DATA SHEET

The world’s first comprehensive black list of the Internet’s highest risk IPs

Traditional black lists are often prone to false positives and are usually an aggregation of other lists, leading to incomplete or poor coverage. As a result, organizations relying on these lists to protect their business have “blind spots” that can miss high risk traffic and lead to breaches and compromises.

Norse Darklist is the next generation of black lists. Darklist is a live, continuously updated list of the three to four million highest risk IPs on the Internet, enabling organizations to protect their network from external bad actors. Darklist provides a Norse risk score for each IP, the risk category (such as “botnet” or “Tor proxy”) to provide context to the score, and latitude and longitude provided by Norse’s superior geolocation capabilities. Darklist is not just another black list – the information is live, accurate, and contextual.

| IP | IPQ Score | Latitude | Longitude | Country | Category | Protocols | Last Seen |
|---|---|---|---|---|---|---|---|
| 1.0.243.152 | 97.1 | 7.909 | 98.3332 | TH | Botnet | Bot | 11/19/13 10:21 |
| 31.131.30.210 | 94.7 | 33.7257 | -84.4309 | US | Proxy | IP based proxy | 11/19/13 1:34 |
| 46.38.7.58 | 90.7 | 48.4808 | 135.093 | RU | Bogon Unadv | IP unadvertised | 11/15/13 1:31 |
| 50.22.130.187 | 100 | 32.9299 | -96.8353 | US | Proxy | Web Proxy | 11/19/13 8:56 |
| 54.213.1.27 | 100 | 40.5525 | -74.2915 | US | Passive DNS | Malware domain | 11/11/13 2:15 |
| 79.19.216.131 | 99.3 | 41.9 | 12.4833 | IT | Proxy | Tor Exit | 11/17/13 1:13 |
| 124.228.42.141 | 94.2 | 26.8881 | 112.615 | CN | Malware | Malware URL | 11/18/13 3:02 |

Darklist provides a list of the top three to four million highest risk IP addresses on the Internet with a risk score and critical context for each.

Norse Darklist can be integrated into customers’ SIEMs or other security solutions for alerting on high-risk connections, forensics, and advanced threat notification. Norse Darklist delivers a level of visibility into the Internet’s most dangerous IP addresses unmatched by any other solution.

Darklist leverages Norse’s DarkMatter™ live attack intelligence platform to deliver a compilation of three to four million IP addresses from across the globe, spanning the entire Internet. The Norse platform identifies high risk IPs through a myriad of methods including millions of honeypots, anonymous proxy (such as Tor) usage, custom crawlers, and more. When the DarkMatter platform identifies a malicious IP it analyzes it and assigns it a risk score between 0 and 100 based on the IP’s history and type of malicious activity. High risk IPs are added to Darklist within five seconds of identification, so each time a customer requests a new Darklist they can be assured that it is always up to date.

Darklist Use Cases:

• Integration with SIEM for alerting on high risk connections
• Import into NGFW or IPS to block known bad IPs
• Integration with SIEM for correlation with anomalies for Advanced Persistent Threat (APT) identification
• Integration with SIEM for post-attack forensics
• Integrate with security operations center processes for faster incident response

“The number of attackers and their sophistication is constantly growing, and traditional IP black lists with only tens or hundreds of bad IPs don’t scratch the surface. Norse’s Darklist of millions of continuously updated high risk IPs has real potential to help customers proactively identify threats within their networks and prevent serious breaches.”
Richard Stiennon, Chief Research Analyst, IT Harvest

Darklist is available via a simple RESTful API query (manual or automated) and returned in CSV format for integration into customers’ SIEMs, IPS, NGFW, or other security solutions.

Key Features

• API-based retrieval enables user-configurable update frequency – weekly, daily, hourly or more frequently
• Differential updates ensure low bandwidth usage
• Norse IPQ risk score provides a simple risk weighted scoring system
• Advanced geolocation capabilities enable scoring of transactions and connections based on an IP address’ geographical location
• Millisecond API response time delivered via a simple, flexible REST API

Solution Benefits

• Delivers the top 3 to 4 million highest risk IPs for comprehensive network protection
• Intelligence gathered by Norse’s threat intelligence platform is available in Darklist within seconds, ensuring the blacklist is always up to date
• API-driven delivery enables simple integration with other security solutions
• IP risk category and protocol provide context for the Norse risk score

ABOUT NORSE

Norse is the global leader in live attack intelligence. Norse delivers continuously-updated and unique Internet and darknet intel that helps organizations detect and block attacks that other systems miss. The superior Norse DarkMatter™ platform detects new threats and tags nascent hazards long before they’re spotted by traditional “threat intelligence” tools. Norse’s globally distributed “distant early warning” grid of millions of sensors, honeypots, crawlers and agents delivers unique visibility into the Internet – especially the darknets, where bad actors operate. The Norse DarkMatter™ network processes hundreds of terabytes daily and computes over 1,500 distinct risk factors, live, for millions of IP addresses every day. Norse products tightly integrate with popular SIEM, IPS and next-generation Firewall products to dramatically improve the performance, catch-rate and security return-on-investment of your existing infrastructure.

© 2014, Norse Corporation. All rights reserved.

Silicon Valley: 1825 South Grant Street, Suite 635, San Mateo, CA 94402 | 650.513.2881
St. Louis: 101 South Hanley Road, Suite 1300, St. Louis, MO 63105 | 314.480.6450

norse-corp.com