Indicators of Compromise are Dead. Now What?

Organizations must pivot toward a new and superior class of threat intelligence known as "evidence of compromise" that doesn’t require human analysts and is instantly actionable.

Dark Reading Staff, Dark Reading

March 2, 2020

3 Min Read
Threat intelligence is comprehensive but produces many false positives, which makes it less actionable than evidence of compromise, which yields only confirmed, actionable intelligence.
Image source: Prevailion

The mission of "evidence of compromise" (EoC) is simple: empower companies to audit and continuously monitor the security of their supply chains to an unprecedented degree, with the possibility of even predicting future breaches based on this real-time intelligence.

Current methods of cyber risk management, such as incident response and risk modeling, have failed to keep up with the growing sophistication and speed of cyber adversaries, ranging from organized criminal groups to state-sponsored hackers. Rising geopolitical tensions around the world are further accelerating the overall risk to organizations.

Over the next few years, the world's organizations will have to evolve their cyber intelligence operations to keep up with these rapidly advancing threats by shifting to a more reliable, actionable and machine-speed response capability. This will involve moving beyond the standard model of threat intelligence, which for over 20 years has been based largely on the highly imperfect "indicators of compromise" (IoC).

This legacy threat intelligence model has been problematic for companies in many ways, but particularly because of its high false-positive rate and its slow execution: the data must be carefully combed through, refined, and verified by human analysts before it can be acted on.

To keep up with modern threats, organizations must pivot toward a new class of threat intelligence known as "evidence of compromise" (EoC). Unlike IoC, EoC does not rest on interpretation, doesn't require human analysts, and is instantly actionable, because the data is collected directly from the source, the attacker's own infrastructure, rather than inferred from secondary signals and guesswork. This is what makes EoC inherently accurate, with a false positive rate at or near 0%.


The financial sector has been at the forefront of cybersecurity for years, so much so that its networks are often difficult to breach directly. As a result, attackers are increasingly shifting to the financial sector’s periphery, by targeting lower-hanging fruit within the corporate supply chain.

Because of this shift, the "trusted vendor" is now the greatest vulnerability in a financial company's network and overall security posture. Until now, it has been exceedingly difficult for these companies to accurately gauge their vendors' security, particularly with respect to active and emerging threats. EoC changes this equation by allowing a company to see its vendors' networks from the perspective of the attackers who are actively breaching them, gaining persistence, and moving on to new targets affiliated with that organization.

This is a significant advance over current threat intelligence capabilities, and it will become increasingly necessary over the next decade as the threat landscape continues to evolve.

About the Author: Karim Hijazi, CEO & Founder, Prevailion 
Karim Hijazi is a serial entrepreneur with more than 15 years in the cybersecurity and intelligence arena, including founding the data leak intelligence firm Unveillance.
