Today, cybercriminals have an immense number of exploits and attack vectors available to them, and they use numerous techniques to hide their identities and activities, such as encrypted communications, DNS cache poisoning, URL redirection, hyperlink obfuscation, etc. However, every packet on the internet has a source IP address and a destination IP address, so disabling inbound and outbound communications to and from IPs known to be malicious is highly effective. But how does one know which IPs to block? How can administrators differentiate between an employee chatting online with an associate in Eastern Europe and an attack on the corporate network?
BrightCloud IP Reputation Service for Splunk, from the BrightCloud for SIEM solution family, allows enterprise customers to easily integrate BrightCloud IP threat intelligence into their Splunk environment with a continuously updated feed of malicious IP addresses. This allows Splunk to correlate the malicious IP addresses with other data coming into Splunk, detect malicious IP threats, and alert the security team before those threats lead to incidents and breaches.
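The correlation described above, as an added illustration rather than code from BrightCloud or the Splunk app: a reputation feed of IPs and CIDR ranges is loaded, each firewall log line's source and destination are looked up against it, and a hit is tagged inbound or outbound. The feed layout, the log format and all addresses are constructed assumptions; the real BrightCloud feed format is not shown on this page.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample feed: 'ip_or_cidr,verdict,category' rows (assumed layout).
SAMPLE_FEED = """\
198.51.100.23,malicious,botnet_cc
203.0.113.0/24,malicious,scanner
192.0.2.77,suspicious,spam
"""

# Constructed firewall-style events with source and destination addresses.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z action=allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:02Z action=allow src=203.0.113.9 dst=10.0.0.8 dport=22",
    "2024-05-01T10:00:03Z action=allow src=10.0.0.5 dst=93.184.216.34 dport=80",
]

FeedEntry = Tuple[ipaddress.IPv4Network, str, str]

def load_feed(text: str) -> List[FeedEntry]:
    """Parse feed rows into (network, verdict, category); single IPs become /32 networks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        net, verdict, category = line.split(",")
        entries.append((ipaddress.ip_network(net, strict=False), verdict, category))
    return entries

def lookup(ip: str, feed: List[FeedEntry]) -> Optional[Tuple[str, str]]:
    """Return (verdict, category) for the first feed entry containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, verdict, category in feed:
        if addr in net:
            return verdict, category
    return None

_KV = re.compile(r"(\w+)=(\S+)")  # key=value fields in a log line

def correlate(log_lines: List[str], feed: List[FeedEntry]) -> List[dict]:
    """Emit one alert per src/dst that matches the feed; dst hits are outbound, src hits inbound."""
    alerts = []
    for line in log_lines:
        fields = dict(_KV.findall(line))
        for role in ("src", "dst"):
            hit = lookup(fields[role], feed)
            if hit:
                alerts.append({"line": line, "ip": fields[role],
                               "direction": "outbound" if role == "dst" else "inbound",
                               "verdict": hit[0], "category": hit[1]})
    return alerts
```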
To keep the list of 12 million malicious IPs updated and accurate, Webroot uses a prosecution methodology:
Customers can either have the Splunk for BrightCloud App pull IP Reputation data directly from BrightCloud or use the BrightCloud Connector for Splunk to add IP Reputation to their Splunk environment. The BrightCloud Connector is a virtual appliance that can be easily deployed in a VMware virtual environment.