Startup ipTrust will let businesses avoid botnets and infected machines by revealing which IP addresses are linked to botnets, malware and other Web threats.
Endgame Systems launched iPTrust, a cloud-based botnet and
malware detection service that collects and distills security data into a
reputation engine, the company said on Oct. 28. The ipTrust service provides
useful information that identifies which system on an organization's network
has been compromised by a botnet, the company said.
An enterprise is often the last one to know that its
systems have been compromised
. Until they figure it out, they are inadvertently
distributing even more malware to other unsuspecting organizations.
The ipTrust services gives organizations "useful and
actionable" information they can use to keep their networks secure, said Dan
, chief operating office of Endgame Systems to eWEEK.
"With the events data, we know the exact IP address that was compromised, what it did and
when it occurred," said Ingevaldson.
With this information in hand, ipTrust identifies and
over the Internet without relying on any internal network data.
There is no software or hardware for anyone to install; ipTrust's Web-based
technology monitors public IP addresses and stores all security-related event
data, according to Ingevaldson.
More than 280,000 organizations and more than 250 million IP
addresses have been infected with botnets
, worms, viruses and other malware
threats, many of which are designed to access networks and harvest private
data, said ipTrust. ipTrust monitors all the traffic on public IP addresses and
stores the information in its database.
Customers have access to the "hundreds of terabytes" of
event data, and can determine if their systems, or partner and customer
networks it comes in contact with, have been infected and unwittingly carrying
out other attacks, said Ingevaldson.
The botnet and malware detection service harvests,
analyzes and classifies malware and botnet samples
into an ipTrust Reputation
Engine, said Ingevaldson.
According to Ingevaldson, ipTrust will offer two products
to take advantage of all that stored data: ipTrust Web and ipTrust
Professional. Currently in beta and free for the time being, ipTrust Web
remotely monitors the customer network and sends a notification if and when it
has been compromised. Although currently not available, ipTrust Professional
will include an API that will allow customers to access the security events
stored in the ipTrust Reputation Engine.
"ipTrust is not in the business of making desktop
security software," Ingevaldson said. Instead, organizations can take the
"continuous actionable information" from ipTrust and relay it to their own
security products, whether they are custom systems or from third-party vendors,
to take the appropriate action to fix the problem.
A cloud-based infection notification service operating
entirely outside the organization's network, ipTrust Web provides customers
with 24/7 monitoring and notification of malicious activity originating from a
company's network, said Ingevaldson. The customer provides ipTrust with the
range of its public IP addresses when signing up. Then ipTrust continuously
monitors its events data to see if those IP addresses ever show up. If there is
a match, the service knows a system within the network has been compromised and
immediately notifies the customer, he said.
Since the customer is notified as soon as the infected
system starts sending out malware, it can take steps to shut down the offending
machine immediately, thus minimizing the potential for damage, said Ingevaldson.
To determine the "trustworthiness" of an address from a
computer accessing the network, ipTrust Professional checks to see whether or
not the address belongs to a client, according to Ingevaldson.
It's not just IP-address monitoring, as ipTrust also
takes into account specific behaviors and when they occurred as part of its
confidence score calculations. A machine that connected to a known botnet
server this week will have a worse confidence score, indicating it is a threat,
compared to a machine that connected a year ago and never again, said
ipTrust provides easy to read reports that provide an
efficient view into the threats emanating from the network and the IP addresses
likely hosting those threats, said Ingevaldson.
According to Ingevaldson, ipTrust's data is entirely
available via a Web-based API. IT managers can tap into the Engine and
integrate the data with the organization's applications, such as checking an IP
address trying to access the VPN against the ipTrust engine before allowing
access to the network, said Ingevaldson.
The events data in ipTrust's database was compiled from
monitoring academic networks, by setting up honeypots
and sinkholes to gather
data about malicious networks, and from vendors that gather security data, said