ipTrust Professional


Network Security Expertise
Founded 2008
 Based in Atlanta, GA USA
Executive Team
 Internet Security Systems (ISS) / IBM
 Founded X-Force Research Organization
Commercial Product Launched
 ipTrust product family
 2010 go-to-market
2
Botnets and Malware continue to wreak havoc
Over 290,000 organizations are infected with botnets and malware
Computing power ‘rented out’ to criminals is harder to detect, less likely to get shut down, and massively powerful
Credit card fraud rings, extortion through DDoS, phishing, and spamming attacks are all easier to run using botnets
3
Data Collection
Botnet Harvesting
Attacker Data
Malware & Spam Data
Honeypots & Honeynets
Proxy and Satellite Info
Geolocation
 Enormous coverage of malicious Internet monitoring
 Database of databases, internal and 3rd party data
 24/7 collection and analysis guarantees up-to-date results
4
Collection Example: Botnet Harvesting
(Diagram labels: Internet, Pre-registered Domains, Botnet Sinkhole, CAYMAN)
Sinkhole Technology
 Bot and malware networks utilize multiple domains simultaneously for Command & Control (C&C)
 With the proper intelligence, pre-registering domains used by the botnet allows for visibility into the bot army
 Domain registrations allow command query redirection
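What a sinkhole operator gets out of the pre-registered domains described above, as an added example that is not ipTrust's or Endgame's code: bots beacon to the sinkholed names, the operator records the client addresses, and those addresses become infection notices for the networks that subscribe to them (the notification model the ipTrust Web slide later describes). The domains, botnet family names, log lines and netblocks are all constructed for illustration (documentation address ranges and .invalid names).

```python
"""Added example (not ipTrust/Endgame code): derive per-family infected-host
sets from beacons arriving at sinkholed C&C domains, then filter them to a
customer's own netblocks. All domains, families, log lines and networks are
constructed."""
import ipaddress
from collections import defaultdict

# Constructed: which botnet family each pre-registered (sinkholed) domain serves.
# One family using several domains at once is why two names map to one family.
SINKHOLED_DOMAINS = {
    "cc1.example.invalid": "example-bot-a",
    "cc2.example.invalid": "example-bot-a",
    "upd.example.invalid": "example-bot-b",
}

# Constructed sinkhole web-server log: "<timestamp> <client ip> <Host header> <path>".
SINKHOLE_LOG = """\
2010-06-01T00:00:01Z 203.0.113.5 cc1.example.invalid /gate.php
2010-06-01T00:00:07Z 203.0.113.5 cc2.example.invalid /gate.php
2010-06-01T00:01:02Z 203.0.113.9 upd.example.invalid /u
2010-06-01T00:01:09Z 198.51.100.4 CC1.EXAMPLE.INVALID /gate.php
2010-06-01T00:02:00Z 203.0.113.5 www.example.invalid /
2010-06-01T00:02:30Z not-an-ip cc1.example.invalid /gate.php
"""


def parse_beacons(log_text):
    """Map each botnet family to the set of client IPs that beaconed to one of
    its sinkholed domains. Counting unique IPs rather than hits keeps a chatty
    bot from inflating the numbers; a NAT gateway still shows up as one host."""
    infected = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        src, host = parts[1], parts[2].lower()
        family = SINKHOLED_DOMAINS.get(host)
        if family is None:
            continue  # traffic for a name we do not sinkhole: ignore it
        try:
            infected[family].add(str(ipaddress.ip_address(src)))
        except ValueError:
            continue  # malformed client address in the log line: skip it
    return dict(infected)


def notifications_for(infected, networks):
    """Infection notices limited to the caller's own netblocks: sorted
    (ip, family) pairs for every beaconing host inside those networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    notices = []
    for family in sorted(infected):
        for ip in sorted(infected[family], key=ipaddress.ip_address):
            if any(ipaddress.ip_address(ip) in net for net in nets):
                notices.append((ip, family))
    return notices


if __name__ == "__main__":
    seen = parse_beacons(SINKHOLE_LOG)
    for ip, family in notifications_for(seen, ["203.0.113.0/24"]):
        print(f"{ip} is beaconing to sinkholed {family} infrastructure")
```

Matching on the Host header rather than the destination address is deliberate: all sinkholed names resolve to the same sinkhole, so only the name tells the families apart.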
5
Data Analysis, Storage and Delivery
(Diagram labels: ipTrust Products: Web, Intelligence, Professional; data formats BIN, CSV, TXT, XML; stages Create Map, Reduce, HTTP)

Value Defines

$$I_s = (\text{Short Interval}) = (\text{Hours in a Week}) = 168$$

$$I_m = (\text{Medium Interval}) = (\text{Hours in } \tfrac{1}{4} \text{ Year}) = 2184$$

$$I_l = (\text{Long Interval}) = (\text{Hours in } \tfrac{1}{2} \text{ Year}) = 4368$$

Scoring

$$dT = (\text{Current Time (in Hours)} - \text{Event Time (in Hours)})$$

$$\text{Score} =
\begin{cases}
\left(-\dfrac{dT}{I_s} + 1\right) \times 0.25 + 0.75 & \text{if } dT \le I_s \\[6pt]
\left(-\left(\dfrac{dT}{I_m}\right)^{1.5} + 1\right) \times 0.25 + 0.50 & \text{else if } dT \le I_m \\[6pt]
\left(-\left(\dfrac{dT}{I_l}\right)^{1.5} + 1\right) \times 0.40 + 0.10 & \text{else if } dT \le I_l \\[6pt]
0.10 & \text{else}
\end{cases}$$
1  High-Volume Security Data Flows
2  Map Reduce in the Cloud
3  Real-time Scoring, Deliver Results

When Endgame Systems has never seen an event on a particular IP query, we will always return a score of 0.0. If an event has previously been captured, but sufficient time has lapsed (i.e. no event recorded within the long interval), a score of 0.10 will be returned and that IP address will never decay past 0.10. Additionally, the time periods we picked above are indicative of botnet observations and how rapidly infections diminish.

Research Methodology
Endgame Systems has developed a unique methodology for monitoring behavior analysis on the global Internet via active and passive reconnaissance techniques. Endgame methods produce actionable intelligence by correlating the data and mapping all discovered malicious and compromised interconnected systems.
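The scoring rule from the slide above, carried through in code as an added example that is not ipTrust's or Endgame's implementation. The three intervals, the coefficients and the two boundary rules (an IP never seen scores 0.0; once an event is older than the long interval the score floors at 0.10) are the slide's; the function names and the choice in score_history to score from the most recent event are assumptions.

```python
"""Added example (not ipTrust/Endgame code): the time-decay confidence score
from the 'Data Analysis, Storage and Delivery' slide, as written there, plus
the never-seen (0.0) and floor (0.10) rules from the accompanying note."""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Interval constants exactly as the slide defines them (hours).
I_S = 168    # short interval: hours in a week
I_M = 2184   # medium interval: hours in a quarter year
I_L = 4368   # long interval: hours in a half year


def decay_score(dt_hours: float) -> float:
    """Score for an IP whose most recent event was dt_hours ago.

    Bands: 1.00 -> 0.75 over the first week (linear), 0.75 -> 0.50 over the
    quarter year (power 1.5), 0.50 -> 0.10 over the half year (power 1.5),
    then a constant floor of 0.10."""
    if dt_hours < 0:
        raise ValueError("event time must not be in the future")
    if dt_hours <= I_S:
        return (-(dt_hours / I_S) + 1) * 0.25 + 0.75
    if dt_hours <= I_M:
        return (-((dt_hours / I_M) ** 1.5) + 1) * 0.25 + 0.50
    if dt_hours <= I_L:
        return (-((dt_hours / I_L) ** 1.5) + 1) * 0.40 + 0.10
    return 0.10


def score_ip(last_event: Optional[datetime], now: datetime) -> float:
    """Apply the note's rules: no event on record -> 0.0; otherwise decay from
    the most recent event, never dropping below 0.10."""
    if last_event is None:
        return 0.0
    dt_hours = (now - last_event).total_seconds() / 3600.0
    return decay_score(dt_hours)


def score_history(events: Iterable[datetime], now: datetime) -> float:
    """Score from several event timestamps. Assumption (not stated on the
    slide): the engine scores on the latest observation only."""
    events = list(events)
    return score_ip(max(events) if events else None, now)


if __name__ == "__main__":
    now = datetime(2010, 6, 1, tzinfo=timezone.utc)
    for hours in (0, 24, 168, 720, 2184, 3000, 4368, 8760):
        print(f"event {hours:5d}h ago -> score {decay_score(hours):.3f}")
    print("never seen ->", score_ip(None, now))
```

Reading the bands back: a score of 0.75 or more means the last event is under a week old, 0.50 or more under a quarter year, anything above the 0.10 floor under half a year. That is what makes the score usable as a policy threshold rather than just a number.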
ipTrust Reputation Engine
6
Massive Collection of Security Data
300M IP addresses scored for risk
5.7M IP addresses tracked in last 24 hours
100 TB of stored security event data
1+ TB of malicious events added per week
7
The State of IP Reputation
IP Reputation technology is limited and underutilized
Existing systems (free and commercial)
 Contain incomplete or suspect data
 Do not effectively score risk
 Do not incorporate variety of data sources
Lacks focus on customer value – potential for disruption and growth
8
ipTrust Professional
XML-RPC/REST based API
<100ms response time
Query
3,000+ queries per second
Response
XML, JSON, CSV return formats
Scoring over 250M IPs
 Cloud-based deployment, no hardware to install
 Delivers continuous, actionable information for all IPv4 IP-space
 Enables customers to construct purpose-built, granular controls
 Easy integration via a standards-based web API
9
Sample Request / Response
(Sample response annotated with: Request Status, Confidence Score, Geolocation Information, Security Event Data)
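One of the "purpose-built, granular controls" the API slide refers to, as an added example rather than ipTrust's client code: a risk-based authentication policy that turns a response carrying the four annotated parts (request status, confidence score, geolocation, security event data) into an allow, step-up or block decision. The JSON layout and field names (status, score, geo, events, age_hours), the sample responses and the thresholds are constructed assumptions; the slide shows the response parts, not the real schema. Score semantics follow the scoring slide: 1.0 is a fresh malicious event, 0.0 an IP never seen.

```python
"""Added example (not ipTrust code): evaluate a reputation-API response of
the assumed shape below into an authentication decision. Field names,
sample data and thresholds are constructed for illustration."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses keyed by the queried IP (documentation ranges).
SAMPLE_RESPONSES = {
    "198.51.100.7": {"status": "ok", "ip": "198.51.100.7", "score": 0.91,
                     "geo": {"cc": "US", "as_number": 64500, "org": "Example Hosting"},
                     "events": [{"type": "botnet", "name": "example-bot", "age_hours": 12}]},
    "203.0.113.5": {"status": "ok", "ip": "203.0.113.5", "score": 0.10,
                    "geo": {"cc": "DE", "as_number": 64501, "org": "Example ISP"},
                    "events": [{"type": "proxy", "name": "TOR Exit Node", "age_hours": 4000}]},
    "192.0.2.9": {"status": "ok", "ip": "192.0.2.9", "score": 0.0,
                  "geo": {"cc": "US", "as_number": 64502, "org": "Example Cable"},
                  "events": []},
    "192.0.2.10": {"status": "error", "message": "rate limit exceeded"},
}


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "step_up" (require a second factor) or "block"
    reason: str


def evaluate(response_json: str, expected_cc: Optional[str] = None,
             block_at: float = 0.75, step_up_at: float = 0.50) -> Decision:
    """Turn one API response into a decision. The thresholds line up with the
    scoring slide's bands: >= 0.75 means an event within the last week,
    >= 0.50 within the last quarter year."""
    r = json.loads(response_json)
    # Request Status first: a failed lookup is not evidence of a clean IP,
    # so it demands a second factor rather than silently allowing.
    if r.get("status") != "ok":
        return Decision("step_up", f"reputation lookup failed: {r.get('message', 'unknown')}")
    score = float(r.get("score", 0.0))
    events = r.get("events", [])
    if score >= block_at:
        names = ", ".join(e.get("name", "?") for e in events) or "unspecified"
        return Decision("block", f"score {score:.2f} >= {block_at}; recent events: {names}")
    if score >= step_up_at:
        return Decision("step_up", f"score {score:.2f} >= {step_up_at}")
    # Below the score bands, weaker signals still justify a second factor.
    if any(e.get("type") == "proxy" for e in events):
        return Decision("step_up", "source is a known proxy or anonymiser exit")
    cc = r.get("geo", {}).get("cc")
    if expected_cc and cc and cc != expected_cc:
        return Decision("step_up", f"geolocation {cc} differs from expected {expected_cc}")
    return Decision("allow", f"score {score:.2f}, no risk signals")


def decide_for(ip: str, expected_cc: Optional[str] = None) -> Decision:
    """Look up a constructed sample response (standing in for the HTTP call)
    and evaluate it."""
    return evaluate(json.dumps(SAMPLE_RESPONSES[ip]), expected_cc)


if __name__ == "__main__":
    for ip in SAMPLE_RESPONSES:
        d = decide_for(ip, expected_cc="US")
        print(f"{ip:14s} {d.action:8s} {d.reason}")
```

In a real client the HTTP call behind decide_for should carry a timeout in the region of the slide's sub-100 ms budget and treat a timeout exactly like a non-ok status: a missing answer must not be read as a clean one.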
10
Why ipTrust Professional?
Internet-wide Coverage: Know the risk associated with every new connection at any point in the customer relationship
Real-time Intelligence: Decide how to conduct business with a persistent infected user population
Enterprise Integration: Enhance existing investments in security and anti-fraud systems
Popular Use Cases
 Security Operations Center integration
 Forensics Investigations
 Incident Response
 Safety-net Monitoring
 Risk-based Authentication
 Reputation Services
 Security Technology Integration - OEM
11
ipTrust Professional - Technology Integration
(Diagram of integration points: Network Assessment Scanners; Firewalls and Proxies; Network Security Appliances; Identity and Access Mgmt; Security Info Management; Anti-Fraud Solutions)
 Augment security capabilities with external threat information
 Derive new policies based on reputation (geo, events, score, etc.)
 Boost the detection and performance of existing solutions
 Reduce false positives and cut management overhead
12
ipTrust Professional – Sample Report
The following is an example report that partners can create using the Professional API.
13
ipTrust Intelligence
The ipTrust Intelligence Package provides easy download access to consolidated threat data in a neatly formatted CSV file available daily.
Content includes:
 Botnet Command & Control
 Known Attacker
 Proxy Identification
Known Attacker feed elements
Column Name     Column Description
IP Address      IP address of attacker
Protocol        Protocol being used by the attacker
Port            Destination port being attacked
Attack Type     Type of attack being used
AS Number       Autonomous System Number for BGP Routing
CC              Country code identified via geolocation
Organization    Organization name associated with IP address

Botnet Command & Control feed elements
Column Name     Column Description
Domain          C&C DNS Domain
IP Address      IP address at the time of processing
Protocol        Botnet C&C protocol
Port            C&C Port number
Infection Name  Botnet Infection Name
AS Number       Autonomous System Number for BGP Routing
CC              Country code identified via geolocation
Organization    Organization name associated with IP address
Malware Hash    SHA or MD5 hash of malware sample
Process Date    Date added or analyzed

Proxy Identification feed elements
Column Name     Column Description
IP Address      IP address at the time of processing
Proxy Type      Type of proxy (e.g. Anonymous, Transparent, TOR Exit Node)
AS Number       Autonomous System Number for BGP Routing
CC              Country code identified via geolocation
Organization    Organization name associated with IP address
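The three feed layouts above put to work, as an added example that is not ipTrust's code: each CSV is loaded into a lookup table keyed by IP Address, with malformed rows dropped instead of poisoning the table, and a few firewall log lines are checked against them for C&C callbacks, inbound connections from known attackers and sessions arriving from proxies. The column order is the slide's; the CSV rows (including the PLACEHOLDER_HASH value), the log format and the addresses are constructed.

```python
"""Added example (not ipTrust code): parse the Known Attacker, Botnet C&C and
Proxy Identification feed layouts into lookup tables and match constructed
firewall log lines against them."""
import csv
import io
import ipaddress

# Constructed feed contents in the column order the slide documents.
KNOWN_ATTACKER_CSV = """\
IP Address,Protocol,Port,Attack Type,AS Number,CC,Organization
203.0.113.10,tcp,22,ssh-bruteforce,64496,XX,Example Net
203.0.113.11,tcp,445,smb-scan,64496,XX,Example Net
not-an-ip,tcp,80,http-scan,64496,XX,Example Net
"""
BOTNET_CC_CSV = """\
Domain,IP Address,Protocol,Port,Infection Name,AS Number,CC,Organization,Malware Hash,Process Date
cc.example.invalid,198.51.100.20,http,8080,example-bot,64497,XX,Example Hosting,PLACEHOLDER_HASH,2010-06-01
"""
PROXY_CSV = """\
IP Address,Proxy Type,AS Number,CC,Organization
192.0.2.5,TOR Exit Node,64498,XX,Example ISP
"""

# Constructed firewall log: "<ts> <action> src=.. dst=.. proto=.. dport=..".
FIREWALL_LOG = """\
2010-06-02T10:00:01Z ALLOW src=10.0.0.5 dst=198.51.100.20 proto=tcp dport=8080
2010-06-02T10:00:02Z ALLOW src=203.0.113.10 dst=10.0.0.9 proto=tcp dport=22
2010-06-02T10:00:03Z ALLOW src=192.0.2.5 dst=10.0.0.9 proto=tcp dport=443
2010-06-02T10:00:04Z ALLOW src=10.0.0.7 dst=93.184.216.34 proto=tcp dport=80
2010-06-02T10:00:05Z ALLOW src=10.0.0.8 dst=198.51.100.20 proto=tcp dport=443
"""


def parse_feed(text, key="IP Address"):
    """Return {ip: row} from a feed CSV. Rows with an unparsable IP or an
    out-of-range Port are skipped so one bad line cannot poison the table."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = str(ipaddress.ip_address(row[key].strip()))
            if "Port" in row and not 0 <= int(row["Port"]) <= 65535:
                raise ValueError("port out of range")
        except (ValueError, KeyError, TypeError):
            continue
        table[ip] = row
    return table


def match_log(log_text, attackers, cc_servers, proxies):
    """Return (src, dst, category, detail) findings for log lines touching feed IPs."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        src, dst, dport = kv.get("src"), kv.get("dst"), kv.get("dport")
        if dst in cc_servers:
            row = cc_servers[dst]
            # Same port as the feed entry: far more likely a bot check-in than
            # an unrelated contact with a host that also serves C&C.
            cat = "c2-callback" if dport == row["Port"] else "c2-host-contact"
            findings.append((src, dst, cat, row["Infection Name"]))
        if src in attackers:
            findings.append((src, dst, "known-attacker", attackers[src]["Attack Type"]))
        if src in proxies:
            findings.append((src, dst, "proxy-source", proxies[src]["Proxy Type"]))
    return findings


def run():
    """Load the three constructed feeds and scan the constructed log."""
    return match_log(FIREWALL_LOG, parse_feed(KNOWN_ATTACKER_CSV),
                     parse_feed(BOTNET_CC_CSV), parse_feed(PROXY_CSV))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The C&C feed records the address "at the time of processing", so the Process Date column matters: a C&C address that has since been reassigned will still match, and the c2-host-contact category exists precisely to keep those lower-confidence hits separate from a port-for-port callback.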
14
ipTrust Web – free offering currently in Beta
 Hundreds of botnet variants, spam and malicious activity tracked
 Easy sign-up - set network ranges, notification details and go
 24/7 monitoring and notification of malicious activity emanating from your network
 Condensed, to-the-point reporting, as well as web, email and mobile alerting
 Cloud-based web software - no hardware or software to install
15
ipTrust Partner Pricing
ipTrust
Professional
ipTrust
Intelligence
ipTrust
Web
ipTrust
Awareness
Lightweight API Interface
Daily Intelligence Feed
Web-based Interface
Web-based Interface
Access to Reputation Engine
Robust content channels:
Worldwide, 24/7 Monitoring
Infection Notifications
Bulk and historical lookups
Botnet C&C
Known Attacker
Proxy Identification
Up to 256 IP addresses
Full Feature Set
Weekly Infection Notification
Unlimited IP addresses
Unlimited access
Daily Infection Notification
JSON, XML, CSV output
Rapid Reports
Structured CSV package
Easy download access
Plans start at $5,000/mo
Less than 1¢ per query
Plans start at $160,000/yr
Enhanced Correlation
www.iptrust.com
Free
Robust Reporting
Offering and availability will
depend on shaping and
feedback of Beta program.
Sold via Strategic Partnerships:
 Hosting and Service Providers
 Managed Security Services Providers
 Value Added Resellers
 Technology Partners
16
Thank You
 John Wheeler, VP of Business Development
[email protected]
404-941-3895
 Thomas Zebley, Business Development Manager
[email protected]
404-941-3812
817 West Peachtree Street NW, Suite 770, Atlanta, GA 30308
Main: 404-941-3900
Fax: 404-941-9302
www.iptrust.com
17
ipTrust Professional - Partner API
Priced as an Annual Subscription based on Monthly Query Volume
Product Code        Queries / Month    Price / Month   Price / Query   Queries / Year
IPT-PAR-API-300M    300,000,000        $120,000        0.0004          3,600,000,000
IPT-PAR-API-200M    200,000,000        $100,000        0.0005          2,400,000,000
IPT-PAR-API-100M    100,000,000        $75,000         0.00075         1,200,000,000
IPT-PAR-API-50M     50,000,000         $50,000         0.001           600,000,000
IPT-PAR-API-10M     10,000,000         $20,000         0.002           120,000,000
IPT-PAR-API-5M      5,000,000          $12,500         0.0025          60,000,000
IPT-PAR-API-1M      Up to 1,000,000    $5,000          0.004           12,000,000
18
ipTrust Intelligence - Partner and OEM Feeds
Priced as Annual Subscription
ipTrust Intelligence Package for Partners
 Complements existing partner security intelligence and research
 Can be incorporated into partner workflow to enhance services
Product Code: IPT-PAR-INT-PKG
Intelligence Feed Channels:
• Botnet Command & Control
• Known Attacker
• Proxy Identification
Price / Annual Subscription: $160,000

ipTrust Intelligence Package for OEM Technology Integration
 Designed for resell and repackaging into technology products
 Offers value-add and differentiation in partner technology solutions
Product Code: IPT-PAR-INT-PKG
Intelligence Feed Channels:
• Botnet Command & Control
• Known Attacker
• Proxy Identification
Price / Annual Subscription: Based on Partner Sales Model (units, subscription, etc.)
19