The data your RiskAnalytics service delivers is an indispensable tool to you and your team. Understanding what the data means will help you improve your network's security posture and reduce the risk your company faces. In this article, we discuss the difference between inbound and outbound shuns (blocks).
Inbound blocks occur when your network is being attacked from the outside. Your RiskAnalytics service detects the attack and shuns the attacker, protecting your network.
Unfortunately, your network will almost always have inbound attack traffic. However, you can significantly improve your security posture (and reduce your number of inbound attacks) by reducing your network's attack surface. This includes turning off unnecessary services, tightening network firewall rules, and confirming the accuracy of your network equipment's configurations.
Outbound blocks occur when malicious traffic is attempting to leave your network. Your RiskAnalytics service detects and shuns the malicious traffic, protecting your network from the effects of the traffic.
Outbound block counts should be monitored closely, because high outbound block counts may indicate that you have devices on your network that are infected with malware. Once it infects a device, malware often uses the internet to "call home" to feed information to the malware's creator or to attack other devices as part of a botnet. Special attention and quick response to these blocks and their potential sources can save you many headaches down the road.
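The following added example, which is not RiskAnalytics code and does not use a RiskAnalytics log format, classifies block records as inbound or outbound by address and lists the internal hosts with repeated outbound blocks. The CSV layout, the 10.0.0.0/8 internal range, the threshold and all sample records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of a hypothetical block-log export.
# Columns: timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z,198.51.100.7,10.0.0.5,22
2024-05-01T09:00:09Z,10.0.1.23,203.0.113.50,443
2024-05-01T09:05:09Z,10.0.1.23,203.0.113.50,443
2024-05-01T09:07:41Z,192.0.2.14,10.0.0.5,3389
2024-05-01T09:10:09Z,10.0.1.23,203.0.113.50,443
2024-05-01T09:12:30Z,10.0.2.8,203.0.113.77,80
2024-05-01T09:15:10Z,10.0.1.23,203.0.113.91,8080
2024-05-01T09:20:55Z,198.51.100.7,10.0.0.9,23
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: your internal ranges

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def classify(src, dst):
    """Inbound: outside source aimed at an inside address. Outbound: the reverse."""
    if is_internal(src) and not is_internal(dst):
        return "outbound"
    if not is_internal(src) and is_internal(dst):
        return "inbound"
    return "other"

def triage(log_text, threshold=3):
    """Return (inbound_total, suspects). Suspects are internal hosts with at
    least `threshold` outbound blocks, busiest first, with their destinations."""
    inbound = 0
    per_host = defaultdict(lambda: {"blocks": 0, "dests": set()})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:  # skip blank or malformed lines
            continue
        _, src, dst, _ = row
        direction = classify(src, dst)
        if direction == "inbound":
            inbound += 1
        elif direction == "outbound":
            per_host[src]["blocks"] += 1
            per_host[src]["dests"].add(dst)
    suspects = [(host, v["blocks"], sorted(v["dests"]))
                for host, v in per_host.items() if v["blocks"] >= threshold]
    return inbound, sorted(suspects, key=lambda s: -s[1])

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A host that appears in the suspect list with many blocks to only a few destinations is a candidate for the "call home" pattern and is worth inspecting first.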
If you have high numbers of outbound blocks and are concerned about the security of your network, you should consider purchasing a RiskAnalytics Threatsweep. The RA Threatsweep provides bidirectional shunning and advanced internal network visibility into threats and policy violations, which can help you identify issues before they wreak havoc on your network. For more information about the RA Threatsweep, visit RiskAnalytics' website or call us at 1-855-639-4427.