Many organizations subscribe to IOC feeds. While one of the main purposes is to
support network defense, many Security Operations Centers (SOCs) do not routinely
use these feeds in their operations. Why? It has been our experience, having performed
IOC automation pilots over the last four years, that these feeds are too voluminous and
too noisy: ingesting them into the SOC environment, enriching and investigating each
indicator, determining the appropriate response, and then responding all require
significant resources. There are simply too many IOCs being shared with little to no
context surrounding them, and the technical staff who would have to assess their
relevance and actionability are already at capacity dealing with internal threat
information (i.e., alerts).