How cybersecurity professionals use IP data
In today's digital landscape, cybersecurity has become a critical concern for businesses and organizations. Cyber threats are constantly evolving, and cybercriminals are always looking for new ways to exploit vulnerabilities in infrastructure and networks.
In this context, IP data plays a crucial role in the work of cybersecurity teams, including SOC as a Service and Security Information and Event Management (SIEM). Here are several ways IPinfo’s cybersecurity users implement IP address data.
Attack surface management
Many well-known cybersecurity teams and organizations use IPinfo’s data to conduct attack surface management, including Lacework, NetSPI, and Graylog. These and many other organizations conduct risk assessments and manage vulnerabilities by using IP address data to map their clients' or their organization’s assets.
IP address data is an integral part of identifying systems at risk and exposed services within networks. For teams that need to know who operates a given address, the IP to Company dataset attributes IP ownership: it reveals the company name, domain name, network, and company type, such as business, hosting provider, ISP, or educational institution.
Using IPinfo’s data to determine what IP ranges are associated with companies is critical for attack surface management and network monitoring. Many security teams use our IP Ranges data to investigate ranges operated by a single entity.
Hosted Domains data is another input security teams draw inferences from. These Reverse IP downloads list every domain hosted on a single IP address, so a team can enumerate entry points such as landing pages and domains sitting on shared infrastructure as part of the attack surface.
Security companies and teams also download the IP Whois database. Its Point of Contact (POC), Organization Identifier (ORG), and Network (NET) records let them answer who owns an IP address and under which organization ID, and to track trends such as changes in IP address ownership over time.
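The attack surface mapping described above comes down to one question per exposed host: does it sit in a range we own, and if so, do we know about it? The following is an added example, not IPinfo's code or any customer's; the organization, its IP ranges, inventory, scan observations, and the reverse-IP domain list are all constructed stand-ins for the kind of data the IP Ranges and Hosted Domains datasets would supply.

```python
"""Triage internet-exposed hosts against an organisation's IP ranges (added example)."""
import ipaddress

# Constructed stand-in for an IP Ranges dataset entry: the ranges one company operates.
ORG_RANGES = {
    "Example Corp": ["203.0.113.0/25", "203.0.113.128/26", "2001:db8:100::/48"],
}
# Constructed asset inventory: the hosts the security team believes it operates.
INVENTORY = {"203.0.113.10", "203.0.113.130", "2001:db8:100::1"}
# Constructed scan observations of internet-exposed listeners: (ip, port).
OBSERVED = [
    ("203.0.113.10", 443), ("203.0.113.77", 22), ("203.0.113.130", 443),
    ("198.51.100.40", 443), ("2001:db8:100::9", 8080),
]
# Constructed reverse-IP (hosted domains) result for a shared hosting address.
HOSTED_DOMAINS = {
    "198.51.100.40": ["www.example.com", "promo-example.net", "unrelated-shop.org"],
}
OUR_DOMAIN_SUFFIXES = ("example.com",)   # assumption: the org's own registrable domains


def build_networks(ranges):
    """Parse CIDR strings once so membership tests below are cheap."""
    return {org: [ipaddress.ip_network(c) for c in cidrs] for org, cidrs in ranges.items()}


def owner_of(ip, networks):
    """Return the organisation whose range contains ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for org, nets in networks.items():
        if any(addr in net for net in nets):
            return org
    return None


def classify(observed, networks, inventory):
    """Split exposed hosts into managed (owned + inventoried), unmanaged (owned but
    not inventoried, i.e. shadow assets) and external (not in any owned range)."""
    inv = {ipaddress.ip_address(i) for i in inventory}   # normalise IPv6 spellings
    out = {"managed": [], "unmanaged": [], "external": []}
    for ip, port in observed:
        if owner_of(ip, networks) is None:
            out["external"].append((ip, port))
        elif ipaddress.ip_address(ip) in inv:
            out["managed"].append((ip, port))
        else:
            out["unmanaged"].append((ip, port))
    return out


def _is_ours(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def shared_hosting_report(external, hosted_domains, our_suffixes):
    """For hosts outside our ranges, use reverse-IP data to see which hosted domains
    are ours (assets at a third-party provider) and which belong to co-tenants."""
    report = {}
    for ip, _port in external:
        domains = hosted_domains.get(ip, [])
        report[ip] = {
            "ours": [d for d in domains if _is_ours(d, our_suffixes)],
            "co_tenants": [d for d in domains if not _is_ours(d, our_suffixes)],
        }
    return report


if __name__ == "__main__":
    nets = build_networks(ORG_RANGES)
    result = classify(OBSERVED, nets, INVENTORY)
    for bucket, hosts in result.items():
        print(bucket, hosts)
    print(shared_hosting_report(result["external"], HOSTED_DOMAINS, OUR_DOMAIN_SUFFIXES))
```

The interesting output is the "unmanaged" bucket (addresses inside owned ranges that nobody inventoried) and the "ours" list under an external IP (a brand asset living on a provider's shared address, next to unrelated tenants). Both are the gaps an attack surface review exists to find, and both depend on the range and reverse-IP data being current.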
IP to Geolocation data is also useful for cybersecurity teams whose organizations span multiple sites or franchises, each operating networks that may or may not be connected, because it shows where each address range is actually located.
For some cybersecurity organizations, including cyber insurers, the impact of these datasets can reach tens of millions of dollars when vulnerable or targeted technology and network exposures are identified.
Inaccurate IP address data cuts the other way: false alerts and wrong inferences waste analyst time and cost revenue. That is why accurate IP address data plays a major role in mapping attack surfaces.
Threat actor intelligence
Beyond monitoring a company's or customer's own assets, some cybersecurity teams also use IP address data to map and investigate adversarial infrastructure and networks. Because threat actors rotate their infrastructure over months, weeks, and sometimes days, network monitoring solutions often need IP address data that is updated daily.
That’s why many security organizations choose IPinfo’s data. These IP datasets are more than what users could aggregate from publicly-available IP address data. We’ve developed our own proprietary algorithms to monitor data accuracy, and our data engineers continually verify and improve our databases.
We also invest in robust traceroute systems to validate IP address information. In short, this data is accurate enough to keep pace with the accelerated investigations and intelligence needed by cybersecurity teams.
Cybersecurity teams specializing in threat actor intelligence focus on gathering as much information about adversary assets as possible. They may still map out a company's assets, but the focus of their investigations is different.
The practical payoff is that when security teams observe communication between known threat actor infrastructure and the network they are monitoring, they can often infer that an attack is underway, and frequently what type of attack it is.
IP Whois and ASN data are two of the critical datasets for developing threat actor intelligence and keeping pace with rapidly changing adversarial infrastructure. Because that infrastructure changes so quickly, cybersecurity teams need IP address data refreshed at least daily, so that lookups reflect current ownership rather than last month's.
Managed detection and response
Managed Detection and Response (MDR) and Security Information and Event Management (SIEM) enrich traffic logs with IP address data for better outcomes and customer confidence.
MDR relies on IP data to improve alerts based on anomalies detected in the IPs accessing networks or systems. Enterprise customers like Panther, Datadog, Expel, and Graylog use IPinfo's data to fuel better MDR.
“As a cloud-native SIEM that provides highly-scalable, real-time threat detection, Panther needs effective enrichment to make sure customers get the context they need fast. As a fellow Snowflake partner, IPInfo was an ideal choice for seamless alert enrichment - quickly adding the geolocation and ASN context our customers need to tune detections and accelerate triage.” Joren McReynolds, SVP of Engineering, Product & Design
Privacy Detection is an important data source for MDR because it flags IPs that mask the real user: VPNs, proxies, Tor exit nodes, relays, and connections via a hosting provider. Any of these could be used to tunnel traffic into networks while hiding the true location of the user, which is why a login from such an address deserves a higher severity than the same login from a residential ISP.
IP to Geolocation also helps SIEMs enrich traffic logs with relevant geolocation information from around the world. This dataset includes hostnames, location coordinates to the nearest city center, region, postal or zip code, country, and city-level insights. SIEMs use geolocation data to raise the priority of alerts from unexpected locations.
Along with these datasets, IP to Company and ASN data are important for enriching alerts and gathering further context. ASN data reveals the country, number of IPs, allocation date, registry, and whether the network belongs to a hosting service. Enterprise organizations use these insights to detect suspicious connections from data centers or from IPs known for malicious activity.
In addition to datasets, organizations like Panther use IPinfo’s integrations to seamlessly implement IP address data into their workflow and log enrichment. This is why IPinfo offers supported integrations like Snowflake, Splunk, and Palo Alto.
Fraud prevention
Organizations also use IP address data to prevent fraud. IP address data is a useful part of automated fraud scoring models and helps a variety of companies, from cybersecurity to financial institutions, establish better fraud detection. Several of these include Feedzai, Forter, Nethone, Dupaco, and Adcash.