Lumen Defender℠ Powered by Black Lotus Labs® Service Guide

Version: July 24, 2024


This Service Guide (“Service Guide”) for Lumen Defender℠ Powered by Black Lotus Labs® (“Lumen Defender” or “Service”) is subject to and incorporated into the Agreement between the parties.


1. Lumen Defender Service. Lumen Defender provides automated network threat detection and response capabilities to proactively detect and block evolving threats at the Lumen network edge. Lumen Defender uses Black Lotus Labs technology to identify potentially malicious host IP addresses and blocks traffic from those IP addresses which Lumen believes to be malicious. Customer may use the Lumen Defender portal to view blocked threats and manage all aspects of the Service. Lumen Defender is available for select Lumen Internet Services and Internet On‑Demand (IoD), with availability determined by Lumen. Capitalized terms will have the meaning assigned to them in the ‘Definitions’ section.


  • 1.1 Lumen Defender is available in two Service Tiers, further outlined below:


  • 1.1.1 Lumen Defender Essentials.
    • Monitors Customer inbound internet traffic as it passes through Lumen internet infrastructure and correlates that traffic against a list of potential threats.
    • Proactively blocks certain malicious IP‑based threats on the Lumen network based on risk levels designated by Black Lotus Labs threat intelligence.
    • Portal access to view threat data captured by Lumen, including category, frequency, and destination. Please note: Defender Essentials data displayed is based on sampled data only and will not represent every threat that has been detected or blocked.
  • 1.1.2 Lumen Defender Plus.
    • All features included in the Lumen Defender Essentials Service.
    • Ability to select monitoring and/or blocking of threat risk levels categorized as Severe, Very High and High (Severe is selected by default), and ability to permit a unique threat by IP Address.
    • Ability to set up and send end user alerts via email and/or text; create, modify custom allow, deny, monitor, and block certain threats, provided the IP addresses are displayed in the threat list. Ability to filter, view and/or export certain reports, including lists of Active Threats and Blocked Threats (and associated Threat Category) for up to a rolling 12‑month period, provided that Lumen Defender Plus is active continuously during the 12‑month period.


  • 1.2 Pricing and Billing.

Service pricing is determined by the selected Service Tier (Essentials or Plus) and is displayed on the order. For Lumen Defender associated with Internet On‑Demand, the pricing will be displayed as an hourly charge. The one‑time non‑recurring charge (NRC) will be waived if Lumen Defender is added at the time a new IoD connection is activated. All other adds or changes, including adding Lumen Defender to an existing IoD service, are subject to the one‑time NRC. Billing will commence and hourly charges will begin to accrue immediately after Customer receives notice that the Service is activated. Customer will continue to be billed the hourly rate for each consecutive hour, rounded up to the next whole hour, until the Service is disconnected. Lumen Defender will be automatically disconnected if Customer disconnects the underlying internet Service.


  • 1.3 Lumen Defender Interface.

Customer may use an online Lumen Defender Portal (“Portal”) to view threats and manage the Service. Customer will have access to the Portal solely for use with the Service, and Customer will be responsible for any unauthorized access to or use thereof. The Service uses two‑factor authentication (“2FA”) for access to the Portal. Customer must install two‑factor authentication software to be used for validating identity while interacting with the Portal. In addition, as part of any support requested by Customer, Lumen may need to access Customer information within the Portal and Customer’s request for support constitutes its consent for Lumen to access the Portal information as needed.


  • Portal features include:
    • Ability to view threats by category, count and destination.
    • Ability to turn off blocking by selecting “Monitor Mode.” Service becomes view‑only and Customer is solely responsible for initiating blocking in order for blocking to resume.
    • Ability to disable the product from a specific internet connection.
    • Initiate upgrade from Lumen Defender Essentials to Lumen Defender Plus.
    • Download records via CSV or print interface.


  • For Lumen Defender Plus Customers, the administrators have the following additional capabilities:
    • Modify the monitor, block and allow list for a particular IP (but only those viewed within display)
    • Modify alert notification policies, including enabling SMS alert capabilities
    • Downgrade from Lumen Defender Plus to Lumen Defender Essentials


  • For Lumen Defender Plus Customers, the analyst has the following capabilities:
    • Modify the monitor, block and allow list for a particular IP address (for those IP addresses viewable within the display)
    • Modify alert notification policies


  • For Lumen Defender Plus Customers, the read‑only role has the following capabilities:
    • Download records


  • 1.4 Disconnecting Lumen Defender.

Disconnecting Lumen Defender from a specific internet connection (or “Service ID”) will result in the inability to access Lumen Defender threat configurations, reporting, and settings that are available within the Portal and related to that Service ID. If the Service ID being disconnected is the only Service ID associated with Lumen Defender, Customer will also lose access to the Lumen Defender Portal.


If Customer is downgrading Lumen Defender Plus to Essentials, all threat information and settings (e.g., custom lists, alerts and notifications) associated with Lumen Defender Plus will no longer be available to view or download. Customers must download all applicable reports prior to any downgrades or disconnects in order to retain any threat information available within the Portal.


  • 2.0 Customer Responsibilities.

Customer will provide a point of contact for the order. The point of contact will also serve as the ordering contact and will be designated as the Administrator in the Portal. For Lumen Defender Essentials, only Severe Risk Level threats are blocked. Customer may view threats from a different threat category, but Customer is solely responsible for blocking threats from other threat categories in accordance with Customer’s own security policies. For Lumen Defender Plus, Customer may experience additional latency depending on the threat source origination.


  • 2.1 Change Request & Records Retention.

Customer is responsible for downloading all applicable reports related to available threat information prior to downgrading Service Tiers or disconnecting Service. Lumen will not maintain nor have access to Customer records immediately upon downgrading or disconnecting Service. Only the Lumen Defender designated administrator will be able to perform this action.


  • If Customer downgrades from Plus to Essentials, or if Service is disconnected:
    • Customer will not be able to view previously identified threats.
    • There will be downtime between disconnecting a Service Tier and activating a new Service Tier during which time the applicable internet connection will not be protected by Lumen Defender. Customer will not have access to customized threat alerting or text notifications during the downgrade process. Once the downgrade or disconnect order is submitted by the Customer, the applicable records and settings will no longer be available. Customer is solely responsible for backing up all relevant data.


  • 3. Definitions.

Monitor mode: Threats are displayed in the Portal as view‑only. The proactive blocking feature is disabled. Customer is solely responsible for initiating blocking activities.


Threat Risk Levels: Categorization of risk assigned by Lumen based on Severity of a threat and the Confidence in the fidelity of the information provided for that threat. Threat Risk Levels can be Low, Medium, High, Very High, or Severe.


| Threat Risk Level | Description |
|---|---|
| Low | Threat poses a small degree of risk |
| Medium | Threat poses a moderate degree of risk |
| High | Threat poses a high degree of risk |
| Very High | Threat poses a very high degree of risk |
| Severe | Threat poses a severe degree of risk |



Asset: the IP Address(es) of Customer and associated with a Service ID. Only identified Assets are in scope for Lumen Defender.


Severity: Based on categorization of a threat and Data Source. Categorization of threat is based upon activity a malicious host may be exhibiting.


Confidence: Metric based on how confident Lumen is that the IP Address is exhibiting the behavior of a specific Threat Category. Metrics are validated through observed activity using various types of automated or manual analysis.


Threat: An IP address that Lumen believes to be malicious and is included in Lumen Threat IP List.


Data Source: A feed of Reputation Data, either external or internal, that provides some reputation information about an entity on the Internet. External Threat sources typically emanate from a cyber defense organization that researches and tracks cyber threats globally. Internal sources are typically algorithms developed by the ATI Threat Research Team to track and confirm new cyber threats.


Reputation Data: Any information associated with an entity (IP, domain) on the public Internet. This data can be threat‑based, positive, or neutral and is used to compute the overall Risk Score of an entity.


Threat Categories

| Threat Category | Description |
|---|---|
| C2 | C2 is shorthand for “command and control”. Each botnet has C2 entities that manage the activities of the botnet. |
| Attack | Entities attempting to penetrate the peripheral defenses of an enterprise typically use “dictionary” attacks to crack passwords on publicly addressable assets. |
| Bot | Entities that have been compromised to participate in the activities of a botnet. |
| Malware | Entities that distribute malware for the purpose of compromising assets to gain access to intellectual property. |
| Phish | Entities that proliferate communications for the purpose of collecting credentials to valuable assets. Phishing can use email, phone calls, text, IM and other vectors for this purpose. |
| Reflector | A host with an open service, often UDP‑based, with the intent to commit DoS attacks. |
| Scan | Entities that probe the peripheral defenses of an enterprise for the purpose of discovering accessibility, typically pinholes in firewalls. |
| Spam | Entities that distribute communications for the purpose of attracting attention to services that are generally considered irrelevant to the business of the enterprise targeted. |
| Anonymous Proxy | Also known as “Proxy” or “TOR (The Onion Router).” Adversaries typically attempt to obfuscate their presence on the internet by positioning behind an anonymous proxy service. |

