Frequently Asked Questions

General

What are the benefits of integrating BrightCloud Threat Intelligence services?

Adding BrightCloud features and functionality to a security, network, or other solution adds significant value without forcing the partner to build a new technology/core competency or make a large investment in integration development. BrightCloud Threat Intelligence services are designed to give embedded security partners:

  • Complementary layers of security which are in high demand from their end customers.
  • A technology service that can be integrated across the full range of OEM product lines.
  • Partner-owned and branded services that can be sold through existing channels without channel conflict or customer ownership issues.

Because the cloud-based model scales across all types of devices, from smallest to largest, remote offices to enterprise data centers, BrightCloud Threat Intelligence services are flexible enough to address virtually any class of customer need.


How is BrightCloud Threat Intelligence generated?

BrightCloud Threat Intelligence is derived from data from millions of sources, including real-world endpoints and our embedded security partners. Select data points are correlated across URLs, IP addresses, files, and mobile apps to enable predictive determinations on where threats may emerge, based on a guilt-by-association model.


How does licensing and pricing work?

Our partners have the freedom to integrate BrightCloud Threat Intelligence services in the manner that makes the most sense for them. We provide flexible pricing models to suit partners’ business needs. Contact us for further information.


What technology advantages do BrightCloud services offer?

Adding BrightCloud features and functionality to an existing solution brings a variety of benefits:

  • Very rarely requires an increased hardware profile
  • Integrates directly with the partner's management console, policy engine, and reporting infrastructure
  • Scales across the partner's product lines, from solutions for SMBs to those for remote offices or roaming machines, to the data center
  • Allows development efforts to be leveraged across the same range of product lines


How hard is it to integrate BrightCloud Threat Intelligence services?

You can integrate BrightCloud services across quick and lightweight development cycles, where typical development times range from one to four developer/QA months combined, depending on the complexity of the policy engine, reporting infrastructure, and management console with which the services are integrated. Reference platforms are available as development guides, as are performance metrics and testing services.


How are the SDKs updated and maintained?

BrightCloud will occasionally release new versions containing the latest product features and enhancements to the BrightCloud Threat Intelligence SDK and Streaming Malware Detection SDK. Although older SDK versions will continue to be supported, we recommend customers update to the latest versions whenever possible to ensure optimal functionality. Furthermore, updates to the Streaming Malware Detection SDK may require additional system resources.


Where can I find technical documentation on BrightCloud services?

Technical documentation for SDK usage, including example requests and expected responses, is available to our embedded security partners. Contact us for more information.


Web Classification and Web Reputation

What integration options does BrightCloud offer?

The BrightCloud Web Classification and Web Reputation services are available through a RESTful API service and through the BrightCloud Threat Intelligence SDK. We recommend your integration combine a daily database download with cloud calls for URLs not found in the local database. In addition, customers can download real-time updates to the local database and build a dynamic local cache to resolve the majority of URL lookups locally.


How do I use this product?

The SDK can be configured and modified on the client's end to suit a number of integrations. We provide local database options ranging from 17 to 430 MB in size, depending on the desired configuration, with additional storage capacity needed during daily update windows (generally less than 1 MB per update).


How is the data updated and maintained?

Full updates for the databases are published once per day and contain the latest categorization information for all URLs in the database. We recommend customers download real-time updates, which are published every 5 minutes, to stay up-to-date on the latest categorization and reputation changes.


What kind of performance can I expect?

Network latency is affected by a variety of factors, including bandwidth, congestion, and hardware resources. However, BrightCloud requests extend the time it takes to fully load a web page by only a nominal 5-10%, which is virtually unnoticeable to end users. In addition, using the local database and caching further reduces the time to resolve a request to microseconds.


What's the difference between Web Reputation Score and Domain Safety Score?

The Web Reputation Score primarily evaluates the predicted risk of a domain, but it also considers full URLs in situations where there are security risks on the page. The Domain Safety Score was developed as the next iteration of scoring, with the goal of helping our customers address the increasing reliance on domain-only traffic visibility. The Domain Safety Score leverages patented machine learning technology to evaluate domains based on their attributes, such as certificate and registration information, and their current and historic user traffic patterns. Both the Web Reputation Score and Domain Safety Score can be used to evaluate the riskiness of the domain. Customers should choose which score to use based on their level of traffic visibility.


IP Reputation

What integration options does BrightCloud offer?

The IP Reputation service is available through a RESTful API service and the BrightCloud Threat Intelligence SDK. Our recommended integration includes a daily download of a dynamic list of blacklisted IPs, with API calls for additional contextual intelligence, such as geo data and threat history. IP threat categories include Spam Sources, Windows Exploits, Web Attacks, BotNets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Mobile Threats, and TOR Proxy.


How do I use this product?

The SDK is configured to download a local database of malicious IP addresses on a daily basis, with update intervals configurable by the embedded technology partner. The local database is approximately 20-40 MB, with significantly smaller real-time updates. The service is designed to work with public IPs and protect against inbound IP threats, but is not designed to protect against internal or intranet IPs.


How is the data updated and maintained?

Due to the dynamic nature of IP addresses and the threat landscape, we recommend you check for updates every 5 minutes to supplement the base daily file.


What kind of performance can I expect?

The BrightCloud SDK provides a local database to reduce latency by minimizing cloud calls. In addition, we cluster our machines and distribute them regionally so our APIs have minimal latency, and we typically measure responses in low milliseconds (depending on the speed of the internet connection and other environmental factors).


Real-Time Anti-Phishing

What integration options does BrightCloud offer?

The Real-Time Anti-Phishing service is available through a RESTful API service. API calls can be made either synchronously or asynchronously. Synchronous responses are returned when all URLs in the request have been crawled and determined. Asynchronous calls use a ticketing system and return information for URLs that have been crawled and determined at the time of query.


How do I use this product?

We recommend you use the Real-Time Anti-Phishing service through a client application, such as a browser or endpoint, or as a part of a batch process.


How is the data updated and maintained?

The Real-Time Anti-Phishing service provides a determination on a URL at the time of request, so no updates are necessary to use the service.


What kind of performance can I expect?

Because the service relies on information collected from a live crawl of the website, users can expect a delay of a few seconds while the crawler is collecting information on the URL.


Streaming Malware Detection

What integration options does BrightCloud offer?

Streaming Malware Detection is available as a pre-compiled SDK and is compatible with most flavors of Linux.


How do I use this product?

Streaming Malware Detection is typically embedded on a network edge device as part of the first layer of defense. It provides Good, Bad, or Unknown determinations on files in transit, as they stream through the device, without needing to download them fully. Please refer to the documentation before using additional variables.


How is the data updated and maintained?

We recommend downloading the latest machine learning model to the SDK at least once per day to ensure you are protected from the latest threats.


What kind of performance can I expect?

In many cases, the SDK can analyze and make determinations before the file download has completed. Determinations typically take milliseconds, depending on the size of the file and how much of the file is needed to make a determination.


File Reputation

What integration options does BrightCloud offer?

The File Reputation service is available as a RESTful API call and within the BrightCloud Threat Intelligence SDK.


How do I use this product?

The File Reputation service is typically implemented as a real-time tool to detect known good and known bad files. Because there is no local database, all lookups are made using our cloud.


How is the data updated and maintained?

The service is dependent on cloud calls. No updates are required by our embedded security partners.


What kind of performance can I expect?

Depending on network conditions, call speeds are in the milliseconds. The upper limit on this API call is 100 file hashes at a time.


Mobile Security SDK

What integration options does BrightCloud offer?

The Mobile Security SDK is a pre-compiled SDK compatible with Android™ 4.0 (API level 14) and above. It allows a host application to assess and enhance the security of the mobile device, e.g. by detecting and removing known bad files.


How do I use this product?

The SDK is provided as a JAR file that can be embedded in a host application. The JAR file can also be embedded into another Android SDK to give that SDK additional functionality.


How is the data updated and maintained?

We update the SDK periodically to improve protection and ensure compatibility with new operating systems. We recommend partners take advantage of the latest updates whenever possible.


What kind of performance can I expect?

Performance may vary, depending on the implementation of the host app and the device itself. In general, the SDK is extremely lightweight and has a small device footprint.