Adding BrightCloud features and functionality to a security, network, or other solution adds significant value without forcing the partner to build a new technology/core competency or make a large investment in integration development. BrightCloud Threat Intelligence services are designed to give embedded security partners:
Because the cloud-based model scales across all types of devices, from smallest to largest, remote offices to enterprise data centers, BrightCloud Threat Intelligence services are flexible enough to address virtually any class of customer need.
BrightCloud Threat Intelligence is derived from the Webroot® Threat Intelligence Platform, which takes in data from millions of sources, including real-world endpoints and our embedded security partners. Select data points are correlated across URLs, IP addresses, files, and mobile apps to enable predictive determinations on where threats may emerge, based on a guilt-by-association model.
Our partners have the freedom to integrate BrightCloud Threat Intelligence services in the manner that makes the most sense for them. We provide flexible pricing models to suit partners’ business needs. Contact us for further information.
Adding BrightCloud features and functionality to an existing solution brings a variety of benefits:
You can integrate BrightCloud services across quick and lightweight development cycles, where typical development times range from one to four developer/QA months combined, depending on the complexity of the policy engine, reporting infrastructure, and management console with which the services are integrated. Reference platforms are available as development guides, as are performance metrics and testing services.
Webroot will occasionally release new versions containing the latest product features and enhancements to the BrightCloud Threat Intelligence SDK and Streaming Malware Detection SDK. Although older SDK versions will continue to be supported, we recommend customers update to the latest versions whenever possible to ensure optimal functionality. Furthermore, updates to the Streaming Malware Detection SDK may require additional system resources.
Technical documentation for SDK usage, including example requests and expected responses, is available to our embedded security partners. Contact us for more information.
The BrightCloud Web Classification and Web Reputation services are available through a RESTful API service and through the BrightCloud Threat Intelligence SDK. We recommend your integration combine a daily database download with cloud calls for URLs not found in the local database. In addition, customers can download real-time updates to the local database and build a dynamic local cache to resolve the majority of URL lookups locally.
The SDK can be configured and modified on the client's end to suit a number of integrations. We provide local database options, ranging from 17-430 MB in size, depending on the desired configuration, with additional storage capacity during daily update windows (generally less than 1 MB per update).
Full updates for the databases are published once per day and contain the latest categorization information for all URLs in the database. We recommend customers download real-time updates, which are published every 5 minutes, to stay up-to-date on the latest categorization and reputation changes.
Network latency is affected by a variety of factors, including bandwidth, congestion, and hardware resources. However, BrightCloud requests only extends the time it takes to fully load a web page by a nominal 5-10%, which is virtually unnoticeable to end users. In addition, using the local database and caching further reduces the amount of time to resolve a request to microseconds.
The IP Reputation service is available for through a RESTful API service and the BrightCloud Threat Intelligence SDK. Our recommended integration includes a daily download of a dynamic list of blacklisted IPs, with API calls for additional contextual intelligence, such as geo data and threat history. IP threat categories include Spam Sources, Windows Exploits, Web Attacks, BotNets, Scanners, Denial of Service, Reputation, Phishing, Proxy, Mobile Threats, and TOR Proxy.
The SDK is configured to download a local database of malicious IP addresses on a daily basis, with update intervals configurable by the embedded technology partner. The local database is ±20-40MB, with significantly smaller real-time updates. The service is designed to work with Public IPs and protect against inbound IP threats, but is not designed to protect against internal or intranet IPs.
Due to the dynamic nature of IP addresses and the threat landscape, we recommend you check for updates every 5 minutes to supplement the base daily file.
The BrightCloud SDK provides a local database to reduce latency by minimizing cloud calls. In addition, we cluster our machines and distribute them regionally so our APIs have minimal latency, and we typically measure responses in low milliseconds (depending the speed of the internet connection and other environmental factors).
The Real-Time Anti-Phishing service is available through a RESTful API service. API calls can be made both synchronously or asynchronously. Synchronous responses will be returned when all URLs in the request have been crawled and determined. Asynchronous calls use a ticketing system and return information for URLs that have been crawled and determined at the time of query.
We recommend you use the Real-Time Anti-Phishing service through a client application, such as a browser or endpoint, or as a part of a batch process.
The Real-Time Anti-Phishing service provides a determination on a URL at the time of request, so no updates are necessary to use the service.
Because the service relies on information collected from a live crawl of the website, users can expect a few seconds delay during the time when the crawler is collecting information on the URL.
Streaming Malware Detection is available as a pre-compiled SDK and is compatible with most flavors of Linux.
Streaming Malware Detection is typically embedded on a network edge device as part of the first layer of defense. It provides Good, Bad, or Unknown determinations on files in transit, as they stream through the device, without needing to download them fully. Please refer to the documentation before using additional variables.
We recommend downloading the latest machine learning model to the SDK at least once per day to ensure you are protected from the latest threats.
In many cases, the SDK can analyze and make determinations before the file download has completed. Determinations typically take milliseconds, depending on the size of the file and how much of the file is needed to make a determination.
The File Reputation service is available as a RESTful API call and within the BrightCloud Threat Intelligence SDK.
The File Reputation service is typically implemented as a real-time tool to detect known good and known bad files. Because there is no local database, all lookups are made using our cloud.
Service is dependent on cloud calls. No updates are required by our embedded security partners.
Depending on network conditions, call speeds are in the milliseconds. The upper limit on this API call is 100 file hashes at a time.
The Mobile Security SDK is a pre-compiled SDK compatible with Android™ 4.0 (API level 14) and above. It allows a host application to assess and enhance the security of the mobile device, e.g. by detecting and removing known bad files.
Webroot provides the SDK as a JAR file that can be embedded in a host application. The JAR file can also be embedded into another Android SDK to give that SDK additional functionality.
We update the SDK periodically to improve protection and ensure compatibility with new operating systems. We recommend partners take advantage of the latest updates whenever possible.
Performance may vary, depending on the implementation of the host app and the device itself. In general, the SDK is extremely lightweight and has a small device footprint.