February 6, 2026
Robert "RSnake" Hansen

We continue to treat all data feeds as if they carry equal weight. They do not. A feed built on simple pattern matching is limited by that very mechanism. A feed built on direct observation of compromised systems offers a picture of reality that is far harder to fake.
Let me explain with a tale of two companies. First, Fortinet. Its feed is driven by a small group of rules. They either fire or they don’t. When they do fire, the events often appear threatening, even when they come from the copious numbers of harmless researchers or bug bounty hunters who spend their days prodding the edges of the internet. It’s not that the feed is lying, exactly. It’s just that it’s not measuring what people think it is. Anything that resembles a threat gets pulled in. Anything that falls outside the narrow lens of its predetermined detections slips by unnoticed. You get both blind spots and a stream of noise that overwhelms whatever truth is hiding inside it. There is truth, to be clear, but it’s difficult to find.
Contrast that with what Vigilocity gathers. Its signal begins with real infected systems reaching out to botnet command and control infrastructure that Vigilocity has taken over. They watch compromised systems talk to what those systems believe is their command and control infrastructure. They do not guess at compromise based on static rules. They see actual botnet traffic as it unfolds. Random noise may still show up now and then when a researcher pokes at a server, but the volume of that noise is tiny compared to the constant hum of actual compromised hosts checking in.
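An added illustration of the noise-versus-check-in distinction above (not code from this post or from Vigilocity): it groups connections to a sinkholed host by source and labels repeated, evenly spaced check-ins as beaconing. The log format, sample lines, function names and thresholds are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "ISO-timestamp source-ip", one line per connection
# to a sinkholed command and control host (documentation IP ranges).
SAMPLE_LOG = """\
2026-02-01T00:00:05 192.0.2.10
2026-02-01T00:07:41 198.51.100.7
2026-02-01T00:10:02 192.0.2.10
2026-02-01T00:20:09 192.0.2.10
2026-02-01T00:29:58 192.0.2.10
2026-02-01T00:40:03 192.0.2.10
2026-02-01T00:03:00 203.0.113.44
2026-02-01T00:04:10 203.0.113.44
2026-02-01T03:30:00 203.0.113.44
2026-02-01T03:30:02 203.0.113.44
"""

def parse(log_text):
    """Return {source_ip: sorted list of connection datetimes}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src = line.split()
        seen[src].append(datetime.fromisoformat(ts))
    return {src: sorted(times) for src, times in seen.items()}

def classify(times, min_checkins=4, max_cv=0.25):
    """'beaconing' if check-ins are numerous and evenly spaced, else 'sporadic'."""
    if len(times) < min_checkins:
        return "sporadic"  # too few contacts to look like a bot check-in loop
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return "sporadic"
    # Coefficient of variation: low means a steady timer, high means bursts.
    cv = pstdev(gaps) / avg
    return "beaconing" if cv <= max_cv else "sporadic"

def classify_sources(log_text, **thresholds):
    return {src: classify(t, **thresholds) for src, t in parse(log_text).items()}

if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, label)
```

Real bots often add jitter or sleep for long periods, so the assumed thresholds would need tuning per malware family.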
The difference in fidelity is an important one for our industry. One feed is built around what might be dangerous. The other shows what is currently dangerous in real time. Our industry needs to take this distinction more seriously. We have grown too comfortable with low-fidelity data. Better sources exist. What else are you seeing that is high fidelity?