Understanding Indicators of Attack vs Compromise
It’s the choice between stopping an attack before it gets in or detecting a compromise after it affects your company
There are two main methods of detection in the security marketplace—Indicators of Attack (IoA) and Indicators of Compromise (IoC). The two methods approach detection in vastly different ways.
In this Quick Read, we’ll cut through the crosstalk to compare and contrast IoAs and IoCs. Plus, we’ll share examples of Capsule8 Protect’s different approach to attack protection.
How IoCs and IoAs Work
Indicators of Compromise
- IP addresses, files, and other markers
- Specific behavior of known attacks
- A focus on post-exploitation tooling and command and control
Indicators of Attack
- Detect exploitation techniques
- Provide real-time visibility across your environment
- Are agnostic to individual vulnerabilities
- Work proactively to identify unknown or emerging exploits and attacks
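The contrast between the two lists above, as an added example that is not Capsule8 code: a small IoC matcher (hash and address blocklist) and an IoA matcher (behaviour of the exploitation technique, independent of the vulnerability) run side by side over constructed process events. The event fields, rule names, blocklist values and sample events are all assumptions made for illustration.

```python
"""Indicators of Compromise vs Indicators of Attack over constructed process events.

Added example, not Capsule8 code. The event fields, rule names, blocklist
values and sample events are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    comm: str                     # executable name of the process
    parent_comm: str              # executable name of its parent
    exe_path: str                 # path of the image that was executed
    exe_sha256: str               # hash of that image
    dst_ip: Optional[str] = None  # outbound connection, if the process made one


# IoC detection: match markers of attacks that have been seen before.
KNOWN_BAD_SHA256 = {"deadbeef" * 8}   # constructed placeholder hash (64 hex chars)
KNOWN_BAD_IPS = {"203.0.113.7"}       # RFC 5737 documentation address, constructed


def ioc_hits(ev):
    """Return the IoC markers this event matches (empty list if none)."""
    hits = []
    if ev.exe_sha256 in KNOWN_BAD_SHA256:
        hits.append("known malware hash")
    if ev.dst_ip in KNOWN_BAD_IPS:
        hits.append("known C2 address")
    return hits


# IoA detection: look for the exploitation technique itself, independent of
# which vulnerability, binary hash or address was involved.
SERVICE_COMMS = {"nginx", "httpd", "java", "node"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/")


def ioa_hits(ev):
    """Return the IoA rules this event trips (empty list if none)."""
    hits = []
    if ev.parent_comm in SERVICE_COMMS and ev.comm in SHELLS:
        hits.append("network service spawned a shell")
    if ev.exe_path.startswith(SCRATCH_DIRS):
        hits.append("executable run from a scratch directory")
    return hits


def classify(events):
    """Per-event verdicts from both methods, so they can be compared side by side."""
    return [{"pid": ev.pid, "ioc": ioc_hits(ev), "ioa": ioa_hits(ev)} for ev in events]


# Constructed sample: three events on one host.
SAMPLE_EVENTS = [
    # 1: a binary whose hash is already on the blocklist; the IoC method catches it.
    ProcEvent(pid=4101, comm="miner", parent_comm="bash", exe_path="/opt/miner",
              exe_sha256="deadbeef" * 8),
    # 2: a web server that starts a shell; the hash and address are unknown, so
    #    only the behaviour (IoA) flags it.
    ProcEvent(pid=4102, comm="sh", parent_comm="nginx", exe_path="/bin/sh",
              exe_sha256="0" * 64, dst_ip="198.51.100.22"),
    # 3: cron legitimately running a shell script; neither method fires.
    ProcEvent(pid=4103, comm="sh", parent_comm="cron", exe_path="/bin/sh",
              exe_sha256="0" * 64),
]

if __name__ == "__main__":
    for verdict in classify(SAMPLE_EVENTS):
        print(verdict)
```

Event 2 is the case the page is about: nothing in it has been seen before, so the blocklist is silent, while the behavioural rule fires regardless of which vulnerability in the web server was used to get there. Event 3 shows why the IoA rule is scoped to service parents rather than to "any shell".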
Linux Monitoring Requirements for IoA Detection
The rapid adoption of Linux-based microservices in enterprises has driven the shift to solutions that detect IoAs. For those in SecOps, a modern IoA detection approach must be:
- Deployed at the local and host level (i.e., utilizing user space code that gathers telemetry from various sources)
- Flexible enough to detect generic exploitation techniques
- Rolled up to generate high-value alerts at low volume
- Lightweight enough to not disrupt production
- Integrated into the existing build chain
Capsule8 Protect is the only attack protection solution that:
- Deploys out-of-the-box sensors
- Detects locally and analyzes all exploit data
- Alerts you only when specific security policies are violated
- Enforces hard limits on system CPU, disk and memory using a resource limiter and an intelligent load-shedding strategy
- Is fully extensible with an API-first perspective
See Linux Monitoring and Response in Action
Download our Technical Primer: Demonstration of Detection Capabilities in Capsule8 Protect to learn how we support modern Linux environments without slowing down production.
Protection Without Slowing Production
A system that keeps you safe but doesn’t let you get your work done will produce one of two results: Your company’s productivity will slow to a crawl or your employees will start using workarounds that will leave you even more vulnerable than before.
So it’s critical that the approach you take, whether it’s IoA- or IoC-based, not disrupt production. But even though one part of your company might think things are going well with the chosen protection method, another might encounter disruptions. For example, SecOps might think things are humming along nicely, but that doesn’t necessarily mean Ops will feel the same, especially when you’re dealing with agents and kernel modules.
Capsule8 Solves the Problem in a Different Way
Capsule8 enables both IoC and IoA methods, but we believe IoA is the superior method for today’s advanced attacks.
So we engineered Capsule8 Protect using the kprobe + perf approach to Linux monitoring. kprobes are a kernel facility for placing dynamic instrumentation points on kernel functions, including the system call paths, which gives visibility into what specific processes ask the kernel to do. When used in conjunction with perf, a more stable alternative to kernel modules, you can extract that kernel data without a performance penalty.
The kprobe + perf approach used by Capsule8 Protect is a safer way to perform Linux monitoring because it:
- Doesn’t require a kernel module to deploy
- Can’t crash the kernel
- Won’t flood the network
- Won’t require extra config labor by Ops
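What user-space code actually receives from a kprobe on the exec path, and how it is rolled up into the low-volume alerts called for in the requirements list earlier on this page, as an added example that is not Capsule8 Protect code. The probe name `exec_probe`, the rule, the 60-second window and the sample lines are assumptions; the lines are constructed in the shape of the kernel's ftrace `trace_pipe` text output for a kprobe with a string argument (a production sensor would read the same fields as binary records from perf ring buffers instead).

```python
"""Parse kprobe telemetry text and roll it up into low-volume alerts.

Added example, not Capsule8 Protect code. The probe name, rule, window size
and sample lines are assumptions. The lines are constructed in the shape of
ftrace trace_pipe output for a kprobe on the execve path with a string
argument.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# <comm>-<pid> [<cpu>] <flags> <timestamp>: <event>: (<probe site>) <args>
LINE_RE = re.compile(
    r"^\s*(?P<comm>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<event>\w+):\s+\((?P<site>[^)]*)\)\s*(?P<args>.*)$"
)
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


@dataclass(frozen=True)
class KprobeEvent:
    comm: str     # image of the calling process at probe time
    pid: int
    ts: float
    event: str    # kprobe event name
    args: dict    # fetched probe arguments


def parse_line(line):
    """Turn one trace line into a KprobeEvent, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = {k: (q or u) for k, q, u in ARG_RE.findall(m["args"])}
    return KprobeEvent(m["comm"], int(m["pid"]), float(m["ts"]), m["event"], args)


def parse_trace(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


SERVICE_COMMS = {"nginx", "httpd", "java"}
SHELL_PATHS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh"}


def service_exec_shell(ev):
    """IoA rule: a service process replaces its image with a shell.

    At the time the execve probe fires the comm is still the caller's, so a
    forked nginx worker that execs /bin/sh shows up as comm=nginx."""
    return (ev.event == "exec_probe" and ev.comm in SERVICE_COMMS
            and ev.args.get("filename") in SHELL_PATHS)


def roll_up(events, window=60.0):
    """One alert per (rule, comm, time window) with a count, instead of one per event."""
    buckets = defaultdict(list)
    for ev in events:
        if service_exec_shell(ev):
            buckets[("service_exec_shell", ev.comm, int(ev.ts // window))].append(ev)
    return [{"rule": rule, "comm": comm, "count": len(evs),
             "first_ts": evs[0].ts, "pids": sorted({e.pid for e in evs})}
            for (rule, comm, _), evs in buckets.items()]


# Constructed trace: six exec events over ~75 seconds.
SAMPLE_TRACE = """\
           nginx-2487  [001] d... 1000.000100: exec_probe: (do_execve+0x0/0x30) filename="/bin/sh"
            cron-900   [000] d... 1000.250000: exec_probe: (do_execve+0x0/0x30) filename="/bin/sh"
           nginx-2491  [002] d... 1001.100000: exec_probe: (do_execve+0x0/0x30) filename="/bin/sh"
           nginx-2495  [003] d... 1002.300000: exec_probe: (do_execve+0x0/0x30) filename="/usr/sbin/nginx"
   systemd-udevd-800   [000] d... 1003.000000: exec_probe: (do_execve+0x0/0x30) filename="/bin/ls"
            java-3100  [001] d... 1075.000000: exec_probe: (do_execve+0x0/0x30) filename="/bin/bash"
"""

if __name__ == "__main__":
    for alert in roll_up(parse_trace(SAMPLE_TRACE)):
        print(alert)
```

Six raw events become two alerts: the two nginx shell execs in the same minute collapse into one alert listing both pids, the java exec a minute later is a second, and cron, udevd and the nginx re-exec produce nothing. All of this runs as ordinary user-space code over data the kernel already exposes, which is the point of avoiding a kernel module.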
Different Approaches to Linux Monitoring
Learn more about this better way to do Linux monitoring in our recent blog post.
Customer needs are at the core of Capsule8 Protect
- With Capsule8 Protect in place, security teams can detect active exploits as well as known malware and other security issues.
- Capsule8 Protect prepares your operation with the right telemetry, so you can respond to exploits, cost- and time-efficiently, as they happen.
- Capsule8 Protect supports the way you work. It’s infrastructure and cloud agnostic, cost tunable, and enables you to meet controls that can help you comply with policies. Plus, it’s low maintenance and is suitable for both SecOps and Ops teams.