The world’s first comprehensive black list of

Transcription

The world’s first comprehensive black list of
DATA SHEET
The world’s first comprehensive black list of
the Internet’s highest risk IPs
Traditional black lists are often prone to false positives and are usually an aggregation of
other lists, leading to incomplete or poor coverage. As a result, organizations relying on
these lists to protect their business have “blind spots” that can miss high risk traffic and
lead to breaches and compromises.
Norse Darklist is the next generation of black lists. Darklist is a live, continuously updated
list of the three to four million highest risk IPs on the Internet, enabling organizations
to protect their network from external bad actors. Darklist provides a Norse risk score
for each IP, the risk category (such as “botnet” or “Tor proxy”) to provide context to the
score, and latitude and longitude provided by Norse’s superior geolocation capabilities.
Darklist is not just another black list – the information is live, accurate, and contextual.
IP
IPQ
Score
Latitude
Longitude
Country
Category
1.0.243.152
97.1
7.909
98.3332
TH
Protocols
Last Seen
Botnet
Bot
11/19/13 10:21
11/19/13 1:34
31.131.30.210
94.7
33.7257
-84.4309
US
Proxy
IP based
proxy
46.38.7.58
90.7
48.4808
135.093
RU
Bogon
Unadv
IP
unadvertised
11/15/13 1:31
50.22.130.187
100
32.9299
-96.8353
US
Proxy
Web Proxy
11/19/13 8:56
Malware
domain
11/11/13 2:15
54.213.1.27
100
40.5525
-74.2915
US
Passive
DNS
79.19.216.131
99.3
41.9
12.4833
IT
Proxy
Tor Exit
11/17/13 1:13
124.228.42.141
94.2
26.8881
112.615
CN
Malware
Malware URL
11/18/13 3:02
Darklist provides a list of the top three to four million highest risk IP addresses on the Internet
with a risk score and critical context for each.
Norse Darklist can be integrated into customers’ SIEMs or other security solutions for
alerting on high-risk connections, forensics, and advanced threat notification. Norse
Darklist delivers a level of visibility into the Internet’s most dangerous IP addresses
unmatched by any other solution. Darklist leverages Norse’s DarkMatter™ live attack
intelligence platform to deliver a compilation of three to four million IP addresses from
across the globe, spanning the entire Internet. The Norse platform identifies high risk IPs
through a myriad of methods including millions of honeypots, anonymous proxy (such
as Tor) usage, custom crawlers, and more.
When the DarkMatter platform identifies a malicious IP it analyzes it and assigns it a
risk score between 0 and 100 based on the IP’s history and type of malicious activity.
High risk IPs are added to Darklist within five seconds of identification, so each time
a customer requests a new Darklist they can be assured that it is always up to date.
Darklist Use Cases:
•
•
•
•
•
Integration with SIEM for alerting
on high risk connections
Import into NGFW or IPS to
block known bad IPs
Integration with SIEM for
correlation with anomalies
for Advanced Persistent
Threat (APT) identification
Integration with SIEM for
post-attack forensics
Integrate with security
operations center processes
for faster incident response
“The number of attackers
and their sophistication is
constantly growing, and
traditional IP black lists with
only tens or hundreds of bad
IPs don’t scratch the surface.
Norse’s Darklist of millions of
continuously updated high
risk IPs has real potential to
help customers proactively
identify threats within their
networks and prevent
serious breaches.”
Richard Stiennon
Chief Research Analyst,
IT Harvest
norse-corp.com
DATA SHEET
Darklist is available via a simple RESTful API query (manual or automated) and returned in CSV format for integration into customers’ SIEMs, IPS,
NGFW, or other security solutions.
Key Features
•
•
•
•
•
Solution Benefits
API-based retrieval enables user-configurable update
frequency – weekly, daily, hourly or more frequently
Differential updates ensure low bandwidth usage
Norse IPQ risk score provides a simple risk
weighted scoring system
Advanced geolocation capabilities enable scoring of
transactions and connections based on an IP address’
geographical location
Millisecond API response time delivered via a
simple, flexible REST API.
•
•
•
•
Delivers the top 3 to 4 million highest risk IPs for comprehensive network protection
Intelligence gathered by Norse’s threat intelligence platform
is available in Darklist within seconds, ensuring the blacklist is
always up to date
API-driven delivery enables simple integration with
other security solutions
IP risk category and protocol provides context for
the Norse risk score
.
ABOUT NORSE
Norse is the global leader in live attack intelligence. Norse delivers continuously-updated and unique Internet and darknet intel that helps organizations detect and block attacks that other
systems miss. The superior Norse DarkMatter™ platform detects new threats and tags nascent hazards long before they’re spotted by traditional “threat intelligence” tools. Norse’s globally
distributed “distant early warning” grid of millions of sensors, honeypots, crawlers and agents deliver unique visibility into the Internet – especially the darknets, where bad actors operate. The
Norse DarkMatter™ network processes hundreds of terabytes daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products tightly integrate
with popular SIEM, IPS and next-generation Firewall products to dramatically improve the performance, catch-rate and security return-on-investment of your existing infrastructure.
© 2014, Norse Corporation. All rights reserved.
Silicon Valley
St. Louis
1825 South Grant Street, Suite 635
San Mateo, CA 94402 | 650.513.2881
101 South Hanley Road, Suite 1300
St. Louis, MO 63105 | 314.480.6450
norse-corp.com