Neustar's Real-Time Threat Service Uses AI to Identify Risks

Neustar's UltraThreat Feeds service provides customers with access to real-time threat data to help them identify and block malicious traffic.

Karen D. Schwartz, Contributor

January 17, 2020


Neustar, an information services company with a focus on identity, this week announced a new service it says will harden a company's attack surface against emerging threats.

The UltraThreat Feeds service combines Neustar's own proprietary data, derived from its Security Portfolio & OneID identity resolution platform, with data from the hundreds of billions of Domain Name System (DNS) requests and responses that its 30 globally distributed nodes handle every day. All of that data passes through Neustar's 11-terabit-per-second distributed denial-of-service (DDoS) mitigation network.

The goal, said Neustar Security CTO Rodney Joffe, is to give the company's customers access to real-time threat data that helps them identify cyberthreats as those threats evolve at the network and application layers. More specifically, the service is meant to let customers identify and block malicious traffic in both directions, inbound and outbound, including suspicious DNS tunneling attempts; domains produced by malicious domain generation algorithms (DGAs); newly observed, newly published or recently deactivated domains; domain updates; and anonymous proxies.

"Traditional malware researchers rely on having to capture malware, detonate it successfully in a sandbox, successfully decrypt and disassemble it, successfully identify the algorithm, generate the domains and feed them to some kind of device to filter with. This takes hours," Joffe said.

Instead, Neustar applies a proprietary set of artificial intelligence and machine learning techniques to its multiyear historical database of DNS queries and answers to identify suspicious patterns of behavior. Once a pattern is identified, the domains involved can be blocked long before the malware itself has been identified, he added.

Michael Kaczmarek, Neustar's vice president for products, said the real-time threat service aims to improve monitoring and alerting by delivering more true positives and reducing the time security teams spend researching false positives. The UltraThreat Feeds service also helps users limit the dwell time of intrusions, reducing mean time to detection (MTTD) and mean time to remediation (MTTR) over time, he said.

Access to this type of contextualized, actionable intelligence can help organizations identify indicators of compromise or malicious activity more quickly and stop attackers before they cross the company's network boundary. For example, if the real-time threat service reports that a certain domain is a spam domain, that domain can be blocked.

It can also help protect against domains that have been hijacked, and it can identify proxies that may be hiding a client's true IP address and geolocation for malicious purposes.

"If you run a streaming service and a connection comes into you through an anonymous but legitimate looking proxy, that could be someone illegally rebroadcasting your content," Kaczmarek said.

The service also supports forensic and threat-hunting work, such as mapping the links between domains and hosts to determine the scope of an intrusion and identifying which internal clients requested DNS responses for suspicious domains.
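As an added example, not Neustar's code and not the UltraThreat Feeds data format, the script below does the kind of hunt just described and the DNS tunneling/DGA spotting mentioned earlier: it matches DNS query logs against a domain threat feed to find which clients queried flagged domains (including subdomains of a flagged domain), and it applies a simple label-length/entropy heuristic to catch tunneling- or DGA-like names that no feed has seen yet. The feed entries, the log lines, the thresholds and the "registered domain is the last two labels" approximation are all constructed assumptions; the heuristic stands in for Neustar's proprietary model, which the article does not describe.

```python
"""Added example: hunt DNS query logs with a domain feed plus a DGA/tunneling
heuristic. Not Neustar's code; feed, logs and thresholds are constructed."""
import math
from collections import Counter, defaultdict

# Constructed threat feed (assumption: a plain domain -> category mapping).
THREAT_FEED = {
    "login-update-secure.example": "spam",
    "cdn-assets.example": "newly_observed",
}

# Constructed DNS query log, one "timestamp client qname qtype" per line.
SAMPLE_LOG = """\
2020-01-17T10:00:01Z 10.0.0.5 www.itprotoday.example A
2020-01-17T10:00:02Z 10.0.0.5 login-update-secure.example A
2020-01-17T10:00:03Z 10.0.0.9 4a7f9c2e1b.cdn-assets.example A
2020-01-17T10:00:04Z 10.0.0.9 aGVsbG8gd29ybGQ.x9q1p2z8k3v7w5m0.tunnel.example TXT
2020-01-17T10:00:05Z 10.0.0.12 mail.example MX
"""

LONG_LABEL = 16          # assumption: a single label this long is suspicious by itself
ENTROPY_MIN_LEN = 12     # assumption: only score entropy on labels at least this long
ENTROPY_THRESHOLD = 3.5  # assumption: bits/char above which a label looks random


def parse_log(text):
    """Parse the constructed log lines; qnames are normalized to lowercase, no trailing dot."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype})
    return records


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def feed_match(qname, feed=THREAT_FEED):
    """Return (feed_domain, category) if qname or any parent domain is in the feed, else None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None


def looks_like_dga_or_tunnel(qname):
    """Heuristic stand-in for a DGA/tunneling classifier: flag host labels that are
    very long or random-looking. The registered domain is approximated as the last
    two labels (assumption); production code should use the public suffix list."""
    host_labels = qname.split(".")[:-2]
    for label in host_labels:
        if len(label) >= LONG_LABEL:
            return True
        if len(label) >= ENTROPY_MIN_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            return True
    return False


def hunt(log_text, feed=THREAT_FEED):
    """Return findings as (client, qname, reason) tuples in log order.
    A feed hit takes precedence over the heuristic so the reason is the stronger one."""
    findings = []
    for rec in parse_log(log_text):
        hit = feed_match(rec["qname"], feed)
        if hit:
            findings.append((rec["client"], rec["qname"], "feed:" + hit[1]))
        elif looks_like_dga_or_tunnel(rec["qname"]):
            findings.append((rec["client"], rec["qname"], "dga_or_tunnel"))
    return findings


def clients_by_finding(findings):
    """Group flagged qnames per client, which is the scoping view an investigator wants."""
    by_client = defaultdict(list)
    for client, qname, reason in findings:
        by_client[client].append((qname, reason))
    return dict(by_client)


if __name__ == "__main__":
    for client, hits in clients_by_finding(hunt(SAMPLE_LOG)).items():
        print(client)
        for qname, reason in hits:
            print("   ", reason, qname)
```

Run against the constructed log, the script attributes the spam-domain lookup to 10.0.0.5 and both the newly observed subdomain and the tunnel-like TXT query to 10.0.0.9, while the ordinary web and mail lookups produce nothing. The feed match walks parent domains so a feed entry for cdn-assets.example also catches 4a7f9c2e1b.cdn-assets.example; the entropy thresholds are deliberately conservative and would need tuning against a site's own DNS baseline before being used for blocking rather than hunting.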

About the Author

Karen D. Schwartz

Contributor

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.

https://www.linkedin.com/in/karen-d-schwartz-64628a4/
