Endgame Systems Launches ipTrust Reputation Service to Fight Botnets

Endgame Systems launched iPTrust, a cloud-based botnet and malware detection service that collects and distills security data into a reputation engine, the company said on Oct. 28. The ipTrust service provides useful information that identifies which system on an organization’s network has been compromised by a botnet, the company said.

An enterprise is often the last one to know that its systems have been compromised. Until they figure it out, they are inadvertently distributing even more malware to other unsuspecting organizations.

The ipTrust services gives organizations "useful and actionable" information they can use to keep their networks secure, said Dan Ingevaldson, chief operating office of Endgame Systems to eWEEK.

"With the events data, we know the exact IP address that was compromised, what it did and when it occurred," said Ingevaldson.

With this information in hand, ipTrust identifies and track botnets over the Internet without relying on any internal network data. There is no software or hardware for anyone to install; ipTrust’s Web-based technology monitors public IP addresses and stores all security-related event data, according to Ingevaldson.

More than 280,000 organizations and more than 250 million IP addresses have been infected with botnets, worms, viruses and other malware threats, many of which are designed to access networks and harvest private data, said ipTrust. ipTrust monitors all the traffic on public IP addresses and stores the information in its database.

Customers have access to the "hundreds of terabytes" of event data, and can determine if their systems, or partner and customer networks it comes in contact with, have been infected and unwittingly carrying out other attacks, said Ingevaldson.

The botnet and malware detection service harvests, analyzes and classifies malware and botnet samples into an ipTrust Reputation Engine, said Ingevaldson.

According to Ingevaldson, ipTrust will offer two products to take advantage of all that stored data: ipTrust Web and ipTrust Professional. Currently in beta and free for the time being, ipTrust Web remotely monitors the customer network and sends a notification if and when it has been compromised. Although currently not available, ipTrust Professional will include an API that will allow customers to access the security events stored in the ipTrust Reputation Engine.

"ipTrust is not in the business of making desktop security software," Ingevaldson said. Instead, organizations can take the "continuous actionable information" from ipTrust and relay it to their own security products, whether they are custom systems or from third-party vendors, to take the appropriate action to fix the problem.

A cloud-based infection notification service operating entirely outside the organization’s network, ipTrust Web provides customers with 24/7 monitoring and notification of malicious activity originating from a company’s network, said Ingevaldson. The customer provides ipTrust with the range of its public IP addresses when signing up. Then ipTrust continuously monitors its events data to see if those IP addresses ever show up. If there is a match, the service knows a system within the network has been compromised and immediately notifies the customer, he said.

Since the customer is notified as soon as the infected system starts sending out malware, it can take steps to shut down the offending machine immediately, thus minimizing the potential for damage, said Ingevaldson.

To determine the "trustworthiness" of an address from a computer accessing the network, ipTrust Professional checks to see whether or not the address belongs to a client, according to Ingevaldson.

It’s not just IP-address monitoring, as ipTrust also takes into account specific behaviors and when they occurred as part of its confidence score calculations. A machine that connected to a known botnet server this week will have a worse confidence score, indicating it is a threat, compared to a machine that connected a year ago and never again, said Ingevaldson.

ipTrust provides easy to read reports that provide an efficient view into the threats emanating from the network and the IP addresses likely hosting those threats, said Ingevaldson.

According to Ingevaldson, ipTrust’s data is entirely available via a Web-based API. IT managers can tap into the Engine and integrate the data with the organization’s applications, such as checking an IP address trying to access the VPN against the ipTrust engine before allowing access to the network, said Ingevaldson.

The events data in ipTrust’s database was compiled from monitoring academic networks, by setting up honeypots and sinkholes to gather data about malicious networks, and from vendors that gather security data, said Ingevaldson.