Threat Intelligence service overview of Infoblox ActiveTrust
Expert Ed Tittel looks at the features and capabilities of the Infoblox ActiveTrust threat intelligence service for providing data on the top IT threats to organizations.
Infoblox ActiveTrust is a threat intelligence service that pulls threat data from a variety of vetted sources -- law enforcement, internet infrastructure providers, open source providers and security companies that gather their own intelligence. The Infoblox threat intelligence team uses the ActiveTrust platform to validate, analyze, filter and categorize its big data analytics to provide structure, standardization and context.
ActiveTrust also includes Infoblox DNS Firewall, Infoblox Threat Intelligence Data Exchange (TIDE) and Infoblox Dossier. DNS Firewall is a virtual firewall appliance; TIDE is the component that actually gathers threat intelligence data from within an organization, as well as from third parties; and Dossier is a threat indicator investigation tool that enables the user to analyze and prioritize threats.
ActiveTrust Cloud delivers intelligence as a service. Because the service is easy to set up, accessible from anywhere over the internet and enables customers to scale up or down, it's ideal for smaller organizations, or even remote or branch offices.
The Infoblox intelligence team normalizes and enhances machine-readable threat intelligence data through TIDE. Customers can access data feeds by downloading them from ActiveTrust using an API. Data feeds come in JSON, STIX, CSV, CEF and RPZ format. The data is fed directly to the DNS Firewall, or into a customer's security information and event management (SIEM) system, firewall, intrusion detection system (IDS) or intrusion prevention system (IPS), or an application.
The ActiveTrust threat intelligence management system also provides analysis and collaboration tools to customers.
The ActiveTrust threat intelligence service is used for two primary use cases.
- It works on the front line to block malicious traffic moving in and out of a network.
- It is used during the investigation of a security incident or breach. The service can help determine what factors, which weren't apparent before the incident, may have contributed to the breach.
Data feeds
Infoblox offers three core ActiveTrust data feeds via Infoblox TIDE: host names, IP addresses and URLs. The company also offers reputation data sets that can be applied to the Infoblox DNS Firewall zone policy. Customers can choose from three different Infoblox ActiveTrust bundles.
- ActiveTrust Standard: Includes a basic threat data set for the Infoblox DNS Firewall.
- ActiveTrust Plus: Includes an expanded data set, as well as data from SURBL, an Infoblox partner. Customers may choose one of the data feeds (host names, IP addresses or URLs).
- ActiveTrust Advanced: Includes all data sets and all feeds included in ActiveTrust Standard and ActiveTrust Plus.
Typical customer size
Infoblox customers tend to be larger organizations with well-developed security programs, in-house security staff (including one or more analysts) and perhaps an internal security center. These customers have systems that are ready for data digestion, such as SIEM, IDS or IPS, which incorporate ActiveTrust data.
Pricing and licensing
Infoblox sells ActiveTrust as an annual subscription. The ActiveTrust Standard subscription is based on the virtual appliance model, and the ActiveTrust Plus and Advanced subscriptions are based on the number of protected users in an organization. Infoblox data via TIDE is not available with a Standard subscription. The Plus subscription allows customers to choose one of the available data feeds, and all three feeds are included in the Advanced subscription. Specific pricing information is available from a sales representative or a reseller.
Support
Infoblox customer support is available 24/7 year-round to address questions, assist in takedowns of identified criminal websites and perform mitigation.