Security Intelligence Services

Product Description

As security operations mature, they need more data to power their capabilities and to enrich incidents as they arrive. Security Intelligence Services provides direct, high-volume access to RiskIQ data, giving mature customers the ability to use this data to defend programmatically against threats to their environment.

The Security Intelligence Services offering is broken out into a two-tier service model. The first tier, Internet Data, gives organizations high-volume access to the data sets that form the building blocks of the core RiskIQ product offering. These data sets let organizations power their internal security tools and operations, and access to them is based on query volume. The second tier, Attack Analytics Feeds, builds on RiskIQ's ability to enrich these raw data sets with its own internal analytics and provides proactive threat intelligence against evolving threats. This data is delivered in time slices that organizations can pull down and ingest according to their risk tolerance and profile.

Customer Challenges

  • Enabling Operations - Many top-tier security operations groups have built internal systems to process, correlate, and respond to suspicious events within their organizations. These systems need access to reliable, high-scale data sets to power detection, correlation, and enrichment.
  • Event Enrichment - Security teams today are overloaded with alerts from all of their products. It is difficult for them to identify where to focus their efforts and which items to action first.
  • Hunting - As security operations mature, they want to proactively hunt through internal data for suspicious activity. This hunting requires triaging hundreds of thousands of IPs and domains every week, most of which are legitimate.

Internet Data

With thousands of customers and petabytes of Internet data processed daily, RiskIQ is a pioneer in expanding the reach of the security program to prevent attacks. These Internet data sets are now available in raw form so that organizations can power their security operations tools with RiskIQ data.

  • WHOIS - Use registration-based correlation to expand your knowledge of the adversary
    • WHOIS data, the Internet's record of ownership information for a domain, IP address or subnet, gives an organization insight into who is behind an attack campaign. Ownership records help assess the maliciousness of a given domain or IP address. Using domain registration details (registrant name, email address, organization, name servers), an organization can unmask an attacker's infrastructure by linking a suspicious domain to other domains registered with the same or similar information.
  • Passive DNS - Enhance your understanding of an attack with historical resolution data
    • Passive DNS (PDNS) data, a system of record that stores observed DNS resolutions for a given domain or IP address, gives security analysts insight into how the resolutions of a domain name or IP address change over time. RiskIQ's implementation of PDNS enables programmatic links between related domains and IP addresses and, when researching an event, can supply context for an attack or surface additional malicious domains and IP addresses. PDNS helps identify indicators of compromise through correlation of historical resolution lookups, time-based analysis (which names shared an IP address during the same window), and fully qualified domain name lookups.
  • SSL Certificates - Uncover new attack infrastructure using certificate hash and facet overlap
    • Securing user transactions and interactions on the Internet is an essential part of everyday online life. SSL/TLS certificates are files that bind a public key to a set of subject details under an issuer's signature, and they provide much of that security. You may associate certificates only with the small lock in your browser's address bar, but beyond securing your data, certificates are a great way for analysts to connect disparate network infrastructure and track malicious actors: the same certificate fingerprint (hash) observed on a new IP address reveals infrastructure the actor reused, and overlap in facets such as subject, issuer, serial number or validity period links certificates that were issued the same way.
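The three pivots above can be combined into one procedure. The following Python script is an added example, not RiskIQ code and not a client for the Security Intelligence Services API: it runs over constructed WHOIS, passive DNS and certificate records (every name, address, fingerprint and date in it is hypothetical) and shows the two checks a practitioner wants before trusting a pivot, a time-overlap requirement for names that shared an IP address and a cardinality cut-off that discards shared hosting and public certificate issuers as pivot facets.

```python
"""Pivoting from one suspicious domain to related infrastructure using WHOIS,
passive DNS and TLS certificate facets.

Added illustration built on constructed sample records; it is not RiskIQ's
code and does not call the Security Intelligence Services API.
"""
from collections import defaultdict
from datetime import date

# Constructed WHOIS records: domain -> registration facets (hypothetical values)
WHOIS = {
    "bad.example":   {"registrant_email": "ops@attacker.test", "name_server": "ns1.evil-dns.test"},
    "worse.example": {"registrant_email": "ops@attacker.test", "name_server": "ns1.evil-dns.test"},
    "shop.example":  {"registrant_email": "admin@shop.example", "name_server": "ns1.bigdns.test"},
    "old.example":   {"registrant_email": "owner@old.example",  "name_server": "ns1.bigdns.test"},
}

# Constructed passive DNS rows: (name, ip, first_seen, last_seen)
PDNS = [
    ("bad.example",   "203.0.113.10", date(2020, 3, 1),  date(2020, 6, 30)),
    ("worse.example", "203.0.113.10", date(2020, 4, 15), date(2020, 7, 1)),
    ("c2.example",    "203.0.113.10", date(2020, 5, 1),  date(2020, 6, 1)),
    ("old.example",   "203.0.113.10", date(2015, 1, 1),  date(2016, 1, 1)),  # stale tenant of the same IP
    ("bad.example",   "198.51.100.5", date(2020, 1, 1),  date(2020, 2, 1)),
    ("shop.example",  "198.51.100.5", date(2020, 1, 1),  date(2020, 12, 31)),
]
# 198.51.100.5 is shared hosting: many unrelated names resolve there at the same time
PDNS += [(f"tenant{i}.example", "198.51.100.5", date(2020, 1, 1), date(2020, 12, 31))
         for i in range(40)]

# Constructed certificate observations: fingerprint, subject, issuer, IPs serving it
CERTS = [
    {"sha1": "1111aaaa", "subject_cn": "bad.example",   "issuer": "CN=Fake CA",   "ips": {"203.0.113.10", "192.0.2.77"}},
    {"sha1": "2222bbbb", "subject_cn": "panel.example", "issuer": "CN=Fake CA",   "ips": {"192.0.2.78"}},
    {"sha1": "3333cccc", "subject_cn": "shop.example",  "issuer": "CN=Public CA", "ips": {"198.51.100.5"}},
]
CERTS += [{"sha1": f"{i:08x}", "subject_cn": f"tenant{i}.example", "issuer": "CN=Public CA",
           "ips": {"198.51.100.5"}} for i in range(40)]

MAX_NAMES_PER_IP = 10      # more co-hosted names than this => shared hosting, not a pivot
MAX_CERTS_PER_ISSUER = 10  # an issuer on more certs than this => public CA, not a pivot


def whois_pivot(domain, facets=("registrant_email", "name_server")):
    """Domains sharing a registration facet with `domain` -> {domain: {facets}}."""
    rec = WHOIS.get(domain, {})
    related = {}
    for other, orec in WHOIS.items():
        if other == domain:
            continue
        shared = {f for f in facets if rec.get(f) and rec.get(f) == orec.get(f)}
        if shared:
            related[other] = shared
    return related


def pdns_pivot(domain):
    """Names that resolved to the same IP as `domain` while `domain` resolved there.
    Time overlap is required (old tenants of a reused IP are unrelated) and IPs
    with many co-hosted names are skipped as shared hosting."""
    by_ip = defaultdict(list)
    for name, ip, first, last in PDNS:
        by_ip[ip].append((name, first, last))
    related = defaultdict(set)
    for name, ip, first, last in PDNS:
        if name != domain:
            continue
        cohosted = by_ip[ip]
        if len({n for n, _, _ in cohosted}) > MAX_NAMES_PER_IP:
            continue
        for other, ofirst, olast in cohosted:
            if other != domain and first <= olast and ofirst <= last:
                related[other].add(ip)
    return dict(related)


def cert_pivot(domain):
    """(ips, names) for `domain` from certificate data: every IP that served a
    certificate issued to `domain` (hash pivot), plus the subjects and IPs of other
    certificates from the same issuer when that issuer is rare (facet overlap)."""
    issuer_count = defaultdict(int)
    for c in CERTS:
        issuer_count[c["issuer"]] += 1
    ips, names = set(), set()
    for c in (c for c in CERTS if c["subject_cn"] == domain):
        ips |= c["ips"]
        if issuer_count[c["issuer"]] > MAX_CERTS_PER_ISSUER:
            continue
        for o in CERTS:
            if o["subject_cn"] != domain and o["issuer"] == c["issuer"]:
                names.add(o["subject_cn"])
                ips |= o["ips"]
    return ips, names


def pivot(domain):
    """Combine the three pivots into (related_names, related_ips)."""
    ips, names = cert_pivot(domain)
    pdns = pdns_pivot(domain)
    related = set(whois_pivot(domain)) | set(pdns) | names
    related_ips = ips | {ip for s in pdns.values() for ip in s}
    return related, related_ips


if __name__ == "__main__":
    print(pivot("bad.example"))
```

Pivoting from bad.example links worse.example (same registrant and name server), c2.example (co-resolved to 203.0.113.10 during an overlapping window) and panel.example (a certificate from the same private issuer), and surfaces 192.0.2.77 and 192.0.2.78 as addresses that never appear in the seed's passive DNS. old.example is excluded because its use of 203.0.113.10 ended years earlier, and 198.51.100.5 is excluded because 42 names share it. The thresholds are illustrative and would be tuned per data set; a name-server or issuer facet is only as strong as its rarity, which is why whois_pivot("shop.example") still returns old.example on a shared ns1.bigdns.test record that would be worthless at a large DNS provider.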

Attack Analytics Feeds

RiskIQ Attack Analytics, a proprietary RiskIQ data set, is based on malicious observations made in real-time Internet data sets. As attacks evolve and propagate outside your network, RiskIQ behavioral analytics identifies threats and provides customers with filtered lists of known-bad hosts, domains, IPs and URLs.

  • Newly Observed Domains - Identify potentially malicious domains as soon as they first resolve in PDNS (e.g., bad.com)
    • Newly Observed Domains gives customers near real-time intelligence on domains seen for the first time. Because a domain that has just started resolving could be hosting a phishing site, distributing or controlling malware, or posing another threat, organizations can proactively defend against it by blocking newly observed domains for a specified period, set by policy and risk tolerance, after which domains age out of the block.
  • Newly Observed Hosts - Identify potentially malicious hosts (fully qualified names, including new hosts under existing domains) as they appear in our data sets (e.g., super.bad.com)
  • Blacklist - RiskIQ threat intelligence (filtered lists of known-bad hosts, domains, IPs and URLs) to power detection and incident response
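The age-based block described for Newly Observed Domains and Newly Observed Hosts is a small policy engine. The following Python is an added example, not RiskIQ code and not a client for the feeds: it assumes each feed row is a (name, first_seen) pair, which is how the page describes the data but not a format the page specifies, and all names and timestamps in it are constructed. It shows the two details that matter in practice: a later time slice that re-reports a domain must not make it look newer than it is, and a lookup of super.bad.com must be caught by a brand-new bad.com even though the host itself was never reported.

```python
"""Age-based blocking of newly observed domains and hosts.

Added example on constructed feed slices; it is not RiskIQ code and does not
call the Security Intelligence Services API. It assumes each feed row is a
(name, first_seen) pair, which is how the page describes the data but not a
format the page specifies.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ingest(rows, into=None):
    """Merge one time slice into `into`, keeping the earliest first-seen per name,
    so overlapping pulls never make a domain look newer than it is."""
    into = {} if into is None else into
    for name, ts in rows:
        name, t = name.lower().rstrip("."), parse_ts(ts)
        if name not in into or t < into[name]:
            into[name] = t
    return into


# Constructed slices (hypothetical names and timestamps)
NEW_DOMAINS = ingest([
    ("bad.com",                "2024-05-01T10:12:00Z"),
    ("newshop.example",        "2024-04-01T09:00:00Z"),
    ("partner.example",        "2024-05-02T07:00:00Z"),
])
NEW_DOMAINS = ingest([
    ("bad.com",                "2024-05-02T00:00:00Z"),  # re-observed in a later slice
    ("account-verify.example", "2024-05-03T02:40:00Z"),
], NEW_DOMAINS)
NEW_HOSTS = ingest([
    ("super.bad.com",         "2024-05-02T11:00:00Z"),
    ("cdn7.oldbrand.example", "2024-05-04T08:30:00Z"),  # new host under a long-standing domain
])


class NewInfrastructurePolicy:
    """Block names whose parent domain or exact host was first seen recently."""

    def __init__(self, domain_window=timedelta(days=7), host_window=timedelta(days=2), allowlist=()):
        self.domain_window = domain_window
        self.host_window = host_window
        self.allowlist = {a.lower() for a in allowlist}

    @staticmethod
    def suffixes(name):
        """The name and every parent label group, excluding the bare TLD."""
        labels = name.lower().rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels) - 1)]

    def decide(self, name, now):
        """Returns (action, reason) for a lookup of `name` at time `now`."""
        sfx = self.suffixes(name)
        if any(s in self.allowlist for s in sfx):
            return "allow", "allowlisted"
        for s in sfx:  # walk up so super.bad.com is caught by a brand-new bad.com
            if s in NEW_DOMAINS and now - NEW_DOMAINS[s] < self.domain_window:
                return "block", f"domain {s} first seen {NEW_DOMAINS[s]:%Y-%m-%d}"
        host = name.lower().rstrip(".")
        if host in NEW_HOSTS and now - NEW_HOSTS[host] < self.host_window:
            return "block", f"host {host} first seen {NEW_HOSTS[host]:%Y-%m-%d}"
        if any(s in NEW_DOMAINS or s in NEW_HOSTS for s in sfx):
            return "allow", "aged out of the block window"
        return "no-data", "never reported as newly observed in the ingested slices"


if __name__ == "__main__":
    policy = NewInfrastructurePolicy(allowlist=["partner.example"])
    now = parse_ts("2024-05-05T12:00:00Z")
    for n in ["bad.com", "super.bad.com", "account-verify.example", "newshop.example",
              "cdn7.oldbrand.example", "api.partner.example", "www.bigbank.example"]:
        print(n, policy.decide(n, now))
```

The separate host window is deliberate: a new host under a domain that has resolved for years (cdn7.oldbrand.example in the sample) is a weaker signal than a new registered domain, so it gets a shorter block. The allowlist is checked first so that a partner's newly registered domain is never blocked by the feed, and names that no slice ever reported return no-data rather than allow, since the feed only says which names are new, not which are old.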


Key Benefits

  • Access to three major raw data sets (passive DNS, WHOIS, SSL certificates) through a single set of APIs
  • Security Intelligence Services (SIS) gives organizations high-volume API access to data; the API endpoints can handle 100K to 1M queries per day
  • Enrichment data based on RiskIQ machine learning and analytics