Reducing the time your customers spend analyzing reports by weeks is quite an achievement. Here's how Spamhaus Intelligence API assisted Red Sift in accomplishing that and more.

Who is Red Sift?

The Red Sift Open Cloud is a data analysis platform that is purpose-built for the challenges of cybersecurity. By harnessing the power of Artificial Intelligence (AI), it securely collates, computes & visualizes data from thousands of individual signals, delivering intelligent automation to its global customers.

In the beginning…

From its inception in 2015, Red Sift’s client portfolio has rapidly grown. Product development teams were always aware that they would need to lean on threat intelligence data to help them keep one step ahead of the competition.

Initially, for their OnDMARC and OnINBOX products, they required DNS blocklists (DNSBLs) to validate the reputation of IPs and domains sending email. For the OnINBOX product, utilizing blocklists helps Red Sift supply customers with an Authentication, Contents and Trust score (ACT) highlighting which emails are safe to interact with, helping combat Business Email Compromise (BEC).

After trialing various DNSBL vendors, Red Sift chose Spamhaus’ IP and Domain blocklists. Multiple factors led to this decision, including the quality and consistency of Spamhaus’ datasets, not to mention its global footprint providing widespread coverage. Additionally, accessing the DNSBLs was simple with Spamhaus’ Data Query Service. This provided Red Sift with a set-and-forget solution, which hasn’t failed since it went live in 2015.

Meeting and exceeding customer demands

With an increasing number of enterprise-sized customers, Red Sift was servicing more complex infrastructures. This meant a greater volume of report generation. One key aspect of DMARC is classifying your assets listed in these reports and mapping IPs to known senders.

In the first instance, customers had to undertake manual analysis, primarily done via lengthy internal conversations or outsourcing to consultants, both expensive and time-consuming.

With Red Sift’s focus on intelligent automation, they turned to Spamhaus Intelligence API (SIA), enabling them to provide their customers with additional insights that saved time and quickly highlighted urgent areas to focus on.

How did Spamhaus Intelligence API help?

This API provides a wealth of metadata related to listings in Spamhaus’ blocklists, specifically the Exploits Blocklist (XBL), which lists IPs related to compromised behavior, e.g., machines infected with malware.

A DNSBL provides a binary “yes, it is listed” or “no, it is not listed” response. Meanwhile, SIA provides numerous data points relating to the listed IP address, furnishing the user with more in-depth insight into the compromised IP’s activity.

When Red Sift identifies an IP listing on the XBL, they make a call to the API. Currently, 20-25% of all IP addresses they process are listed on the XBL and therefore called into SIA.

With the added intelligence SIA provides, Red Sift can automatically score the IP and show its customers why the IP is being blocked: automated, immediate intelligence.

How are Red Sift’s customers benefiting?

As previously mentioned, before SIA, enterprise customers were manually working through hundreds of reports. Now Red Sift automates the analysis, giving a contextual layer of why an IP is considered “bad.”

Users of OnDMARC can now log in and view a list of senders, along with an IP score that delivers a quick health check. This score can indicate to users if a legitimate sender has bad list hygiene or, worse, unsolicited use.

This intelligence is invaluable for OnDMARC users, saving them from sifting through reports and wasting valuable time, providing instant insight into what to prioritize and focus on.

One customer, a specialized agency of the United Nations, used OnDMARC to analyze over 29,000 sending IPs in just minutes. The intelligent automation behind this analysis was powered using SIA. As a result, 22% of their sending IPs were instantly highlighted as “known malicious,” saving the organization weeks of work.

In the words of Deepak Prabhakara, Red Sift’s Founding Engineer and CTO, “Spamhaus data allows us to add huge amounts of value for our customers and beyond.”

How is Red Sift benefiting?

Here are the additional benefits being experienced by Red Sift:

Saving time: With the additional insight SIA brings, Red Sift’s Customer Success Teams can quickly classify potential threats, dramatically reducing report analysis time, freeing them up to provide additional value to their customers.

Scalable solution: In the words of Deepak, “We don’t have to worry about scale. The data is easy to access and a great benefit for us.” He added, “We can push as much traffic as we need towards Spamhaus, and we know it’s going to work.”

Product innovation: Red Sift utilizes SIA to help realize their product roadmap, and there’s more in the pipeline for Red Sift’s customers in terms of automation and further insights.

Simple implementation: Deployment of DQS was very straightforward, using standard DNS queries. For SIA, the Red Sift technical team uses a purpose-written reverse proxy that sits between the client and the API: it performs the DNS request, caches the result, and automates the token refresh, so that multiple active tokens are never created.
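The flow described above (DNSBL check first, SIA call only for XBL hits, one cached API token refreshed before expiry) as an added example; this is not Red Sift's proxy or Spamhaus' client code. The DNSBL zone, resolver, login and SIA call are constructed stand-ins so it runs offline; the ZEN return codes are Spamhaus' documented values.

```python
import ipaddress
import threading
import time
from typing import Callable, Dict, List, Optional, Tuple

# ZEN return codes: 127.0.0.2 SBL, 127.0.0.3 CSS, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL.
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}

def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: reversed IPv4 octets prefixed to the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def xbl_listed(ip: str, zone: str, resolve: Callable[[str], List[str]]) -> bool:
    """True when any A record for the query name is an XBL return code."""
    return any(rec in XBL_CODES for rec in resolve(dnsbl_name(ip, zone)))

class TokenCache:
    """Keeps exactly one active API token; refreshes it shortly before expiry."""
    def __init__(self, login: Callable[[], Tuple[str, float]], margin: float = 60):
        self._login, self._margin, self._lock = login, margin, threading.Lock()
        self._token: Optional[str] = None
        self._expires = 0.0
        self.logins = 0  # how many times a fresh token was minted

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        with self._lock:  # concurrent callers never race into parallel logins
            if self._token is None or now >= self._expires - self._margin:
                self._token, self._expires = self._login()
                self.logins += 1
            return self._token

def enrich(ips: List[str], zone: str, resolve, tokens: TokenCache,
           query_sia: Callable[[str, str], Dict]) -> Dict[str, Dict]:
    """DNSBL first; only XBL hits are sent on to the (hypothetical) SIA call."""
    return {ip: query_sia(tokens.get(), ip) if xbl_listed(ip, zone, resolve) else {}
            for ip in ips}

# Constructed stand-ins so the example runs offline (no real DNS or HTTPS traffic).
ZONE = "zen.example.test"  # placeholder; a real DQS zone is prefixed with your key
FAKE_DNS = {"1.2.0.192." + ZONE: ["127.0.0.4"],   # constructed: XBL listing
            "2.2.0.192." + ZONE: ["127.0.0.2"]}   # constructed: SBL only
def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])  # no records means not listed
def fake_login() -> Tuple[str, float]:
    return ("constructed-token", time.time() + 3600)
def fake_sia(token: str, ip: str) -> Dict:
    return {"ip": ip, "source": "XBL", "token": token}
```

Calling `enrich(["192.0.2.1", "192.0.2.2", "192.0.2.3"], ZONE, fake_resolve, TokenCache(fake_login), fake_sia)` sends only the first address to the SIA stand-in and reuses one token for the whole batch.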

Today and looking to the future

The threat intelligence that SIA provides Red Sift is assisting them with product innovation. As a result, their customers rapidly gain visibility of problem IPs and understand the context surrounding the issue. This enables them to remediate issues far more quickly. Ultimately, productivity is significantly increased, which is always a positive outcome.

Meanwhile, Red Sift can focus on further innovations, while Spamhaus is detecting threats 24/7 on their behalf, delivering accurate IP and domain reputation data via a robust infrastructure.
