Back Arrow Back to All Integrations

Dynamic Blocklists and Threat Feeds

Dynamic Blocklists and Threat Feeds

Blumira’s Automated Response

With Blumira’s Dynamic Blocklists, you can automate threat response with one click and reduce your overall attack surface by blocking malicious source IP addresses and domains through your next-generation firewalls. Blumira integrates with many different firewall providers, including:

And many others – see all of our integrations.

 

Blumira’s Threat Feed allows your organization to compare incoming network traffic against many reputable threat intelligence feeds – once enabled, any incoming traffic is blocked from connecting to your network.

 

With Community blocking, Blumira allows you to opt into sharing known malicious IP addresses and domains to other Blumira customers (no confidential information is shared).

 

See more details about these features below.

Dynamic Blocklists

A Dynamic Blocklist (DBL) is used for blocking malicious source IP’s and domains on Next-Gen Firewalls (NGFW) by referencing an external list, in this case Blumira.

The Blumira Blocklist function is enabled by hooking into your NGFW through a URL on the Block Lists page. When this feature is configured on your firewall, you may notice a question in your future workflows asking if you’d like to add a threatening IP to your DBL.

When an IP or Domain is added through a finding workflow, it will be added immediately to the Blumira blocklist, but may take a few minutes to reflect on the firewall. The list will be populated at Infrastructure > Blocklists.

Threat Feeds

Threat intelligence data feeds provide users with constantly updated information about potential sources of attack. Sources of threat intelligence data include free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Organizations within in the network security community, including SANS and CERT, make open source TI feeds freely available.

The Blumira Threat Feed function allows your business to compare incoming network traffic against numerous reputable threat feeds. When enabled, incoming network traffic from IP’s or Domains on the feeds are automatically blocked from successfully connecting to your network. When adding these to a NGFW, you may be able to set them to monitor only if you’d like to view what activity they block at first.

Results will depend on the severity level of thread feed that is enabled.

Low – If you feel as though you’d like to have conservative blocking, start with the “Low” setting. The lowest setting will have very high confidence that the incoming IP’s and Domains are, in fact, malicious.
Moderate – Our recommended setting is Moderate, as this will have a higher number of known bad sources, including Tor nodes.

Community Blocking

Lastly, we’re dipping our toes into the Community blocking function. This allows all Blumira customers using the blocking feature to share the malicious IP addresses and domains they’ve added to their DBLs. The IP addresses and domains will automatically populate as other Blumira customers find malicious sources via a threat events. This function allows us to create a dynamic database of threatening sources while building a strong community.

Note: No confidential information is passed between customer databases, just the source IP/domain found to be malicious.

Configuration

1. By default, blocking and threat feeds are disabled.To enable blocking navigate to Infrastructure > Blocklists

2. Click Configure on the upper right side, and check “Blocking” in the sidebar.

3. Select which device class you would like to implement the DBL on and the length of days you would like to block by default

4. To populate the Threatlist URLs, select what level you would like to use. You can also select if you would like to enable the automated or community features here.

5. When you return to the page after saving, they will be displayed on the Blocklists page. These URLS will be added into your NGFW.

Note: The Zendesk login is specific to the Support page and is not part of the Blumira application. You may need to register if you’ve not previously accessed it.

6. When IP addresses and domains are blocked you will see them on the Blocklists console.

If anything mentioned above sounds like something your company would like to enable, please feel free to navigate to the appropriate page on https://app.blumira.com, and if you have any questions or issues we can be contacted at (877) BLUMIRA or reach out online.