URL or domain reputation – as found in Symantec’s RuleSpace web categorization database – is one of the most valuable and commonly licensed forms of threat intelligence. Also known as web reputation, it enables security vendors and service providers to protect their customers (businesses or private individuals) from websites that host malicious code or potentially unwanted applications.
Unfortunately, Broadcom recently decided to discontinue Symantec’s RuleSpace URL database. If you have been affected by the decision to end-of-life the RuleSpace URL database, how should you go about selecting a new provider?
When assessing threat intelligence we want to understand the quality of the data. Often this is a measure of three characteristics:
- Coverage (i.e. geographic, # sources),
- Velocity (update rate, delay, response time), and,
- Depth (classification, categorization, transparency of the data and types of intelligence covered).
Much like RuleSpace, Avira’s web reputation delivers both threat classifications and content categorization. This intelligence enables us to decide if a site or domain is blacklisted, contains PUAs, or is safe and clean. It also allows us to understand the site’s content categorization using IAB-1, tier 1 and 2.
Approaching a billion data sources means that Avira has one of the broadest scopes of any threat intelligence, and has global coverage built from consumer and technology partner telemetry on every continent – except perhaps Antarctica.
This exceptional visibility into website reputation is enhanced by a reassessment of sites that occurs 24×7.
Finally, the geographic distribution of access portals using Amazon Web Services ensures a sub 10ms server response time and redundancy.
Ease of access
Machine-readable threat intelligence (MRTI) is accessed as a feed or as an API. For example, Avira threat intelligence can be queried in real time using an API, or downloaded as JSON from an Amazon S3 bucket every minute.
It’s this simple machine-readable integration that makes threat intelligence relatively portable. When a vendor’s data no longer meets your needs or, as in the case of RuleSpace, is terminated, it should be reasonably easy to move to another provider.
If you have looked at the market, assessed several threat intelligence databases, and perhaps built a shortlist of web reputation services, there may be two more topics you want to consider.
Is this supplier relationship going to last? Might they be acquired? Or are they even my competitor?
An acquisition can happen to any company. If it can happen to Symantec, it can happen to anyone. But you can take steps to protect yourself against an acquisition of your supplier. These are outlined in Gartner’s recent paper ‘5 Best-Practice Steps for Selecting a Security Technology OEM’.
The paper looks at many aspects of technology licensing, including price negotiation and service protection. And it also provides valuable insight into the question ‘do I build it myself, acquire a company for it, or license the technology?’
Within the OEM team at Avira, we tend to summarize this last point as:
- If the technology you need is of strategic value to your company, or is a market differentiator, then ‘build it or buy it.’ In other words, develop it in-house. Or consider acquiring a company that already has the technology.
- If the technology you need is essential – but not strategic to your security solution – and is not your key differentiator in the market, consider licensing it.
Threat intelligence (and anti-malware) technologies often fall into this second category. It is the reason so many vendors buy in their intelligence. It’s challenging to build intelligence just by yourself (it requires a lot of time and a lot of sources). Even if you are building your own database, alternative providers – another viewpoint – will always add value.
Am I partnering with a competitor?
It is also worth considering if you are partnering with a provider that is actually a competitor.
Over the past year, increasingly cut-throat competition in the enterprise market has led vendors to discontinue a service or change a license agreement to disadvantage their partner. It most commonly occurs when the OEM provider competes with their partner in the same market.
Many enterprise cyber-security vendors have an OEM business that supplies technology or intelligence to their competitors. This invariably creates a tension between their enterprise sales business and their OEM/licensing business. Whether this tension led to Broadcom discontinuing the RuleSpace URL database is speculation. Still, we’ve certainly seen other cyber-security vendors terminate services or change license agreements to gain a competitive advantage over their OEM partners.
At Avira, we don’t compete with our partners; we don’t sell into the enterprise market. So if you’ve decided that Avira’s Web Reputation API service delivers the quality that you require, at the price you need, with the licence terms you want, then one thing you don’t have to worry about is relying on a competitor for important parts of your solution.