Summary


ThreatSTOP is an Internet security service that protects enterprise networks from bots, trojans, spam, viruses and other forms of "malware." The company has established relationships with a wide variety of partners that are part of the Internet monitoring community. Using a proprietary analytics engine, ThreatSTOP reduces the data provided by millions of Internet sensors down to a dynamic list of the currently most active and most dangerous sources of network attacks and bot control. This list is then applied to our customers' firewalls to stop not only inbound attacks but also compromised computers calling home.



Benefits

Inbound Threat Blocking



Outbound Data Theft Protection



Automation



Web Based Management and Reporting



Implementation Details

ThreatSTOP users apply the ThreatList to firewalls by adding two simple rules: one to block inbound traffic from addresses on the ThreatList and a second to block outbound traffic to these addresses. Precisely how these rules are applied depends on the type of firewall (see the list of firewalls that can run ThreatSTOP), but there are a number of common elements that make up the ThreatSTOP solution.

Customized Profiles

When a customer subscribes to the ThreatSTOP service, a profile of the customer's IT environment is created. If, for example, you have no business at all with a country such as China (or Korea or Russia, which are other sources of many attacks), then the entire country can be blocked. You can also ensure that you abide by legal requirements so that, for example, if you run an auction site you can block all visitors from France.

Using this profile, ThreatSTOP periodically updates a personalized subset of the active threat list as a "block list" in the customer's network firewalls. Every 2-4 hours each firewall downloads the latest list and applies it automatically, making sure that it is protected against the most recent threats.

Any connection attempt from a system on the block list is immediately dropped at the perimeter of the enterprise.

Any connection from an internal system out to an address on the list is also blocked, thereby isolating a compromised machine.

Outbound attempts are typically also logged so that the machine can be cleaned.
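The two-rule behavior described above can be sketched as follows. This is an added example, not ThreatSTOP code: the block list entries, internal ranges, flows and function names are all constructed for illustration (the addresses come from documentation ranges, not real threat data).

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for a downloaded block list.
BLOCK_LIST = ["198.51.100.0/24", "203.0.113.7/32"]
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]  # assumed internal address space
SAMPLE_FLOWS = [  # (source, destination) of each connection attempt
    ("198.51.100.23", "10.0.0.5"),
    ("10.0.4.17", "203.0.113.7"),
    ("10.0.4.17", "198.51.100.99"),
    ("10.0.0.5", "192.0.2.10"),
    ("192.168.1.20", "203.0.113.8"),
]

def load_networks(entries):
    """Parse CIDR strings into network objects; a bad entry raises ValueError."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def evaluate(src, dst, block, internal):
    """Decide the action for one connection attempt under the two rules."""
    if in_any(src, block):
        return "drop-inbound"        # rule 1: traffic from a listed address
    if in_any(src, internal) and in_any(dst, block):
        return "block-outbound-log"  # rule 2: internal host calling a listed address
    return "allow"

def triage(flows, block_entries=BLOCK_LIST, internal_entries=INTERNAL_NETS):
    """Return (actions, suspects): one action per flow, plus the internal hosts
    whose outbound attempts hit the block list and the destinations they tried."""
    block = load_networks(block_entries)
    internal = load_networks(internal_entries)
    actions, suspects = [], {}
    for src, dst in flows:
        action = evaluate(src, dst, block, internal)
        actions.append(action)
        if action == "block-outbound-log":
            suspects.setdefault(src, set()).add(dst)
    return actions, {host: sorted(dsts) for host, dsts in suspects.items()}

if __name__ == "__main__":
    actions, suspects = triage(SAMPLE_FLOWS)
    for flow, action in zip(SAMPLE_FLOWS, actions):
        print(flow, "->", action)
    print("hosts to clean:", suspects)
```

The `suspects` mapping is the part that supports cleanup: it groups logged outbound blocks by internal host, so a machine that repeatedly calls listed addresses stands out.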


Reputation and Policy

The IP addresses on a ThreatSTOP active threat list have all earned a "reputation" of being a current active source of network attacks or other malicious intent based on observed behavior. By being able to block every connection attempt to or from these addresses, an enterprise significantly decreases the risk of being compromised.


The Domain Name Service (DNS)

ThreatSTOP leverages the scalability and pervasiveness of the Internet's Domain Name Service (DNS) to reliably propagate threat intelligence as enforceable policy. Using standard DNS protocols, ThreatSTOP delivers the active threat lists via a private, secure DNS system.

The ThreatSTOP threat intelligence service requires no special hardware or traffic re-routing and is wholly managed through a Web service.


Implementation on Your Firewalls etc.

To use ThreatSTOP, your firewall(s) and other traffic management devices resolve the domain _threatstop.local_ through our private DNS. You then use special lookups that tell you what to block or whitelist in your rules. The lookups are updated by your devices querying our nameservers, and logs are uploaded by you.

ThreatSTOP does not take control of your systems in any way. All communication is initiated by your devices. You control synchronization, update, and log submission activity and schedule.


Discover which firewalls can run ThreatSTOP and read more about our service in the FAQ.