Security Insider Interview Series: John McArthur, Senior Product Manager, IP Intelligence; and Rupert Young, Senior Director Software Engineering, Data Compilation and Identity, Neustar

Every internet connection is based on one irrefutable bit of data—the IP address. Neustar’s John McArthur and Rupert Young talk about IP Intelligence and its applications for everything from preventing fraud to using targeted marketing.

How do you define IP Intelligence?

McArthur: IP Intelligence is a set of objective and subjective ways of evaluating IP addresses. The objective measures are, ‘What is its location? What country does it belong to? What state, city, postal code?’ We’re also talking about the connection type and line speed, and ownership details around the IP address. There’s also enhanced intelligence to determine if the address is associated with a proxy that might be used to obfuscate details about its owner.

The subjective measures involve scoring the IP addresses based on analysis. How certain are we it belongs in that location? And scoring its reputation—how likely is it a real user versus some sort of server or bot? How likely is this IP address being used to do something malicious?

Young: We went with the word ‘Intelligence,’ because often people think of an IP address as purely a location. There’s a lot more you can know than just purely knowing where it may be coming from.

What are some of the primary use cases for IP Intelligence data? Is it more for intelligence gathering or more geared toward proactively preventing inbound threats?

McArthur: The use cases run the gamut from marketing to cybersecurity and fraud protection. Should I target an ad campaign based on where they are? If it’s from Spain, for example, should I display a web site in Spanish?

And there are certainly compliance, fraud, and security use cases. Compliance might relate to certain goods and services only available in certain areas, like the ability to watch sports on-line within sports blackout restrictions. When talking about fraud and cybersecurity, when we see an IP address that may be attached to a proxy, do I want to flag that before allowing further action? 

Young: That one piece of data you always have when someone is connecting is their IP address. You may have a cookie, you may have some mobile ID, but you always have an IP address. That’s a baseline piece of data you can attach to other types of data about that user to either help enhance the user experience or try to stop malicious intent.

How do you use IP-geolocation to defend against threats?

McArthur: The most basic thing to do with IP geolocation is just block the session if it comes from a risky area. If you have additional information—like an account number or billing address—and you start to see transactions from locations that don’t line up, that’s a red flag. You might want to put that transaction through some secondary authentication.

How do you precisely track specific IP addresses back to their source?

McArthur: We rely on a variety of sources. Some are publicly available such as where IP addresses are registered and allocated. That’s our baseline for mapping the internet. From there, we enrich the data. We also work with trusted partners. We take all those data sources and have a formula for coming up with the best answer. We do an extreme amount of vetting before letting new data sources into our system.

Young: Each data source has its own different types of errors. But if you look at all of them together, then you get a better view. They all make sense together. And that’s part of the challenge—measuring the potential error.

How do you handle cases with those who ping their Internet signal all around the globe to prevent detection?

McArthur: That really depends on your use case. If you’re doing a transaction and can’t readily ID where the user is coming from, you may be talking about fraudulent account access. That’s probably when you would ask a secondary question or just block the transaction outright. When it comes to proxies and VPNs, you want to ensure you’re using other information to corroborate the true identity of this person to prevent fraud or malicious activity.

How much of the process is automated and how much requires human intervention?

McArthur: The data collection itself is automated. The manual intervention and the team of NGAs (network geography analysts) are involved in the QA checks. They take a pulse check to make sure the data makes sense. They also do additional research on reference data, such as cities and postal codes, identifying new organizations, and keeping that up to date.

Young: The NGAs are placing a lot of structural framework into which the automated data can flow. Then when we collect the data, it has an attachment point. The NGAs also research the data and determine where they think an IP or block of IPs may be. That’s a key feature for law enforcement and compliance.

What do you see for the future of IP Intelligence? What are some anticipated technological advances as well as new or expanded usage cases?

McArthur: IP Intelligence has been based on the IPv4 protocol, and that space is effectively running out of addresses. The green field is IPv6, so the focus will be on IPv6 as that continues to grow. We’re also focusing on tailoring the IP Intelligence data we have and working with customers to create custom feeds to enrich their data for the purposes of minimizing fraud and stopping unauthorized account access. We’re working together, instead of just providing them with data.

Young: There is so much more data than there used to be. Obviously, an IP address is a bridge, but it only works if you’re being smart about it. You have to tie all those things together. We can bring the logic we use in our own process to help customers with their data.


Copyright © 2017 IDG Communications, Inc.