What is Evidence of Compromise?

Evidence of Compromise (EoC) is a collection of forensic data that points to a confirmed malicious attack on a commercial, industrial or government network. 

Evidence of Compromise supersedes indicators by providing organizations with actionable intel, not just a possibility. This empowers organizations to highlight only what is relevant, actionable, and critical for their security needs—freeing them from time-consuming threat intelligence data feeds and costly subscriptions.

How is Evidence of Compromise different from Indicators of Compromise?

EoC is different from its counterpart, Indicators of Compromise (IoC), because of how it is sourced.

Indicators can come from a variety of sources, each with varying degrees of accuracy. Actionable intel like this must be distilled from those various sources, which can take time and ultimately lead nowhere.

Evidence is sourced from active, malicious network activities, bringing to the surface what threat actors see when an infected computer “calls home” from a victim’s compromised network. This direct sourcing removes the guesswork involved with indicators, making every bit of collected intelligence guaranteed to be accurate and actionable. 

This unique visibility into the ongoing activity of threat actors is made possible through proprietary sensors and algorithms, which ingest and analyze data directly from adversaries operating active malicious campaigns around the world.

Finding the Needle of Evidence in the Haystack of Indicators 

For organizations as large as multinational corporations or nation-states, finding evidence of compromise instead of mere indicators can be like searching for one or two needles spread throughout dozens of different barns, inside hundreds of haystacks, among millions of pieces of straw. 

Standard threat intelligence solutions focus on gathering a pool of indicators, which amounts to an inside-out solution to the haystack problem. It requires requesting authorization to go inside each barn, inspecting each piece of straw, bending it, and categorizing it based on its observable properties. Some pieces could rightly be ruled out as threats, but many would defy the ruleset and be stacked into a pile for further straw analysis. Given enough time, the offending needles would indeed be found. Whether an actionable conclusion would come prior to the heat death of the universe depends on the number of haystacks and the diligence of the analysts involved.

Evidence of Compromise proposes a simpler, outside-out approach—empowering analysts to stand far outside all of those barns, equipped with a powerful electromagnet. By flipping a switch, the dangerous needles fly straight to the magnet, providing the solution without any time-consuming searching.

Prevailion’s Unique Visibility into Active Global Compromises

Prevailion's Apex Compromise Intelligence platform is like a search engine for discovering active and historical third-party compromises worldwide. Organizations can set it up in less than a minute and find EoC within their own or third-party ecosystems right away.

Apex was built around the basic premise that IoC has failed organizations, and EoC is the future of compromise visibility. Our customers have unique insight into the ongoing activities of threat actors, giving them the tailored intelligence they need to stay not just one, but several steps ahead of potential threats to their ecosystem.

The Latest

U.S. Hackers have likely “gone to ground”

Karim Hijazi, who served as the director of intelligence of the cybersecurity firm Mandiant and now serves as CEO of the security firm Prevailion, said the hackers will likely have “gone to ground” at this point.

Who’s Impacted by TA505 and Why It Matters

While threat actors like Cozy Bear and Fancy Bear get a lot of attention, there is another sophisticated crime actor that companies need to be watching out for. The group is called TA505 and it is believed to be […]

‘Most pristine espionage effort’ in modern history right under the US’s nose

“This was the most pristine espionage effort, unlike anything we’ve seen in a very long time,” said Karim Hijazi, a former intelligence community contractor. “Everyone in the cybersecurity community is freaking out, because we don’t know where this could stop.”

Copyright 2021 Prevailion, Inc. All rights reserved

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.