incident.
A manual vulnerability assessment tool mostly contributes input based on active vulnerability scans, providing a list of vulnerabilities as a feed into your SIEM/SOAR/SecOps. For a better security architecture, you also need a passive vulnerability scanner or network-based scanner to provide passively discovered vulnerabilities and complete the infrastructure vulnerability coverage. Otherwise you may need network security or intrusion detection and prevention systems to provide a continuous feed of unusual traffic for correlation. At the very minimum, in the vulnerability management context, you need an enterprise vulnerability management capability with an active scanner, active agents and continuous monitoring as part of your input.
The same goes for web application and mobile application platforms: you need specialized web, mobile, IoT and container vulnerability scanners to provide platform-specific vulnerabilities as one of the inputs for your IoC calculation. Do not forget that antivirus, APT and malware detection are also needed as IoC inputs. Once you know the input and correlation requirements, you will get a clearer picture of IoC for your own security infrastructure, architecture requirements and unique business context.
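The correlation step described above can be illustrated in a few dozen lines. The following is an added example, not E-SPIN's code or any vendor's SIEM/SOAR integration: it ingests a constructed vulnerability-scanner export in JSON, a constructed IoC feed, and a few constructed syslog-style lines, matches the indicators against the logs, and ranks each internal host by combining its IoC hits with the highest CVSS score the scanner found on it. The JSON field names, the log line format, the placeholder CVE identifiers and the priority formula are all assumptions made for the example.

```python
"""Correlate vulnerability-scanner output with IoC hits in logs.

Added example, not E-SPIN's code. The scanner report, IoC feed and
log lines below are constructed sample data; the field names ("ip",
"cve", "cvss"), the log format and the priority formula are assumptions.
"""
import json
import re
from collections import defaultdict

# Constructed vulnerability-scanner export in JSON, as a SIEM would ingest it.
# CVE ids are placeholders, not real advisories.
SCANNER_REPORT = json.dumps({
    "assets": [
        {"ip": "10.0.0.5", "hostname": "web01",
         "findings": [{"cve": "CVE-0000-0001", "cvss": 9.8}]},
        {"ip": "10.0.0.9", "hostname": "db01",
         "findings": [{"cve": "CVE-0000-0002", "cvss": 4.3}]},
        {"ip": "10.0.0.12", "hostname": "app02", "findings": []},
    ]
})

# Constructed IoC feed: indicator value -> indicator type.
IOC_FEED = {
    "198.51.100.23": "ip",                       # TEST-NET-2 documentation address
    "bad-example.invalid": "domain",             # reserved .invalid TLD
    "d41d8cd98f00b204e9800998ecf8427e": "md5",   # MD5 of the empty string, placeholder
}

# Constructed syslog-style lines; the key=value format is an assumption.
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z fw01 allow src=10.0.0.5 dst=198.51.100.23 dport=443
2024-01-01T10:00:02Z dns01 query src=10.0.0.12 qname=bad-example.invalid
2024-01-01T10:00:03Z fw01 allow src=10.0.0.9 dst=203.0.113.7 dport=443
2024-01-01T10:00:04Z av01 detect host=10.0.0.9 md5=d41d8cd98f00b204e9800998ecf8427e
"""

def load_vuln_index(report_json):
    """Map asset IP -> highest CVSS score reported for that asset."""
    index = {}
    for asset in json.loads(report_json)["assets"]:
        scores = [finding["cvss"] for finding in asset["findings"]]
        index[asset["ip"]] = max(scores) if scores else 0.0
    return index

# The internal host is whatever follows src= or host= in the line.
HOST_RE = re.compile(r"(?:src|host)=(\S+)")

def match_iocs(log_text, ioc_feed):
    """Yield (internal_host, indicator, ioc_type) for every log line containing an IoC."""
    for line in log_text.splitlines():
        host = HOST_RE.search(line)
        if not host:
            continue
        for indicator, ioc_type in ioc_feed.items():
            if indicator in line:
                yield host.group(1), indicator, ioc_type

def correlate(report_json, ioc_feed, log_text):
    """Combine IoC hits with vulnerability exposure into one alert per host.

    priority = hits * (1 + max_cvss / 10): an indicator seen on a critically
    vulnerable host outranks the same indicator on a host with no findings.
    """
    vulns = load_vuln_index(report_json)
    hits = defaultdict(list)
    for host, indicator, ioc_type in match_iocs(log_text, ioc_feed):
        hits[host].append((indicator, ioc_type))
    alerts = []
    for host, indicators in hits.items():
        max_cvss = vulns.get(host, 0.0)
        priority = round(len(indicators) * (1 + max_cvss / 10), 2)
        alerts.append({"host": host, "max_cvss": max_cvss,
                       "iocs": indicators, "priority": priority})
    alerts.sort(key=lambda alert: alert["priority"], reverse=True)
    return alerts

if __name__ == "__main__":
    # Emit one JSON alert per line, highest priority first, ready for a SOAR queue.
    for alert in correlate(SCANNER_REPORT, IOC_FEED, SAMPLE_LOGS):
        print(json.dumps(alert))
```

Run stand-alone, the script prints three alerts: web01 first, because its IoC hit coincides with a CVSS 9.8 finding, then db01, then app02, which has an indicator hit but no scanner findings. In a real deployment the scanner report and the IoC feed would arrive over the syslog or JSON path described above rather than being embedded, and the priority formula would be replaced by whatever scoring your SOC has agreed on.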
Above is a summary of the solution architecture for those interested in implementing useful and practical IoC based on threat and vulnerability management input.
E-SPIN Group is in the business of enterprise ICT solution supply, consulting, project management, training and maintenance for multinational corporations and government agencies. Feel free to contact E-SPIN for your end-to-end enterprise threat and vulnerability management, SIEM/SOAR and SecOps requirements or integration.