The Benefits of ThreatSTOP

ThreatSTOP provides many technology and business benefits to its customers. Call us today and learn how ThreatSTOP can benefit your company. Call (760) 683-8121 or email sales [at] threatstop [dot] com


1. "Call Homes" to Botnets Blocked

Firewalls using ThreatSTOP block all traffic to and from the IP addresses on its threat list, which are known perpetrators of botnet and criminal malware activity. However, the biggest benefit it delivers—and the biggest problem it solves—is the outbound “call home” problem. Botnets need to communicate with their command and control hosts (C&C hosts) outside your network in order to carry out their mission. Once they succeed in connecting to those hosts, data exfiltration is near certain.

Furthermore, given that firewalls and other security devices cannot inspect, let alone block, SSL or encrypted traffic (lest they break the security model), cybercriminals naturally exploit that huge hole by burying their purloined payload in SSL traffic, which goes right through your firewalls. ThreatSTOP plugs this hole in your firewall because it inspects not the content of the traffic but the destination IP of the outbound traffic. Any attempted connection to an IP address on its threat list is blocked, regardless of the protocol, application or content.

2. Prevent 0-Day Attacks

Because ThreatSTOP does not depend on attack signatures, it can detect a new attack from an IP address much faster and thus better protect you against 0-day attacks. The signature approach requires a lengthy cycle of analysis, patch and signature development, update and deployment to mitigate the latest attack. From discovery of a new attack, to an alert, to updating signatures, to writing a patch, to having the IT staff implement it may take days, weeks and often months, which is far too slow. In sharp contrast, once ThreatSTOP detects and confirms that a new IP (either a brand new bad IP or, more typically, a dormant IP that has been activated) is acting badly and warrants blocking, it is sent to your firewall at the next update cycle, and your network is immediately protected both inbound and outbound against that IP address. ThreatSTOP provides additional protection because criminals regularly reuse IP addresses for different attacks – indeed many bot herders rent their botnets out to other crooks for new attacks – so an address that appeared on our list last week as a C&C host may be a malware dropper this week and a spammer next week. Since ThreatSTOP has no interest in the application, the address is blocked even though it may be used in different sorts of attack, each of which would require a different signature, and often one that had not yet been developed.

3. Improve Network Performance and Reduce Bandwidth Utilization

Due to the much simpler and more efficient way a firewall using ThreatSTOP filters bad traffic than the current approach of deep packet inspection, load on the network servers and security infrastructure is reduced, and bandwidth used more efficiently. In short: “goodput” improves as the resources wasted by malware are freed up.

To understand this, consider the difference between filtering by matching on the IP address, which sits in the first part of the first packet of every connection, and filtering on content, which for most connections only arrives in packets after the second packet received.

For every incoming packet, a firewall using ThreatSTOP looks at only the source address, which requires only 64 bytes on the wire to do. If an address is on the list, reject; if not, accept. In contrast, other security devices use 800-4,000 bytes, and in almost all cases, at least 3 packets, to inspect the content of each message before determining to accept or reject it. The result: using ThreatSTOP requires less than 10% of the data deep packet inspection requires to make a decision—a huge gain. Given that a meaningful amount of network traffic is junk of all kinds (spam, bot recons, worms and other garbage), this efficiency advantage cascades throughout the network and adds up to on average 10-25% savings in capacity needed. This translates DIRECTLY to savings in operational and capital costs for every ThreatSTOP user.

As the following graph of SMTP traffic to a 55,000-student community college shows, its email system without ThreatSTOP experienced traffic spikes of 4X baseline, which completely filled the 100 Mbps pipe and swamped the servers, resulting in denial of service. With ThreatSTOP turned on, traffic went back to a steady-state and much more manageable 19.5 Mbps.

4. "Make Your Network Disappear", Reduce Spam and Risk of Attack

When a firewall using ThreatSTOP sees an incoming packet from a bad IP address, it rejects it immediately. It doesn’t even acknowledge the first SYN packet. This has the effect of telling the sender that “there is no one here” or “this is the wrong address”. After a few tries, your network effectively “disappears” from the Internet from the cybercriminals’ perspective, and they will move on to try their luck elsewhere. We call this our “Cloak of Invisibility”.

The problem with many current solutions, such as DNSBL-based spam filtering and web application firewalls, is that they must first allow a connection that they will later reject, thereby letting the attacker know there is a server there. When they reject suspicious traffic, they send an acknowledgement back to the sender which not only confirms that your network exists, but often contains the reasons for the rejection and the identity of the filter responsible for it. This tells the attacker which system has “made” them, and is an open invitation to the criminals to try their whole repertoire of exploits and available IPs to get into your network, in the hope that at least one of them won’t be on the list, or you won’t have a signature for it. By contrast, a ThreatSTOP user sees none of this brute forcing, because it has become invisible to the “recon” bot, and so the botnet looks for easier targets.

As a result of this benefit, some ThreatSTOP customers have seen a 75% reduction in the amount of spam and virus traffic in their network, which further reduces network and server capacity needed. ThreatSTOP reduces the risk of attack by inviting fewer attacks in the first place when your network is invisible to attackers.

5. Improve IT/Security Productivity Through Automation

ThreatSTOP solves one of the biggest challenges to an effective IP Reputation service: how to update the list and get it to the device and people who need it? Without continuous updates or an automated method to distribute them, the service will. ThreatSTOP solved this problem through its patent-pending distribution method via DNS. This relieves the tedious and inefficient need to manually update the lists, make sure they are properly correlated, deduped so there are no false positives, write scripts or code for specific devices to enforce them etc. Instead, IT admins and security professionals can spend their time doing higher-value work.
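The three mechanisms described above (blocking a listed address in both directions regardless of protocol in benefit 1, silently dropping rather than answering in benefit 4, and regenerating the device rules from an updated list in benefit 5) can be shown together in one small script. This is an added example, not ThreatSTOP's code: the feed text is a constructed sample using documentation address ranges, the nftables table and set names (`reputation`, `list4`, `list6`) are this example's own choice, and the only assumption is a Linux firewall host that accepts a ruleset via `nft -f`.

```python
"""Turn an IP-reputation feed into a silently-dropping nftables ruleset.

Added example, not ThreatSTOP's code. The feed text below is constructed
inline; in a real deployment it would be fetched on a schedule and the
ruleset regenerated at every update cycle.
"""
import ipaddress

# Constructed sample feed (documentation-range addresses, not real indicators).
SAMPLE_FEED = """\
# constructed sample, not real threat data
192.0.2.10            # C&C host
198.51.100.0/24       # dropper range
203.0.113.7           # spam source
203.0.113.7           # duplicate: must be deduplicated
not-an-ip             # junk line: must be skipped, not abort the update
2001:db8::bad         # IPv6 entry
"""


def parse_feed(text):
    """Return sorted, deduplicated networks from a feed.

    One malformed line must not abort the whole update; otherwise a single
    bad entry would leave the firewall running a stale list.
    """
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip junk, keep the rest of the list
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def is_listed(nets, addr):
    """The per-packet decision: is this source or destination on the list?"""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def nft_ruleset(nets, table="reputation"):
    """Emit nftables text that drops (never rejects) listed traffic both ways.

    Inbound: a plain drop, so no SYN-ACK, RST or ICMP error goes back and the
    sender learns nothing (the "cloak" behaviour).
    Outbound: drop plus a log line, so the internal host that tried to call
    home can be found and remediated.
    """
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    out = [f"table inet {table} {{"]
    if v4:
        out.append(f"  set list4 {{ type ipv4_addr; flags interval; elements = {{ {', '.join(v4)} }} }}")
    if v6:
        out.append(f"  set list6 {{ type ipv6_addr; flags interval; elements = {{ {', '.join(v6)} }} }}")
    out.append("  chain input {")
    out.append("    type filter hook input priority 0; policy accept;")
    if v4:
        out.append("    ip saddr @list4 drop")
    if v6:
        out.append("    ip6 saddr @list6 drop")
    out.append("  }")
    out.append("  chain output {")
    out.append("    type filter hook output priority 0; policy accept;")
    if v4:
        out.append('    ip daddr @list4 log prefix "callhome: " drop')
    if v6:
        out.append('    ip6 daddr @list6 log prefix "callhome: " drop')
    out.append("  }")
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    listed = parse_feed(SAMPLE_FEED)
    print(nft_ruleset(listed))  # pipe into `nft -f -` on the firewall host
```

Two design points worth noting: the inbound rule uses `drop` rather than `reject`, which is exactly what keeps the network from acknowledging the first SYN, and the outbound rule matches on destination address only, with no port or protocol qualifier, so an encrypted call-home is blocked the same as a cleartext one. The `log prefix "callhome: "` on the outbound rule is what turns a blocked attempt into the log record an administrator needs to locate the infected host.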


1. Prevent Data Exfiltration and Ensure Compliance

The most important job for ThreatSTOP is to stop the theft of your valuable data, be it customer credit card numbers, your customer list or employee data, or your intellectual property. ThreatSTOP accomplishes that by blocking traffic between your network and known “bad” IP addresses with a very low false-positive rate. Since our default mode is to block the suspected traffic first, and provide you with log data to enable remediation of the breached machines, each failed attempt to breach is not a reportable event under the various compliance regimes. This is in contrast with most other products, which just alert you to suspected traffic. That is of course better than nothing, but by then the breach has already occurred and the whole incident response process, with its attendant costs and risks of legal action and lost reputation, has to unfold.

2. Simple to Deploy, Lowest Total Cost of Ownership

ThreatSTOP has the lowest cost of ownership since it is implemented in the firewall natively or via a simple script that can be set up within an hour. There is no need to buy another piece of equipment or replace your existing firewall, and therefore none of the labor, time and expense of network reconfiguration, testing and certification, and employee training.

"You delayed my need to upgrade my email servers by 2.5 years. That's $200,000 a year we put in the classroom instead."

-- Steve Gorham
Hillsborough Community College
Tampa, FL

Lower Network Equipment Costs

By significantly reducing unwanted traffic and the resources needed to process it, ThreatSTOP not only improves network performance but also reduces the need for new capacity to process the junk traffic. That can add up to hundreds of thousands of dollars a year.