I spoke with Todd Weller, Chief Strategy Officer at Bandura Cyber at RSA 2019. Bandura is in the category defined by Gartner as “Threat Intelligence Gateways.” This class of cybersecurity product is a network security solution purpose built to filter traffic. A Threat Intel Gateway like Bandura helps organizations filter out malicious traffic by blocking millions of suspicious IP addresses and blocking them.
Like so many innovative countermeasures, Bandura got its start in the American national security sector. The company is based on Maryland, where it built itself up over five years doing work with the DoD and US Army. Their projects in that environment involved learning how to turn large numbers of IP address on and off for DoD workers and contractors. This led to the development of a scalable, automated filtering engine for IP addresses, which Bandura is now commercializing.
Bandura has expanded the use case of its Threat Intel Gateway. It can now do geo IP filtering, which involves learning where an IP address is (really) located. This is a huge challenge today, as many cyber criminals and nation state actors obscure their actual location with proxies. “There’s a lot of geographic misdirection with IP addresses, as we well know,” Weller shared. “The question, though, is how to mitigate the risk and determine when someone has commandeered infrastructure in another location, as North Korea allegedly does with IT assets in places like Singapore.”
A well-informed Threat Intel Gateway can keep track of who is really who, and where they really are located. To achieve this, Bandura federates and integrates with many third parties, including ISACs. It also pulls in threat intel from commercial threat intelligence solutions like Webroot.
Functionally, Bandura is a layer 2 device. It sits on the network in front of the firewall. This architecture means no changes to routers or firewalls. It makes allow/deny decisions based on a presence, blacklists, reputation and risk scores. “People want to know why the firewall isn’t doing this,” Weller said. “It’s a matter of scale. Even a big firewall can only handle about 300,000 third party IP addresses. The problem is that the threat landscape offers up suspicious IPs by the million…”
“People want to know why the firewall isn’t doing this,” Weller said. “It’s a matter of scale. Even a big firewall can only handle about 300,000 third party IP addresses. The problem is that the threat landscape offers up suspicious IPs by the million…”
Weller emphasized what he referred to as the “Four A’s” of Threat Intel Gateways. A is for “Access” to threat intel. “You have to have access to the widest, deepest pools of threat intel, no matter where they come from,” Weller noted. “A” is for “Aggregate,” as in, one must aggregate threat intel if that isn’t already happening in a SIEM solution. “A” is for “Automate.” Finally, “A” is for “Act.”
“This may seem obvious, but you have to take action when you detect a malicious IP address,” Weller added. “It is obvious, but turning awareness into action can be challenging. That’s why a turn-key Threat Intel Gateway can help you stay secure. It enables you to take action in blocking IP addresses without a lot of overhead and staff resources.”