The ThreatSTOP Admin portal is the web application where you can manage and assign devices and policies, run reports and configure the features of your account.
Policies are updated throughout the day and deployed automatically to your devices:
- firewalls or routers for IP Defense
- DNS servers for DNS Defense
- Windows/OS X laptops and workstations for Roaming Defense
These devices enforce your policy and send log files containing the details of blocked connections and DNS queries back to the portal, where they are matched against our Threat Intelligence systems for rich reporting and analysis.
The home page of the portal is a dashboard which provides a quick overview of the activity in your network:
- Outbound: the number of blocked outbound TCP/IP connections attempted by devices in your network
- Inbound: the number of blocked inbound TCP/IP connections attempted into your network
- DNS FW: the number of DNS queries blocked by ThreatSTOP’s DNS Defense
- Devices: the number of devices in your network that originated blocked connections
- Top 3 Threats: the three threat types most frequently associated with the blocked connections
The graphs display the evolution of the number of blocked connections over the last 7 days.
Devices enforce the policy that you selected, and send corresponding logs back to ThreatSTOP’s portal. It is possible to deploy ThreatSTOP on multiple devices and we integrate with most Firewall and DNS server vendors.
During the initial trial, you will be able to add two types of devices:
- The ThreatSTOP LiveISO combines a ready-to-use IP Firewall and DNS Firewall suitable for exploring ThreatSTOP’s features without making changes to a device in your network.
- A Roaming device group: the TSRoaming application which can be installed and uninstalled on Windows and OS X laptops in a matter of seconds.
You can delete devices created through the guided setup or manually. If you delete a device entry, the corresponding device (LiveISO or Roaming group) will stop receiving policy updates and generating reports.
If you would like to deploy ThreatSTOP on a real firewall or DNS server, our customer service team will be happy to assist you with the configuration and installation of the agent. Please contact us at firstname.lastname@example.org to learn more or schedule an installation.
Policies define the list of Threats that will be blocked by your device. Trial accounts provide access to a set of pre-defined policies. The full version of the product allows customizing policies and adding your own blacklists and whitelists.
ThreatSTOP organizes Threat Intelligence into Targets: lists of IP addresses, subnets and domains that are associated with different types of threats. Policies can be tailored based on several criteria, such as:
- what you are protecting: for example end-user desktops, servers reachable from the Internet, or roaming laptops
- your security posture
- your network hardware
Targets are also used to enrich the log entries generated by enforcing your policy. They can be used to identify the IOCs (Indicators of Compromise) and threats associated with a connection or DNS query.
The Guided Setup will help you select a device type and a pre-defined policy, and will guide you through the device installation. If you don’t have time to install a device, you can choose to load sample data into your account and look at the capabilities of the Reporting and Threat Intelligence features without installing anything.
You can run the Guided Setup multiple times and select different protection types or policies.
Reporting and Check IOC
When your device blocks a connection or a DNS query because it matched an IP address or domain contained in your policy, it will generate a log entry. Log entries are uploaded periodically to the ThreatSTOP backend, where they are matched against the Threat Intelligence database. The enriched logs are accessible through a wide range of reports, from summaries to the full details of the event.
The reports allow you to track which of your machines are making, or are targeted by, dangerous connections. They also identify the targets associated with the IP addresses and domains, as well as the origin and destination of the connections. Furthermore, the Check IOC feature will present the Threat Intelligence profile of the external IP addresses and domains. The available information includes the current threats associated with that IOC, its history, and the list of IPs and domains associated with it.
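The enrichment and dashboard steps described above (log entries matched against Target lists of IPs, subnets and domains, then summarized into the Outbound/Inbound/DNS FW/Devices/Top 3 Threats counters) can be illustrated with a small script. This is an added example, not ThreatSTOP’s own code; the target names, log format and addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed, hypothetical Target lists (not ThreatSTOP's real data):
# each Target maps a threat type to the IPs/subnets and domains it covers.
TARGETS = {
    "botnet-c2": {"ips": ["198.51.100.0/24"], "domains": ["c2.example.net"]},
    "phishing": {"ips": ["203.0.113.7"], "domains": ["login.example.org"]},
    "scanner": {"ips": ["192.0.2.0/24"], "domains": []},
}

# Constructed sample log entries as a device would upload them:
# (kind, internal device, external IP or domain, direction)
LOGS = [
    ("ip", "10.0.0.5", "198.51.100.23", "outbound"),
    ("ip", "10.0.0.5", "203.0.113.7", "outbound"),
    ("ip", "10.0.0.9", "192.0.2.44", "inbound"),
    ("dns", "10.0.0.12", "c2.example.net", "outbound"),
    ("ip", "10.0.0.9", "192.0.2.44", "inbound"),
]

def match_targets(ioc):
    """Return the Target names whose IP/subnet or domain lists contain ioc."""
    hits = []
    for name, lists in TARGETS.items():
        try:
            addr = ipaddress.ip_address(ioc)
            if any(addr in ipaddress.ip_network(n) for n in lists["ips"]):
                hits.append(name)
        except ValueError:  # not an IP: treat as a domain (exact or subdomain match)
            if any(ioc == d or ioc.endswith("." + d) for d in lists["domains"]):
                hits.append(name)
    return hits

def enrich(logs):
    """Attach the matching Targets to each raw log entry."""
    return [dict(kind=k, device=dev, ioc=ioc, direction=d, targets=match_targets(ioc))
            for k, dev, ioc, d in logs]

def dashboard(enriched):
    """Compute the overview counters from enriched log entries."""
    threats = Counter(t for e in enriched for t in e["targets"])
    outbound = [e for e in enriched if e["direction"] == "outbound"]
    return {
        "outbound": sum(1 for e in outbound if e["kind"] == "ip"),
        "inbound": sum(1 for e in enriched if e["kind"] == "ip" and e["direction"] == "inbound"),
        "dns_fw": sum(1 for e in enriched if e["kind"] == "dns"),
        "devices": len({e["device"] for e in outbound}),  # devices that originated blocks
        "top3": [name for name, _ in threats.most_common(3)],
    }
```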