BrightCloud IP Reputation Service for Security Information & Event Management (SIEM)


Detect, Alert & Respond to Known Bad IPs & Unknown Malicious IPs in SIEM

Faced with an onslaught of perimeter breaches, targeted attacks and unknown threats, even large and well-funded IT security organizations may struggle to detect and respond to incidents in a timely fashion, increasing the risk of data theft. Many breaches can go undetected for months because enterprises lack real-time insight into emerging threats.

One of the most effective ways to decrease this "time exposed to danger" is with predictive threat intelligence which correlates multiple attack vectors, such as URLs, IPs, files and mobile apps, to identify known threats, and accurately predict which unknown objects are likely to be malicious. This highly-accurate, real-time intelligence can eliminate or greatly reduce the effects of an attack by detecting malicious activities as soon as possible so InfoSec teams can quickly respond, investigate and remediate.

BrightCloud IP Reputation Service for SIEM integrates BrightCloud's highly-accurate, constantly updated predictive IP threat intelligence into SIEM environments. This enables the SIEM solution to correlate real-world IP threat data from BrightCloud against IP logs, identify malicious activity from known bad IPs and unknown malicious IPs in real time, and alert InfoSec teams so they can quickly investigate, respond to active endpoint breaches, or even take proactive action by sending attacking IPs to a firewall for blocking.

BrightCloud IP Reputation Service catches unknown, malicious IP threats with predictive threat intelligence

BrightCloud IP Reputation Service is powered by the Webroot Intelligence Network, an advanced, cloud-based threat analysis platform which continuously collects real-world data from tens of millions of protected endpoint and network devices around the world, as well as from a vast array of internet sensors and global threat databases.

In order to identify known bad IPs and predict the likelihood of an unknown IP being malicious, the Webroot Intelligence Network analyzes the behavioral history of all ~4.3 billion IPv4 addresses as well as their contextual relationships with other objects (IPs, URLs, files and mobile applications). This is made possible by a big data architecture which includes technologies such as Cassandra, 3rd-generation machine learning (Maximum Entropy Discrimination) and a massive number of classifiers (e.g. 400 IP classifiers that can classify 20,000 IPs per second). Not only does this provide higher accuracy than human-based analysis, but it also provides several unique benefits:

1. Accurately predicts the likelihood that a never-before-seen IP is malicious based on its relationships with other IPs, URLs, files and mobile apps

2. Continuously updates risk prediction using behavioral analysis as well as contextual relationships between objects to reduce false positives and missed threats

3. Predicts which other malicious IPs, URLs, files or mobile apps are likely to attack in the future

The Webroot Intelligence Network then assigns an IP reputation score to each of the ~4.3 billion IPv4 addresses to indicate the likelihood of it being malicious, and updates this reputation score every five minutes with new behavioral data and contextual relationships with other objects. BrightCloud IP Reputation Service exposes this predictive IP reputation score so it can be easily consumed by enterprises to detect malicious IP activity.

IP reputation score, category, description and number of IPs in each category (counts are those given for the three bands that list one):

1-20, High Risk IPs (~12 million): There is a high risk that these IPs will deliver attacks to your infrastructure and endpoints in one of the following categories: botnets, Windows exploits, web attacks, phishing, anonymous proxies, spam sources and scanners.

21-40, Suspicious IPs: There is a higher than average risk that these IPs will deliver attacks to your infrastructure and endpoints in one of the aforementioned categories.

41-60, Benign IPs (~882 million): These IPs have exhibited some potential risk characteristics. There is some risk that they will deliver attacks to your infrastructure and endpoints.

61-80, Low Risk IPs: These IPs rarely exhibit characteristics that expose your infrastructure and endpoints to security risks. There is a low risk of attack.

81-100, Trustworthy IPs (~3.4 billion): These are clean IPs that have not been tied to a security risk. There is very low risk that your infrastructure and endpoints will be exposed to attack.
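The correlation the page describes (SIEM log IPs looked up against the reputation feed, bucketed by the score bands above, alerted on, and optionally pushed to a firewall ACL) is shown below as an added example. It is not BrightCloud, LogRhythm or Splunk code: the reputation dictionary, the key=value firewall log format, the internal address ranges and the alert/block thresholds are all constructed assumptions, and the real service would be queried instead of the in-memory dictionary.

```python
import ipaddress
import re
from dataclasses import dataclass

# Score bands from the table on this page: 1-100, lower means riskier.
BANDS = (
    (1, 20, "High Risk"),
    (21, 40, "Suspicious"),
    (41, 60, "Benign"),
    (61, 80, "Low Risk"),
    (81, 100, "Trustworthy"),
)

# Constructed stand-in for the reputation lookup (assumption: a real deployment
# queries the vendor feed). An IP missing here is treated as unscored, never as clean.
REPUTATION = {
    "203.0.113.7": 12,     # High Risk
    "198.51.100.23": 35,   # Suspicious
    "192.0.2.55": 92,      # Trustworthy
    "192.0.2.200": 55,     # Benign
}

# The organisation's own address space (assumed). Listed explicitly because
# ipaddress.is_private is also True for the RFC 5737 documentation ranges used
# in the sample logs, which would wrongly classify those peers as internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines in a simplified key=value firewall format.
LOGS = """
2024-03-01T10:00:01Z fw01 allow src=10.0.0.15 dst=203.0.113.7 dport=443
2024-03-01T10:00:02Z fw01 allow src=198.51.100.23 dst=10.0.0.80 dport=22
2024-03-01T10:00:03Z fw01 allow src=10.0.0.15 dst=192.0.2.55 dport=80
2024-03-01T10:00:04Z fw01 allow src=10.0.0.21 dst=10.0.0.80 dport=445
2024-03-01T10:00:05Z fw01 deny src=192.0.2.200 dst=10.0.0.80 dport=3389
2024-03-01T10:00:06Z fw01 allow src=10.0.0.15 dst=192.0.2.99 dport=8080
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>allow|deny) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def band_for(score):
    """Map a 1-100 reputation score to its band name; reject anything else."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score outside 1-100: {score!r}")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

@dataclass
class Alert:
    ts: str
    direction: str     # "inbound" (external source) or "outbound" (external destination)
    external_ip: str
    internal_ip: str
    dport: int
    score: int
    band: str
    block: bool        # policy says push this IP to the firewall ACL

def correlate(lines, reputation, alert_max_score=40, block_max_score=20):
    """Flag log lines whose external peer scores at or below alert_max_score.
    Default policy: alert on High Risk and Suspicious, auto-block only High Risk."""
    alerts = []
    for raw in lines.strip().splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue                      # unparseable line: skip, do not crash the pipeline
        try:
            src_int, dst_int = is_internal(m["src"]), is_internal(m["dst"])
        except ValueError:
            continue                      # malformed address
        if src_int and dst_int:
            continue                      # no external peer to score
        if src_int:
            direction, external, internal = "outbound", m["dst"], m["src"]
        else:
            direction, external, internal = "inbound", m["src"], m["dst"]
        score = reputation.get(external)
        if score is None or score > alert_max_score:
            continue                      # unscored, or not risky enough to alert
        alerts.append(Alert(m["ts"], direction, external, internal, int(m["dport"]),
                            score, band_for(score), score <= block_max_score))
    return alerts

def acl_entries(alerts):
    """Deduplicated deny rules (generic IOS-style text) for alerts marked for blocking."""
    return sorted({f"deny ip host {a.external_ip} any" for a in alerts if a.block})

if __name__ == "__main__":
    found = correlate(LOGS, REPUTATION)
    for a in found:
        print(f"{a.ts} {a.direction:8} {a.external_ip:15} score={a.score:3} "
              f"{a.band:10} -> {a.internal_ip}:{a.dport} block={a.block}")
    print("\n".join(acl_entries(found)))
```

On the sample input this yields two alerts: an outbound connection to the High Risk address (marked for blocking) and an inbound SSH attempt from the Suspicious address (alert only). The Trustworthy and Benign peers and the internal-to-internal line are ignored, and the unscored address is skipped rather than assumed clean. Keeping the block threshold stricter than the alert threshold matters when the SIEM action pushes entries to a firewall: a Suspicious-band false positive costs an analyst a look, while an automatic deny can cut off a legitimate partner.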

BrightCloud IP Reputation Service for LogRhythm

BrightCloud IP Reputation Service for LogRhythm integrates highly-accurate, real-time threat intelligence from the BrightCloud IP Reputation Service into the LogRhythm environment for advanced monitoring, alerting and correlation analysis. It enables LogRhythm to detect malicious IP activities and invoke customer-defined actions such as adding attacking IPs to a firewall ACL.

BrightCloud IP Reputation Service for Splunk

BrightCloud IP Reputation Service for Splunk enables enterprises to easily integrate BrightCloud predictive IP threat intelligence into their Splunk environment. Splunk can then correlate it with the IP traffic data it indexes, detect malicious IP activity in both incoming and outgoing traffic, alert infosec teams to such activity, and provide additional contextual information on the malicious IPs so the infosec teams can respond and remediate quickly before that activity leads to a security breach.