sponsored

Reputation Counts When It Comes to Assessing IP Address Risks

Neustar

In the shadowy world of cybersecurity, obvious and indisputable threats are more the exception than the rule. If that weren’t the case, it would be a lot simpler to identify and counter malicious actors, traffic, and websites. In practice, the best that defenders can often hope for are tools to help them sift through the shades of gray a potential threat exhibits to bolster their confidence that it is either dangerous or benign.

That’s certainly the case when it comes to evaluating the risks associated with IP addresses. Little is black and white in the IP address realm. While large institutional IP addresses remain fairly stable, many more addresses are constantly being used and reassigned. That means that an address once associated with an attack may no longer be a threat, while one previously thought safe may now be up to no good.

As a result, determining the reputation of any given IP address is far from a trivial undertaking. Doing so requires staggering volumes of data about the billions of IP queries occurring daily, along with other markers that, together, can help evaluate the risk associated with any individual IP address.

In an earlier post, we mentioned the IP Reputation service offered by Neustar as part of its security services portfolio. It’s worth exploring this service in a bit more detail to explain how it solves the IP reputation paradox.

The Neustar IP Reputation service provides two scores for an individual IP address: how likely it is that traffic from the IP comes from a human rather than an automated bot, and the risk associated with the address based on its history of malicious activity. The first of these assessments generates a “Real User Score” rated from 1 to 5, with 5 being a strong indication the traffic is bot-driven.

The second assessment produces a 100-level “Risk Score,” with 1 being the safest rating and 100 being the strongest red-flag warning. To arrive at this score, Neustar monitors and analyzes on the order of 100 billion IP queries each day.

The combination of these two assessments, along with their respective rating scales, gives organizations the ability to set more nuanced security policies than would otherwise be possible. For example, many bots, including search bots that scrape websites, are “good” bots that pose no threat. If such a bot is coming from a high-risk IP address, though, a company may still decide to block it.

Organizations can also decide at what risk levels to automate the blocking of an IP address or take some other action, and when to bring human security or fraud analysts into the decision flow. A company might, for instance, automatically block an IP address with a Real User Score of 4 or 5, and a Risk Score of 70 or higher.

Neustar’s IP Reputation service gives companies a way to shine some light into the IP address shadows. As such, it can serve as a critical element of a comprehensive cybersecurity infrastructure.