Since launching our web
classification service in 2006, we’ve seen tremendous interest in our threat
and web classification services, along with an evolution of the types and sizes
of cybersecurity vendors and service providers looking to integrate this type
of curated data into their product or service. Over the years, we’ve had the good
fortune to work with partners of all sizes, from global networking and security
vendors to innovative and dynamic start-ups across the world.
With the end-of-life of Broadcom’s Symantec RuleSpace OEM Web Classification service, we’ve received numerous inquiries from their former customers evaluating alternative solutions. Here we’ll outline the things to consider in a replacement. For more on why Webroot is poised to fill the gap left by the Broadcom, you can read the complete whitepaper here.
Your use case: how well does it align
with the vendor?
Each use case is
unique. Every vendor or service provider brings its own benefit to market and
has its own idea about how their service or solution adds value for customers,
clients or prospects. That’s why our adaptive business model focuses on
consulting with partners on technical implementation options, spending the time
to understand each business and how it may benefit from a well-architected
integration of classification and/or intelligence services.
Longevity and track record
A key factor
influencing change on the internet is innovation. Every service provider is continuously
enhancing and improving its services to keep pace with changes in the threat
landscape, and with general changes to the internet itself. As well as keeping up
with this change, it’s important that a vendor brings a historical perspective to
the partnership. This experience will come in handy in many ways. Scalability,
reliability and overall business resilience should be expected from a well-established
evaluations of web classification and threat intelligence providers are difficult
to achieve. We can offer guidance to prospective partners, but it’s often more reassuring
to simply see the strong partner relationships we have today. Many of these we’ve
worked with for well over a decade. When evaluating a vendor, we recommend looking
closely at current partners and imagining the investments each have made in
their integrated solutions. This speaks volumes about integration performance and
the quality of the partnership.
A classification or
threat dataset is only as good its sources and the analytics used to parse it. Many
companies offer classification and/or threat intelligence data, but the quality
of that data varies significantly.
Threat Intelligence Capabilities
Not all our partners’ use
cases require threat intelligence, but for those that do it’s critical they
understand where their threat data comes from. There are now a great many sources
of threat data, but again these are far from equal. Worse still, comparing
source is often no simple task.
Ease of integration
As mentioned, every
use case is unique. So are the platforms into which web classification, malware
detection and threat intelligence services are integrated. It’s therefore crucial
that a vendor provide flexible integration options to accommodate any
pioneering partner, service provider or systems integrator. Simply providing
data via an API is useful, but will it always deliver the performance required
for real-time applications? Delivering a
local database of threats or classifications may help with performance, but
what about new threats? Achieving a balance of flexible delivery, performance
and security is crucial, so take time to discuss with potential vendors how
they plan to deliver.
Phishing sites are
some of the most dynamic and short-lived attack platforms on the web, so intelligence
sources must be capable of detecting and tracking them in real-time. Most
phishing intelligence sources depend on manual submissions of phishing sites by
end users. This is far from ideal. Users are prone to error, and for every 10,000
users who click on a phishing site only one will report it to an authority or
tracking service, leading to massive under-reporting of this threat vector.
Category coverage: beware category overload
There are various
approaches to classifying the web and different vendors specialize in different
areas. In many cases, this is determined by the data sources they have access
to or the markets in which they operate. Again, it’s important to evaluate the
partners to whom the vendor is delivering services and to consider how the
vendor may or may not add value to the partnership.
Efficacy and performance
fundamental to web classification or threat detection capabilities, so it
should be a core criterion when evaluating a vendor. Depending on the use case,
false positives or false negatives may be the primary concern when making
determinations. Potential vendors should be evaluated for performance in these
areas and asked how they approach continuous improvement.
third-party service or solution into a product, platform or service entails
risk. There’s always the chance the new dependency negatively affects the
performance or user experience of a service. So it’s importance to ensure a
vendor can reliably deliver consistent performance. Examine each’s track record
and customers base, along with the use cases they’ve previously implemented. Do
the vendor’s claims match the available evidence? Can current customers be
contacted about their experiences with the vendor?
In assessing vendors,
it can be difficult to determine the level of scalability possible with their
platform. It helps to ask questions about how they build and operate their
services and looking for examples where they’ve responded to unexpected growth
events that can help demonstrate the scaling capabilities of their platform. Be
wary of smaller or upstart vendors that may have difficulty when their platform
is heavily loaded or when called upon to grow faster than their existing
Some solutions may look
technically sound, easily accessible and well-documented while a mutually
agreeable business model remains elusive. Conversely, an agreeable business
model may not be backed by the efficacy or quality of service that desired from
a chosen vendor.
Feedback loops: making the best
We’re often approached
by contacts asking us for a “feed” of some kind. It may be a feed of threat
data, malware information or classifications. In fact, many of our competitors simply
push data for customers or partners to consume as their “product.” But this
approach has inherent weaknesses.
Partnership: not just a customer relationship
As mentioned, we seek to
build strong partnerships with mutual long-term benefit. Look for this approach
when considering a vendor, knowing you’ll likely be working with them for a
long time and fewer changes to your vendor lineup mean more time optimizing your
products and services. Ask yourself: Who will we be working with? Do we trust them?
How easy are they to get ahold of? These are critical considerations when
selecting a vendor for your business.
We hope to have provided some food for thought
when it comes to selecting an integration partner. To read the full whitepaper
version of this blog, please click here. We’re always standing by to
discuss prospective clients’ needs and to provide any possible guidance regarding
our services. We’re here to help you craft the best possible solutions and
services. Please contact us to take the next step towards an even more