CYBER SECURITY \ REPUTATION-BASED CONNECTION BLOCKING

Reputation-based Connection Blocking

Automatically prevent inbound & outbound connections to known malicious IP addresses.

 

If you were in charge of security would you let anyone in or would you pre-screen visitors and prevent criminals from entering?

All cyber attacks originate from, and are controlled by, a computer somewhere.

The bad news is there are nearly four billion IP addresses in use today creating a noisy, confusing environment in which attackers can hide.

While most cybersecurity products focus on identifying and stopping anomalous activities already on the network, Reputation-based Connection Blocking prevents the majority of those threats from ever connecting to your network in the first place.

Stop Cyber Attack Sign in Red Polygon on Pale Bare Hand. Isolated on White Background..jpeg

How It Works

Our Reputation-based Connection Blocking solution is simple, fast to deploy, and light-weight.

A new IP address connects

A new IP address initiates communication with your firewall or an employee attempts to connect to a new IP address.

IP is Scored

The IP is sent to our cloud service for analysis against over 60+ Threat Intelligence feeds and block lists.

Connection is Blocked

If the IP has a bad reputation we tell your firewall to immediately block the connection now and into the future.

Redemption

If the IPs reputation improves or if the IP gets added to your whitelist your firewall is automatically told to permit connections with that IP.

All Cyber Attacks Originate from an IP Address.

Irrespective of the attack vector, methodology, objective, or its sophistication, every cyber attack must be launched from a computer with an IP address.

reputation-based-connection-blocking-diagram.png

All IP Addresses Can Be Given a Threat Score

The solution correlates data from 60+ Threat Intelligence feeds, uses predictive analytics and compares the IP against the other customer’s experiences to determine an IPs current Threat Score.

The Threat Score is a combination of IP risk and score confidence. A score of 9 indicates a high-risk IP address with a high confidence in that assessment.

Threat Scoring.png
  • Trusted Web-sites

  • Social Media

  • Search Engines

  • Remote Connections

  • Email

  • Untrusted Web-sites

  • Ransomware

  • DDOS Attacks

  • Port Scanners

Stop Threats at the Door

Reputation-based Connection Blocking automatically stops inbound & outbound traffic from connecting with known-bad IPs while letting good traffic flow without interruption.

Clean Traffic.jpg

Real World Examples

The table below presents the number of high risk IPs connecting to each of five small businesses we evaluated for a period of one month.

The table below helps to quantify the constant threat facing all small business networks by cyber criminals worldwide. Certainly, the numbers are alarming: just five small businesses in one month saw not hundreds but thousands of bad actors attempt to connect tens of thousands of times.

The bold number presented is the total, unique IP addresses connecting to the firewall, while the number in parentheses is the total number of times those unique addresses collectively connected (or attempted to connect) to the network. The figures presented are absolute, and are not normalized for the traffic volume of the enterprise.

Analysis Timeframe: The month of March, 2021

Analysis Subjects: the five organizations evaluated in this discussion are:

  • A four-attorney law firm

  • A small-sized K-12 school district

  • A small orthodontics practice with one doctor

  • A 30-employee animal hospital

  • The corporate office of a specialty pharmacy chain

Reputation-based Connection Blocking

Affordable, automated blocking of connections with known or suspected malicious IP addresses.

Signals-Based Intelligence

Predictive Analytics

Community Analytics

Firewall Integration

Web Dashboard

Compatibility

 

Signals-Based Intelligence

 

One of the methods we use to calculate reputation, is Signal-based intelligence. We look at the presence of an IP in a threat intelligence source as a signal of bad activity. We can then look across time and across sources to determine how strong that signal might be at any moment in time. Signals can be weak or strong. The combination of signals and their strength affects our calculation of Threat Score.

Key factors used are:

  • Presence on 60+ Threat Intelligence Feeds

  • Number of Times Observed Seen on Lists

  • Age (how long on lists)

  • Quality of Lists (reputation and accuracy of the list)

  • Correlation of Lists (does the IP show on multiple lists)

Predictive Analytics

 

In some cases, the IP address or domain name we’re scoring doesn’t appear in our Threat Intelligence Library. In this case we use Predictive Analytics to determine if an IP address that is not in our Threat Intelligence Library shares attributes with risky IP addresses that are in our library

The number of shared attributes allows us to predict whether this IP address is likely to be malicious. For example, if our platform is scoring an IP address that was registered yesterday with a less-than-reputable registrar in a nation known to be a source of malicious activity, and with a randomly-generated set of characters for a name, it will be scored as a high-risk IP even it it’s not yet on any threat intelligence lists.

The 2017 WannaCry exploit provides a compelling example of how Predictive Analytics can identify a malicious IP before it’s highlighted as problematic on traditional threat intelligence lists. In its attack, the WannaCry perpetrators used a randomized domain name on their server, meaning the server used to launch the attack was named via a random string of characters, not a name that an organization would typically assign to a server used for legitimate purposes.

Based on this and other criteria, our system assigned the domain name used in the WannaCry exploit with a Threat Score of 8 before that exploit was named or published by other organizations.

Community Analytics

 

Our Reputation-based IP Blocking solution was granted a patent in August of 2020, for it’s unique approach to anonymizing threat data from thousands of customers’ into a real-time data set.

The system uses this real-time data set to to improve the accuracy of scoring and to remove false positives from the data set.

Firewall Integration

 

The Reputation-based Connection Blocking system integrates directly with your firewall by configuring it to send a remote netflow or syslog feed to a custom URL, and to consume a custom generated URL-based block list.

Integration can typically happen within minutes and requires no firewall downtime.

Reputation-based Threat Detection & Blocking.png

Web Dashboard

 

Simple web-based dashboard makes viewing and managing the system easy.

  • View all IPs that connected to your network

    • See their score and if they were blocked

    • Drill into more detail and lookup IPs on public threat intelligence lists

      • Cisco Talos

      • Alienvault OTX

      • AbuseIPDB

      • VirusTotal

    • Manually block lower score threats or unblock false positives

  • Maintain your IP / Domain whitelist

  • See how many connections have been blocked

  • IPs mapped showing their country of origin

web dashboard.jpg

Compatibility

 
  • Cisco

    • Meraki MX

    • ASA with Firepower

  • Palo Alto (PA220, 220R, 800, 3000, 3200, 5200)

  • Sonicwall

    • TZ

    • NSA

  • Fortigate (30, 60, 80, 90, 100, 200, 300, 500, 600, 800, 900)

  • Sophos

    • SG (UTM)

    • XG

  • PfSense

Block Cyber Attacks Before They Happen

Preventing known threats from connecting to your network is as easy as 1, 2, 3.

Step 1

Schedule a Call

During a short call we will review pricing, answer any questions you have and get your account set up.

Step 2

Install Software

We will work with you to configure your firewall(s) and whitelist any required exceptions.

Step 3

Enjoy Decreased Cyber Risk

No administration is required and the system starts blocking threats within minutes.

Click Here