In today's threat landscape, cyber attacks are evolving faster than most organizations can respond. From zero-day vulnerabilities to sophisticated multi-stage attacks, the gap between threat discovery and defense deployment has become a critical vulnerability in itself. That's where organizations like Cisco Talos come in—serving as an early warning system that turns raw threat data into actionable intelligence. Understanding what threat intelligence teams do and how to leverage their research is no longer optional for security-conscious enterprises; it's essential infrastructure.

What This Episode Covers

  • The mission and core functions of Cisco Talos threat intelligence group
  • How threat research translates into protection for enterprise networks
  • The vulnerability management lifecycle and patch coordination
  • Security advisories: their role in keeping organizations informed
  • Incident response services and breach containment strategies
  • The broader importance of threat intelligence in modern security operations
  • How organizations can leverage threat intelligence in their own defense strategies

Deep Dive

Understanding Cisco Talos: The Eyes and Ears of the Security Community

Cisco Talos operates as a dedicated threat intelligence organization within one of the world’s largest networking and security companies. But their impact extends far beyond Cisco’s own customer base. Talos functions as a public-facing security research team that publishes findings, maintains threat databases, and contributes to the broader security community’s understanding of emerging threats.

The organization’s legitimacy comes from scale and perspective. Talos monitors traffic and threat activity across millions of endpoints, networks, and security appliances globally. This vantage point allows them to detect patterns that isolated organizations might miss entirely. When a new malware variant appears in one region, Talos can correlate it with similar activity elsewhere, building a comprehensive picture of threat campaigns that might otherwise appear unrelated.

What makes Talos particularly valuable is their commitment to transparency. They regularly publish detailed threat research, including technical analyses of malware, vulnerability exploits, and attack methodologies. This public-facing research serves both as a service to the security community and as a validation mechanism—peers can review, test, and validate findings independently.

Threat Research: Investigating the Unknown

At the heart of Talos’s mission is threat research—the systematic investigation of new and emerging cyber threats. This isn’t a reactive exercise; it’s proactive intelligence gathering aimed at understanding threat actors’ capabilities, motivations, and methods before they cause widespread damage.

Threat researchers at Talos analyze malware samples to understand their behavior, purpose, and potential impact. They study attack techniques to identify patterns and predict where threats might strike next. They investigate vulnerability exploits to understand how attackers weaponize weaknesses in software and systems. This work requires deep technical expertise in reverse engineering, network analysis, malware behavior, and vulnerability assessment.

In practice, when a new malware sample emerges, Talos researchers will execute it in controlled environments, document its actions, identify any command-and-control infrastructure it communicates with, and determine what systems it targets. If the malware appears to be part of a larger campaign, researchers will correlate it with other indicators of compromise to build a complete picture of the attack. This analysis might reveal which organizations are being targeted, what data is at risk, and what defensive measures are most effective.

The challenge in modern threat research is volume and sophistication. Attackers continuously iterate on their methods, making small variations to evade detection. Legitimate security researchers must stay ahead of these changes, often spending weeks analyzing a single sophisticated threat. Additionally, the rise of polymorphic malware—code that changes itself with each infection—means researchers must understand underlying attack logic rather than relying on signature-based analysis.

Threat Intelligence: Turning Analysis into Action

While threat research is about understanding threats, threat intelligence is about operationalizing that understanding. Threat intelligence is the processed, analyzed information that helps organizations make informed security decisions.

Talos collects raw data from multiple sources: malware samples, network traffic, vulnerability disclosures, dark web monitoring, and partnerships with other organizations. They analyze this data to identify threat actors, attribute attacks to specific groups, predict likely targets, and recommend mitigations. This intelligence is then packaged into digestible formats and distributed to Cisco customers and the broader security community.

Effective threat intelligence answers critical questions: What threats should we be most concerned about? Which vulnerabilities are being actively exploited? What indicators of compromise should we monitor for? What has worked against similar threats in the past?

In practice, an organization might receive intelligence indicating that a specific threat group is targeting companies in their industry. This intelligence would include technical indicators (IP addresses, domains, malware hashes) they can feed into their security tools, behavioral patterns they can watch for, and recommended detection techniques. Armed with this information, they can proactively harden their defenses rather than waiting to be compromised.

The challenge is relevance and timeliness. A massive intelligence report covering hundreds of threat actors is less useful than a targeted briefing on the three groups most likely to attack your organization. Additionally, threat intelligence expires—indicators become stale, threat actors change tactics, and yesterday’s intelligence can become misleading. Organizations need intelligence that’s not just accurate but current.
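The consumption step described above (feeding indicators into detection tools and retiring them once they go stale) is easy to describe and easy to get wrong. The following is an added example, not code from the original page or from Talos: it loads a constructed indicator feed with per-indicator lifetimes, drops anything that has expired, and matches the remainder against a few constructed key=value log lines. It goes slightly beyond the text by accepting CIDR ranges for IP indicators and treating subdomains of a flagged domain as hits; the feed values, log lines, field names and TTLs are all assumptions.

```python
"""IoC matching with indicator expiry. Added example; all feed entries and log
lines below are constructed placeholders, not real indicators from any vendor."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import re


@dataclass(frozen=True)
class Indicator:
    kind: str          # "ip" (single address or CIDR), "domain", or "sha256"
    value: str
    first_seen: datetime
    ttl_days: int      # how long after first_seen the indicator stays active

    def active_at(self, now: datetime) -> bool:
        # Not yet seen or already expired indicators must not raise alerts.
        return self.first_seen <= now < self.first_seen + timedelta(days=self.ttl_days)


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample feed (documentation-range addresses and a dummy hash).
FEED = [
    Indicator("ip", "203.0.113.0/24", _utc(2024, 2, 1), 30),
    Indicator("domain", "update-check.example", _utc(2024, 2, 10), 60),
    Indicator("sha256", "a" * 64, _utc(2023, 6, 1), 90),   # expired well before Feb 2024
]

# Constructed sample log lines in a simple "timestamp k=v k=v" format.
LOG_LINES = [
    "2024-02-21T09:14:02Z action=allow src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443",
    "2024-02-21T09:15:10Z action=dns src=10.0.0.5 qname=CDN.update-check.example.",
    "2024-02-21T09:16:33Z action=exec host=ws-17 sha256=" + "A" * 64,
    "2024-02-21T09:17:00Z action=allow src=10.0.0.6 dst=198.51.100.20 proto=tcp dport=80",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'ts k=v k=v' into a dict; the leading timestamp is stored under 'ts'."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def _norm_domain(name: str) -> str:
    return name.lower().rstrip(".")


def indicator_hits(fields: dict, ind: Indicator) -> bool:
    """Does a parsed log line contain the indicator? Matching depends on the kind."""
    if ind.kind == "ip":
        net = ipaddress.ip_network(ind.value, strict=False)
        return any(ipaddress.ip_address(fields[k]) in net
                   for k in ("src", "dst") if k in fields)
    if ind.kind == "domain":
        q = _norm_domain(fields.get("qname", ""))
        d = _norm_domain(ind.value)
        return q == d or q.endswith("." + d)   # subdomains of a flagged domain count
    if ind.kind == "sha256":
        return fields.get("sha256", "").lower() == ind.value.lower()
    return False


def scan(log_lines, feed, now: datetime):
    """Return (line index, kind, value) for every hit against indicators active at `now`.
    Expired indicators are filtered out first so stale intelligence cannot alert."""
    active = [i for i in feed if i.active_at(now)]
    matches = []
    for idx, line in enumerate(log_lines):
        fields = parse_line(line)
        for ind in active:
            if indicator_hits(fields, ind):
                matches.append((idx, ind.kind, ind.value))
    return matches


if __name__ == "__main__":
    for hit in scan(LOG_LINES, FEED, _utc(2024, 2, 21)):
        print(hit)
```

Run at a date inside the lifetime of the first two indicators, the IP and domain lines fire and the line carrying the long-expired hash stays silent; run at a date in mid-2023, only the hash indicator is live and only that line fires. Tying every indicator to a first-seen date and a TTL is the simplest way to enforce the point that intelligence expires.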

Vulnerability Management: The Systematic Approach to Risk

Vulnerabilities are the entry points attackers use to breach networks. Vulnerability management is the process of systematically identifying, evaluating, treating, and reporting on software vulnerabilities—with the goal of reducing risk to an acceptable level.

Talos’s role in vulnerability management is multifaceted. They track vulnerabilities across Cisco’s product portfolio, work with researchers who discover them, and coordinate the disclosure process. When a vulnerability is discovered in a Cisco product, Talos determines its severity, designs fixes, tests patches, and helps coordinate release timing to maximize adoption while giving attackers minimal time to weaponize the flaw.

In practice, vulnerability management follows a structured lifecycle. First, a vulnerability is discovered—either by Cisco security researchers, external researchers, or attackers. The organization must quickly determine what systems are affected, how exploitable the vulnerability is, and how much risk it poses. They then develop a fix, test it thoroughly, release it, and track adoption across customer installations.

One critical aspect Talos manages is responsible disclosure. When external researchers discover vulnerabilities, Talos works with them to allow reasonable time for patches to be developed and distributed before public disclosure. This balanced approach—transparency for the security community while protecting customers from premature exposure—requires careful coordination and timing.

The real-world challenge is that patching at enterprise scale is complex. A patch that fixes one vulnerability might introduce new issues. Older systems might not be compatible with patches. Emergency patches must be prioritized over routine updates. Organizations must balance security improvements against operational stability, and Talos helps by providing clear guidance on which vulnerabilities pose the greatest risk.

Security Advisories: Communicating Risk and Mitigation

Security advisories are formal communications about known vulnerabilities and their fixes. They’re how Talos keeps the broader security community informed about threats and solutions.

A well-crafted security advisory provides the context needed to understand and respond to a vulnerability. It typically includes technical details about what the vulnerability is and how it works, which products and versions are affected, what an attacker could do if they exploited it, and detailed steps for remediation. The advisory also often includes information about available mitigations for customers who can’t immediately patch.

The format and content of security advisories matter significantly. An advisory that’s too technical might be ignored by busy security teams. One that’s too vague won’t provide sufficient guidance for remediation. Talos balances these concerns by providing clear severity ratings (often using the CVSS—Common Vulnerability Scoring System), explicit statements about exploitability, and prioritized remediation guidance.

In practice, when a critical advisory is released, security teams must quickly determine whether they’re affected, prioritize patching based on risk, and deploy fixes across their environment. Talos’s advisories help them make these decisions confidently by providing comprehensive context and clear recommendations.

Incident Response: When Detection Isn’t Enough

Despite preventive measures, breaches happen. When they do, incident response—the coordinated effort to detect, contain, and recover from security incidents—becomes critical.

Talos provides incident response services to Cisco customers who’ve been compromised. This involves deploying specialized expertise to the affected organization, helping to identify what systems were accessed, what data was compromised, how the attacker got in, and what steps are needed to contain the threat and prevent recurrence.

In practice, incident response is a high-stakes, high-pressure activity. Attackers may still be active in the compromised network. Data may be exfiltrating. The organization must remain operational while investigation occurs. Talos responds with experienced responders who bring knowledge of common attack patterns, tools that attackers commonly use, and methods for identifying attacker presence in complex environments.

The challenge is that every incident is unique. The initial infection vector that worked against one company might have been patched at another. Attackers adapt tactics based on detected defenses. And while organizations need to investigate thoroughly, they also need to recover quickly. Talos’s experience across many incidents helps them quickly identify the most likely root causes and remediation strategies.

Implementation Considerations

For organizations looking to leverage threat intelligence in their security operations, several practical considerations apply:

Establish Clear Intelligence Consumption Processes. Threat intelligence is only valuable if it’s actually used. Designate a team responsible for receiving intelligence, evaluating its relevance to your organization, and distributing it to appropriate teams. Create workflows for how indicators of compromise get fed into detection tools and how behavioral intelligence translates into detection rules.

Integrate Multiple Intelligence Sources. While Cisco Talos is valuable, it shouldn’t be your only source. Supplement with industry-specific intelligence (from ISACs or industry associations), open-source intelligence communities, and vendor threat research from other reputable security organizations. Cross-reference intelligence from multiple sources to validate findings. Platforms like XDR can help correlate threat intelligence across multiple security domains.

Prioritize Vulnerability Management Infrastructure. Implement systems to track your installed software, monitor vulnerability disclosures relevant to your environment, and manage patch deployment. Modern vulnerability management platforms can correlate installed software with known vulnerabilities, threat intelligence about active exploitation, and patch availability to help prioritize what to fix first.
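The correlation just described (installed software against advisories, with CVSS severity, active-exploitation intelligence and patch availability deciding what to fix first) can be sketched in a few dozen lines. This is an added example, not code from the page, from Talos or from any vulnerability management product: the advisory identifiers, products, versions and the weighting of the extra factors are all assumptions, while the severity bands follow the CVSS v3 qualitative rating scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).

```python
"""Correlate an asset inventory with advisories and rank what to fix first.
Added example with constructed data; the scoring weights are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # placeholder identifier, not a real advisory number
    product: str
    fixed_in: str            # first version containing the fix; lower versions are affected
    cvss: float              # CVSS base score, 0.0-10.0
    exploited_in_wild: bool  # threat intelligence reports active exploitation
    patch_available: bool


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


# Constructed sample data.
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "router-os", "4.2.1", 9.8, True, True),
    Advisory("ADV-PLACEHOLDER-2", "router-os", "4.3.0", 5.3, False, True),
    Advisory("ADV-PLACEHOLDER-3", "vpn-gateway", "2.0.0", 7.5, True, False),
]
INVENTORY = [
    Asset("edge-fw-1", "router-os", "4.1.9", True),
    Asset("core-sw-2", "router-os", "4.2.5", False),
    Asset("vpn-1", "vpn-gateway", "1.8.2", True),
]


def parse_version(v: str) -> tuple:
    """Dotted numeric versions compare correctly as integer tuples ("4.10" > "4.9")."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and parse_version(asset.version) < parse_version(adv.fixed_in)


def cvss_severity(score: float) -> str:
    """CVSS v3 qualitative rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_score(asset: Asset, adv: Advisory) -> float:
    """CVSS base score raised by context. The bonuses are assumed weights:
    active exploitation matters more than exposure, and both outrank raw CVSS ties."""
    score = adv.cvss
    if adv.exploited_in_wild:
        score += 3.0
    if asset.internet_facing:
        score += 1.5
    return round(score, 1)


def prioritize(inventory, advisories):
    """Return findings sorted by descending priority. Each finding carries the action:
    patch when a fix exists, otherwise apply the advisory's mitigations and track."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            action = "patch" if adv.patch_available else "mitigate (no patch yet)"
            findings.append({
                "host": asset.host,
                "advisory": adv.advisory_id,
                "score": priority_score(asset, adv),
                "severity": cvss_severity(adv.cvss),
                "action": action,
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES):
        print(f"{f['score']:5.1f}  {f['severity']:8s} {f['host']:10s} {f['advisory']}  {f['action']}")
```

The ordering is the point: an internet-facing device with an actively exploited Critical advisory comes first, an unpatchable but exploited High on an exposed gateway comes second with a "mitigate" action rather than "patch", and the Medium findings trail. A real platform would pull the inventory from an agent or CMDB and the exploitation flag from a threat intelligence feed, but the decision logic is the same.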

Develop Incident Response Capabilities. Pair threat intelligence with endpoint detection and response tools. Determine whether you’ll maintain incident response expertise in-house, contract with a managed security service provider, or establish relationships with incident response firms that can be engaged when needed. Even if you contract externally, your team should understand incident response fundamentals.

Stay Current on Threat Landscape Changes. Subscribe to relevant threat briefings, attend security conferences, and maintain connections with the security community. The threat landscape changes continuously, and what’s critical today might be obsolete in six months.

Key Takeaways

  • Threat intelligence is foundational infrastructure for modern security operations, not optional for organizations serious about defense.
  • Talos’s research extends beyond Cisco products, contributing valuable public-facing threat analysis that benefits the entire security community.
  • Vulnerability management requires systematic processes, not just ad-hoc patching, to effectively reduce organizational risk.
  • Security advisories provide the intelligence context needed to prioritize patching and remediation efforts across complex environments.
  • Incident response expertise, whether in-house or contracted, is essential because prevention alone is insufficient for complete risk management.
  • Effective threat intelligence use requires organizational process, not just access to reports—intelligence must be actively consumed and operationalized.
  • Threat intelligence timelines matter critically—intelligence must be current and relevant to your organization to drive defensible decisions.

Why This Matters

The security landscape has fundamentally shifted. Organizations can no longer rely solely on perimeter defense and signature-based detection. A zero trust approach is increasingly essential. Modern threat actors—from financially motivated cybercriminals to nation-state groups—are sophisticated, well-resourced, and persistent. They’re continuously developing new techniques, finding new vulnerabilities, and adapting to defensive measures. In this environment, organizations that wait until they’re attacked to understand threats are already behind.

Threat intelligence organizations like Talos level the playing field by bringing specialized expertise, global threat visibility, and rigorous research to organizations that couldn’t possibly develop these capabilities independently. They provide early warning about emerging threats, actionable guidance on protection, and expert assistance when things go wrong. Understanding how these organizations work and how to effectively use the intelligence they produce has become a critical competency for security professionals.

For IT professionals and network engineers, this means building relationships with trusted intelligence sources, integrating intelligence consumption into regular processes, and using intelligence to inform both strategic risk management decisions and tactical day-to-day operations. For cybersecurity practitioners, it means understanding that security isn’t just about deploying tools—it’s about making informed decisions based on the best available intelligence about what threats are most likely to target your organization and what defensive measures have proven most effective against them.

---

Listen to the full episode on [YouTube](https://youtube.com/@SecurityIn45) or subscribe via [RSS](https://media.rss.com/security-in-45/feed.xml).

Full Transcript


Welcome everybody to the latest episode of Security in 45. Today is Wednesday, February 21st. Today’s topic is Cisco Talos. And Andres, I’ve been looking forward to this conversation for many months.

The Talos organization is very intriguing. In my simplistic mind, I kind of think of them as like a bunch of like James Bond type people all working together, doing all this cool stuff that we just hear about. You know, kind of the backbone for Cisco’s security products and is what definitely keeps so much of our industry secure from businesses, the banks, governments, schools, our home networks. Yeah, yeah.

And very excited to be here actually do have a few notes. So we know and from what we know is that Talos is the largest commercial threat intelligence team in the world. So if guys, if I get any of this wrong, let me know. What one of the largest in the world.

One of the, oh, okay, okay. Yeah, I didn’t read that one. And we know it is full of world class data scientists, researchers, analysts, engineers, and you know, it’s a very, very close group for, you know, what we’ve seen so far. So main idea of Talos is just to keep us safe from both existing and emerging threats.

So that is super exciting to hear about. And the other thing to mention is from a Cisco’s perspective, you guys are the underlying security intelligence behind all Cisco security ecosystem. So this is gonna be really exciting. You know, it’s a, you know, we talk about multiple security products here in the show and just ready to hear more about it, Mike.

Yeah, for me, you know, a security solution is only gonna be as good as the intelligence source that it’s learning from. Sound security solutions, we need accurate threat identification. We need patches and details about these threats. And we need them before the attack happens on our own network.

Now today we are super fortunate and excited to have two Talos engineers on the show with us here, Joe Marshall and Martin Lee. Thank you so much for taking the time to be here with us today. We are very excited to have you guys on this conversation. Now let’s kick it off and Joe, we’ll go straight to you here.

Maybe I think the audience would love to hear a little introduction about yourself, maybe your background and what you do at Talos. Yeah, I do wanna make an early clarification with what Martin and Andre said. We’re one of the largest, but we’re for sure the most handsome security researchers in all of the world. We have no peers.

We’re devastatingly attractive people, all of us. All right, so my background, how did I get started? All that fun stuff. So I’ve been with Talos eight and a half years now.

I originally came from the DOD contractor and power utility space. And I was brought in to build the first hardware reverse engineering team inside of Talos for taking apart smart meters and other things that you would see on the side of a house or on a truck or on a train. And I would do that for about three years and then I would transition into sort of the current team that I am now where I get to take that threat research and continue to do threat research to talk to our communities and our constituents and our customers about what it is that we do inside of Talos every single day, which is fight the bad guys. And it’s such a vast swath of things.

It’s not just any one individual thing that it’s almost really tough to zero in. For instance, prior to this call, I was talking to a community of interest for transportation security. Two days ago or a day ago, I should say I was talking to a medical sector. So like there’s so many different areas and all of these are related to like a Cisco account team usually.

And so we’re there to assist them, make them look smart and give our customers, constituents, communities, whomever it happens to be that we’re speaking to, just, I don’t know, a better security vocabulary, understand the threats and what we’re doing to punch those bad guys right in the face. My background and how I got started, it’s really weird with cybersecurity. I come from an operations background. So I was an IT guy, I had my MCSE.

I was just doing sort of run of the mill, sys admin stuff. And when you do it for a really security conscious organization, you really start to realize you’re really a cybersecurity practitioner, even if it’s not in your title. So when I would separate from that and I would go on to the more private sector stuff, I was an all but native cybersecurity professional. And then I just needed to get the title to actually represent that, which I think is that they’re basically saying everyone’s in cybersecurity, no matter where you are, where you work, personal or professional, we’re all in this together.

So yeah, that’s about it for me. I kick it over to Martin, who’s got a much more interesting background than I do. Yes, yeah. So I’m in cybersecurity by accident, really through no great design.

I started out my career as a human viral geneticist. And then I discovered the early internet. So I thought this, this is what I’m gonna do with my life. So I dropped all ambitions of finding a cure for cancer and stuff like that.

And then jumped into the world of IT, rose during the .com boom, which was awesome, crashed during the .com crash. And then this job came up writing spam filters. And this was even before spam was a thing. And I thought, well, hang on, this is just a pattern matching thing.

And I knew how to do that through my work working on virus DNA of how to identify patterns and measure homology. And so I got that job, which is now 21 years ago, actually, I believe it’s 21 years ago, this very week that I started. And then looking at these very, very early cyber attacks, and we started distinguishing between, we were getting lots of sort of normal attacks, and then we’d start getting some really, really rare and very, very interesting ones going against some of our customers, not all of the customers, only a small subset. And then we’re trying to work out, well, what’s going on here?

Why are we getting all these attacks over here? And we’re getting these things that are really, really different over there. And trying to work out what was happening, who were the bad guys, what it is that they’re doing. And then over the years, spending more time at that, how do we work out what’s happening in the threat landscape?

What kind of attacks are we seeing? Why are we seeing them? How do we detect and block those? And then most important, talking to customers about what it is that you need to do to protect yourself against these.

So I’ve been now with Cisco for 10 years. I wrote a book. So when I started out in threat intelligence, I didn’t even know what I was doing was called cyber threat intelligence. And I tried to find a textbook that would tell me how to do it.

Never found what it was that I wanted. So last year, basically, I sat down and I wrote that textbook, the book that I wanted to find when I started out in the domain. And ultimately, that’s what brought me where I am today. So basically, it’s about working out what the bad guys are up to, what are the differences, how the threat landscape is changing, and then making sure that people are aware of that and know how to protect themselves.

Hey, Martin, you’ve been doing this 21 years, dude. That’s crazy. What was Moses like? Was he cool?

Oh, yeah, no, he was a great guy. He was really interested in cyber attacks. I don’t know if you’ve heard about the burning bush malware, but wow. Oh, no, that’s wild, man.

Thought to be a false flag and an insider job, but yeah, awesome. Actually, interestingly, he was the guy, the first guy, the VPN tunnel that he managed to do the parting of the way VPN travel, tunnel, so you could just tunnel through contested waters. Awesome guy. I knew VPNs were an older technology.

I knew it. Wow, fascinating backgrounds, Martin. I bet you find a lot of similarities between the genetics part and honestly, threat hunting, putting pieces of the puzzle together. I find the similarities a lot in public health and the analogy that I use, we’re living in another industrial revolution.

We’re living in the digital revolution in the same way that the industrial revolution changed everything through the 18th and 19th centuries and led to all sorts of problems like cholera and disease and all these things that we didn’t have before. The physicians at the time developed models to actually try and map all of these problems and understand what was happening, even though they didn’t know that germ theory of disease didn’t exist, they didn’t know what they were dealing with, but they could analyze it and start piecing together bits of the puzzle to understand what’s happening and how do we protect people. And I really feel that we’ve got to use the same approach now that in this digital revolution that we’re living in, suddenly there’s all these advantages from digital technologies, but there’s problems as well, such as cyber insecurity and attacks. And really it’s for ourselves and other similar organizations to start piecing those bits together, understanding what’s happening, trying to work out where do we need to act in order to stop these problems and what information can we give to people and organizations to actually protect themselves and make sure they don’t come down with a breach or an incursion.

But yeah, there’s a lot of similarities. Interesting. And Joe, with the meter, I mean, talk about the ultimate BYOD device. Like can Cisco ISE detect if you bring a meter on?

I don’t know, actually. My inclination is probably not because they’re in a really unique ecosystem for what’s called AMI, advanced metering infrastructure. It’s more cellular, to be honest. So maybe if a product support specialist could tell me otherwise, I’d be kind of curious about that.

Yeah, well, the- The question I have is how much do you pay on power and electricity in your house if you have a hack one already? No, no. So first, I’m legally required to say that I pay all my power bills on time with the diligence required as a law-abiding citizen of this country. When I first started working for the power company, my mom asked me, she’s like, I mean, you get free power now?

And I went, no, mom, I still have to pay my power bills. I don’t get anything for free. If anything, I’m paying myself now because I pay my power bills. So yeah.

I wrote a whole chapter on ethics in this damn book. I’ve had people criticize on Amazon reviews that I wasted a chapter writing about ethics. No, no, no, no, no. Ethics is a key part of cybersecurity.

Yeah, yeah, we all pay for our electricity and utility bills. Yeah, we use our powers for good. That’s my story I’m sticking to. We have great responsibility.

Now, yeah, this is already off to a great start. And I’ll raise some love in this episode. Now, Joe, I’ll kick this over to you. Can you give, describe Talos to the audience, maybe those who are not familiar with what you guys generally do and what the organization does?

Yeah, sure. It’s a lot. We do a lot. So I need to take you back to hallowed antiquity if I really wanna get to the core nugget of what it is we do.

So there was a company in the late 90s called Sourcefire and they had written this TCP/IP inspection tool called Snort, invented by a guy named Marty Roesch. And a company was sort of formed around that core nucleus of this tool called Snort. And they would go on to sell firewalls and intrusion detection and prevention systems. And they would form this core hacker collective called the VRT, the vulnerability research team.

And both understanding adversary behaviors and then how their tools and products can protect. Cisco would acquire Sourcefire in 2014. So the VRT, which was about a core 50 people, migrated over and we rebranded as Talos. I came in right after the acquisition and I think I was like number 70 or 80 or something like that of like the people that had been added.

And if you take sort of the two separate areas of Talos as they exist now, we’re about 50% of the people 450 to 500 people globally. We’re on four different continents. We speak well over 30 languages amongst all of us. And we keep just about every security specialization you can think of under the sun is something somewhere that we do inside of Cisco Talos from malware analysis, reverse engineering of hardware, software vulnerabilities, threat intelligence in a more pure sense, like we’ve got trained linguists or they speak that language as a other English as a second language, they speak their native languages and they surf the dark web looking for malicious activity and for any kind of tips that we can get.

We’ve got a small platoon of just data scientists. We ingest about six petabytes of threat telemetry a day. So we have to think about how we are able to scrape that data then automate it to our customers to keep them protected. You know, the old Cisco saying, you know, see once protect everywhere is kind of like our mantra because if we see malicious URL in email, I need to know that our XDR solution is gonna catch that.

So on and so on. So we work tightly with our engineering folks. There’s so much that I’m leaving out, like just to deliver threat intelligence products to our customers, like here’s a report that we wrote. And I wanna note that we’re not fee for service.

So Martin and myself and the majority of my colleagues, we’re OPEX, we don’t bill our time to anything. They want us focused on stopping bad people. So we’re given the luxury of, in runway and to Cisco’s credit to be able to go, let’s just go find evil and stop it today, or let’s go find evil and then help make everyone smarter and safer about knowing what’s going on. I have to say, it’s just me speaking about my past experiences and this crazy career I’ve had, it’s been a privilege to really work here because you get exposed to things at such a high strata of importance that you’re just sometimes you’re flummoxed at just the enormity of the impact that your organization has, but the growth and the experiences you’re gonna accrue as a cybersecurity professional are very profound.

And yeah. Yeah, truly a great cause, the organization as a whole. I mean, just the concept of finding these threats, stopping bad things that are occurring, amazing. And like you said, see, yeah, the same see it once, stop it everywhere.

So as a general example, seeing malware somewhere and then I guess pushing it out so that everybody’s protected from that point is a large part of it. Yeah, so like, I mean, we’re talking about six petabytes of data. So we’re talking URL dispositions, reputation lookups, talking about emails. We’re talking about binaries, malware.

We’re talking about what I call pre-perimeter. So like DNS resolutions, A record resolutions like Umbrella, our product Umbrella. It’s kind of stem to stern and then all the way down to our firewalls where we have IDS or IDP running. So Snort, right?

And that permeates, we’re applicable because not every product uses every security Intel feed ingest to be able to say, and to give what I think the most important thing that any security operations center analyst, any director of a SOC wants, which is context, we stopped the bad thing. Here’s why you should care about this bad thing. If you care to know, right? And that context, like tying it to the MITRE framework, we stopped access was a prereconcerns or a lateral movement activity.

Here’s something to help you better understand this threat is really the core of what it is because six petabytes is a lot of data. Our data lake is massive because we’re a very big organization, Cisco and Talos. But I’ll give you a story. I was at RSA, gosh, five years ago, I guess.

And our Cisco, I had the pleasure of working at Cisco booths, anyone who’s coming by and talk about security, but across from us was another vendor’s booth. And they had this marquee going around the edge of their booth saying, we see one trillion signals a day. And I was like, A, that’s a big number, but B, also, what is a signal? And like, how do you even get to that number, right?

Like, did you just pick a number out of a hat? Like, what kind of marketing razzle-dazzle did you just sprinkle on that? And the context that I really took away from that was, when I went back to think about how we talk about it, numbers are just numbers. Whether it’s one or one trillion, if I can’t contextually tell you why that matters, then I’m not doing my job.

And we’re not giving you a quality product. So that’s just kind of what we think about a lot inside of Talos, how we interface with our customers and our communities and things like that. I’ve kind of rambled a little bit, you see where I’m going? Yep.

That was great. That actually, I was thinking about Batman when you said, just be the good guy and find the bad guys and punch them in the face. So I don’t know if any of you guys are Marvel or DC Comics fans just throwing out there. Yeah, no, it’s what we do, man.

I love it. That’s awesome. Awesome. So I do have the next question, and this was for you, Martin.

And it goes a lot with the book and everything that you were just showing to us a few minutes ago. But how does Talos, what’s the process, if you don’t mind going over, how do we detect threats and how do we identify those, if you don’t mind going over that? The key thing to think about is in this data lake, with all the visibility that we have as part of Cisco across the entire internet, it’s really, really difficult for the bad guys to do anything malicious that we don’t have a trace of somewhere. We will have somewhere in our telemetry the trace of the bad stuff that they’re doing.

And really, our game, if you wish, is to find what is actually happening in the threat landscape at the moment that’s really important. So we’ve got loads and loads of bad stuff in our data, traces of bad guys doing bad things. And the question is more, it’s not so much finding a needle in a haystack, it’s finding a needle in a pile of needles. We’ve got all of these traces.

The vast, vast majority of these traces are processed automatically. There’s no way that we can analyze the data manually. But within all of that bad stuff that we find, the trick really becomes identifying what’s different, what’s new, what is actually significant that we’re seeing now that’s different from yesterday or different from last week. And it’s that triage of identifying, OK, this thing here is different.

And that’s the stuff that we’ll then pass to an analyst to go and take apart in great detail to really understand what’s happening. And then from that, we can look at, OK, what do we need to change in order to detect this better? Do we just need a couple more signatures, or do we need to augment or change our protection in another way? So yeah, largely it’s about data analysis.

It’s about treating large numbers of things automatically and getting the machines to do the heavy work. But then also identifying what’s new, what’s important, what’s special, taking the time to understand that in detail. And then moving that security posture forward. Actually, one of the things that I hear sometimes and where I sort of see organizations going wrong is they have alerts on their firewall when they come through to their SOC.

And then what they’re trying to do is resolve every single one of these alerts. And their best analyst is the one that closes the most tickets in a day. And they’ll be ever so proud to say, my best analyst, he can close a ticket in 30 seconds. Wow, what a guy, what a guy.

And it’s like, do you know what? Don’t bother. Don’t bother. Find the most important alert that you’ve had today.

Spend a week working out what really, really happened here, what’s really going on. Learn from that and move your security posture forward so you never ever get that alert again, or you never have to worry about it. It’s really not a numbers game. It’s about identifying what’s important and then responding to that appropriately and moving the security posture forward, making the world a safer place, most importantly, making our customers safer, which is ultimately what we’re about.

The prioritization was one of the questions I had, and you just touched on that, because everyone listening here has huge amounts of, you know… Yeah, we’re all just flooded with alerts, with bad stuff, with bad stuff happening. You know, we’re up to our necks in bad stuff. Pick one thing.

Prioritize. Find that one thing that’s actually the worst thing or the most important thing or the most pressing thing. Fix it. And then you move forward a little bit, and it’s like you’re inching yourself out of that flood of threats, and little by little, you can move yourself forward.

Ultimately, we’ve got to make life difficult for the bad guys. You know, most of the bad stuff out there, it isn’t that difficult to detect if you’ve got the right protections in place. You know, make the easy stuff easy, and then the difficult stuff, the stuff that’s complex, where we’ve got a sophisticated threat actor, make life difficult for them. Make them have to work that little bit harder in the hope that either they’ll go and attack your competitors rather than you because they’ll think that you’re difficult, whereas maybe your competition are an easier target.

And also make it noisy so that you’ve got a better chance of actually noticing when something is going wrong, when there is an incursion. You know, making it difficult, making it noisy for the bad guys, reducing their return on investment. Make it a less profitable activity for them. But I imagine the behavioral base, like you were saying, what’s different today than there was yesterday, is that more difficult to detect than something signature-based where it’s like, this is just a known bad hash and we’re, you know…

If someone’s using the same malicious tools time and time and time again without any changing, wonderful, we can just write a signature and then we can consign those to history. In the real world, it doesn’t happen like that. Our best case scenario is they’re subtly changing their tools every single time, so it’s got a different hash value. So we have to look for indicators within a file, either in the static analysis or the dynamic analysis.

So something that… a test that we can ask it to distinguish between is this legitimate or is this illegitimate software? And ultimately, none of those tests can give you… Well, we’re very, very lucky if we find one that says, yes, absolutely, 100%, this is definitely bad, or yes, absolutely, 100%, this is definitely good, which basically becomes a signature.

Mostly we’re like, yeah, this is more likely to be bad than good, or yeah, it kind of looks a bit good, but… And then ultimately, you have to put all of those different tests together and look in the context to then decide, OK, this thing here, we’ve never seen it before, but all of the tests we’ve been able to ask it are saying, yeah, it really is looking pretty bad. No single test can give you that response, but many can. And then we can convict that and declare it bad.

Life becomes a little bit more difficult when the bad guys are using what’s called living-off-the-land binaries. So using the tools which are an integral part of your operating system to do bad stuff. And that really is where the sport is. How do we detect when someone is using an entirely legitimate tool maliciously, every time?

There are fingerprints. The analogy I use, at the scene of every crime, there are big, sticky fingerprints. It’s the same in cybercrime as well. Those fingerprints are there.

You just have to look for them. You have to know what they look like, know where you might find it, and know how you show them up. But this is what we do. And if you know how to do it, fingerprints are there every time.

Excellent. Excellent. Thank you, Martin. I’m learning so much on this one.

I know. Martin, I’m buying your book after this call. I’m buying the book. Yeah, absolutely.

Yeah, mate, go for it. It’s on Amazon. Joe, I think it would be interesting to hear if you could walk us through, just kind of high level, the process, just so I can have it straight in my mind: from discovering a threat, what Martin just said, to getting something published for that threat on, like, a Cisco firewall, for example. How does Talos find a threat in the wild and get us through the update patch?

And if you have an example of a real threat, that’d be really cool, I think. But I think that’d be interesting to hear. Yeah, so this is both science and an art. We actually, I think last year, maybe the year before, published The Art and Science of Detecting Cobalt Strike, which is an attack framework that exists, written by one of the most brilliant analysts that I know, a guy named Nick Mavis, who really, really chewed down to the bone the nuances of detecting beaconing and detecting things that our adversaries are going to utilize inside of a network.

And first and foremost, the thing that has to happen for, like, a Snort signature, or one of our IDS or IPS signatures, to work is, well, it has to traverse the network, right? So it has to move non-encrypted across the network, which a lot of stuff does. Then the thing we’re going to need is a proof of concept. So what is this bad thing trying to do?

So like, is it an SMB-based exploit? Is this a stack-based buffer overflow that we can catch traversing the network? Is this a weird URI that is a very, very specific thing that we can key on? And then we have to figure out how we’re going to craft the most optimal detection for it.

Snort’s open source. Anyone can learn Snort. Anyone can write a signature if they want. The levels of finesse and care and quality assurance we put into our detection are unreal.

Because A, we’re the experts in it. We invented it. But B, because it’s such a popular framework and such an easy, I think, ingest and use, and there’s great documentation for it, we actually spend a lot of our time looking at community rules. And maybe there’s something there we can abstract.

And maybe there’s something we can give them. To say you cannot reverse engineer a Snort rule and learn exactly what the exploit is, it doesn’t quite work that way. But it’s built upon a community that has shared knowledge over two and a half decades now, I guess, or nearly three decades. So once we have the proof of concept, then we need to figure out that optimal way to detection.

And there’s a lot of ways to write detection in Snort. But we want to write the most efficient thing that triggers on the most precise element of that exploit that we’re trying to catch going across the wire. And the reason for it is real simple: we’re working in a finite state of resources, say for a firewall or whatever is doing that detection. And if it has the inspectors turned on for a specific protocol, and it’s doing the process of parsing HTTP or whatever is traversing across that firewall, well, we need to be conscious of the resources inside that machine.

So if you were to turn on, and I don’t ever recommend you do this, if you were to turn on every Snort rule we’ve ever given you inside of our firewalls, congratulations, you’ve just got a very hot paperweight that you’ve just racked. Because it’s a fine example of shooting yourself in the foot, but also demonstrating that turning on all your inspectors and then looking at every single packet in a gazillion ways is just not efficient. So what you really want to do here is, we want to just be the best we can be while utilizing the most effective way. And it really is an art.

It absolutely is an art. I’ll give you a specific example like you asked for. I was at a conference and a really nasty vulnerability dropped, and I was with one of the guys that I had hired, a brilliant reverse engineer named Jared. And we didn’t have much to go on.

We knew that it was a thing. We knew the researcher who had announced the vulnerability. But what you typically see in this space is people will announce the bad thing and then give you no technical or forensic details around it. And you’re like, I can’t do anything without forensic details, right?

Well, we found a presentation this guy gave, and he didn’t list the entire attack chain, but he did list the hex string he used to exploit this device. I found it on a Slido competitor from five years prior. I took that string out, that hex string. I gave it to my guy.

He was actually able to write a Python environment and script it where that hex string would then pass across the wire unencrypted. And then we would get a Snort alert for that if anyone attempted to exploit that. It was a Siemens PLC, programmable logic controller. We were actually able to catch that.

But to do that, find it, quasi-weaponize it so we can detect it was just the ridiculous layers of reverse engineering we had to do to be able to craft that and to detect it. Detection, mind you. We were working completely separate. And this is an example of what an analyst, they might be given an absolute rotten potato of a proof of concept and very little data to go off of.

And they’ll have to figure out how to recreate that, get that into an environment, and then test the heck out of it. If it’s going to false positive a lot, so it’s going to trigger on legitimate traffic, it just might not be a good signature. And we’re going to have to bend it. We can’t keep it, right?

So we have to think about how do we do all of these things in the most sane way? We don’t err always on the side of detection because we have to think about our customers, the customer experience. And are they getting the best possible product for our detection every single time they enable a signature? Yeah.

That was crazy. A lot of detail on that one. Yes. Yeah.

Actually, hold on. Hold on. Hold on. I have my notes here.

So that was crazy detail. I just want to say that the process that goes behind it, I think, doesn’t get talked too much about. And that was really good. I appreciate the level of detail.

I know the people that come to our webinar is highly technical. And this is something that they will appreciate as well. It’s wild, the example, just finding that hex string. And what you said is from like five years ago on some PowerPoint slide, man.

Dude, we got so lucky that I found that. Because I looked at it, and I’m like, this is Greek to me. And the guy that I brought with me for this conference looks at me and goes, I think I can do this. And because we hire just some smart, smart hackers inside of Talos, he had that thing literally in a Python script simulating network traffic and a signature written within an hour.

And I’m like, that was one of those hires when I hired the guy. I’m like, high five, Joe. You did a good job. Yes.

Yeah. So I was like, yeah, this was awesome. But we just got very lucky. So a good example would be, let’s say, the manufacturer of this meter.

Who made this meter? I don’t remember. I don’t want to out anybody. Landis+Gyr.

Landis+Gyr makes this meter. Let’s say a bad vulnerability, a zero day, something really nasty drops. They’re not going to give you the complete forensic details, but they will say, you should probably go patch your device because this is bad. That doesn’t help us in Talos because we need technical specificity to make sure our customers, our communities, our open source communities, and our customers are protected.

So there’s sometimes you’re just going to catch an L and you’re going to be like, without any details, I can’t do this. We do have information sharing agreements all enshrined legally in NDAs that lets us swap information with others to make sure that we can get the technical details. Sometimes you just strike out. There’s no guarantees you’re going to find that information.

And it can be pretty frustrating, unfortunately. But that’s basically how it kind of works. Yeah. Fascinating.

Yeah. And I’m going to jump right into another question that I have right here. And this one’s for you, Martin. Incident response.

This is in the minds of all our customers and everybody that is in the show. And more likely into the reactive scenarios, let’s take, for example, a quick example about what we see in incident response, reactive services. What do we do from the Talos perspective? And if you don’t mind talking a little bit about that, that would be awesome.

The Talos incident response retainer is basically where the customers buy a certain number of our analysts’ hours. And you can save up these hours for a rainy day when you have an incident, when you have an emergency. The trick, really, and I’ll bypass your question a little bit, the best thing that can happen is that you don’t ever have an incident. And what you can do is you can use these hours for our proactive services, where you can talk to our analysts who will help you or test your systems to make sure that you’re in a very, very good position and you’re less likely to experience an incident.

If you do experience an incident, you’ve got those hours on hand that you can use to talk with our analysts. They can take charge of the incident because for the customers experiencing the incident, ideally, this should be a once in a career event. You’re having a breach, having something go wrong. This is going to happen to you once in your career.

For our analysts, for our incident response analysts, this is what we do every day of the year. So our analysts know exactly what to do, exactly how to respond, exactly where to find the bad guy, exactly how to kick them out. So for the reactive services, you call on the help of our analysts. They will come in.

They’ll resolve the incident, find where the bad guy is, kick them out, tell you what happened, and then also harden the system so the bad guy can’t come in. We’re used to working with any kind of environment. I mean, it would be lovely if everyone bought only Cisco gear. The reality is, no, people are buying from other vendors.

But that’s absolutely fine. We’re used to working in these heterogeneous environments where there’s all sorts of tools, all sorts of systems, for all sorts of different vendors. We’ll come in, resolve the situation, identify what’s happened, kick the bad guy out, and remediate your systems, and then harden them so the bad guy doesn’t come back. This is what our responsive services are all about.

But I think, I mean, to anyone on the call, really the ones to look for are the proactive services. You know, you want to minimize the number of emergencies you have, and you can use the hours that you’re buying for the retainer for those proactive services, which is going to make those emergencies less likely. That’s awesome. That’s good.

I mean, we see customers call every day, Mike, right? That they have questions about this. This really helps understand what really is that we’re talking about. That’s so true about the proactive services, Martin.

You can prevent getting to the point of the emergency. Like I said, that’s great. And I guess, Martin, would that be some of the tabletop exercises and the telestill? Yeah, absolutely.

Yeah, the tabletop, so working through what a bad guy’s likely to do and how you would respond to that. We can also check your playbooks, so the procedures that you have ready for a bad day. You know, how are you going to detect if there’s a breach? You know, the bad guy’s not necessarily going to tell you.

How are you going to detect if there’s a breach or you have an incursion? What are you going to do when that happens? How do you respond? What other groups do you need to do to involve?

For our incident response analysts, this is what they do. They’ve seen it all. So they can help the customers. One, I mean, it might really help to say, actually, do you know what?

These incident response procedures that you’ve got here, this is as good as it gets. You know, you guys are doing really, really well. Or working through it and say, OK, you know, all of your coordination is built around email. This is great.

What happens if the bad guy hits your email server? And you can no longer send and receive email? Do you have a backup? What else are you going to do?

This is the kind of scenarios that we’ve come across. We can use that knowledge of real world examples, helping the customers, working it through, improving their posture. I think a very good way to think of it is like the fire service. You know, if you’ve got a fire actually happening now in your office, of course, here, you’re going to call the fire service.

They’re going to rush around. They’re going to put the fire out. What you really want to do is talk to your fire prevention services before then and start talking about, you know, do you have the fire extinguishers? Where are the fire extinguishers?

Have you tested them? You know, are they suitable fire extinguishers for all the stuff that you’re working with? Do you have a fire alarm? Do you practice?

Do you have rehearsals? Do you have a smoke detector? It’s these questions that actually you want to resolve early so that if there is an incident, one, you’re detecting it early. You’re also responding early, so you’re minimizing the consequences.

But then when you are bringing in that response, it’s not a major problem and everything’s on fire and nobody knows what to do. It’s like, OK, we’ve got a problem, but we think we’ve contained it. And we think that we’re on top of this. You know, so much in any form of engineering, it’s about thinking what can possibly go wrong?

How can I minimize the chances of this happening and minimize the consequences if it does happen? And really, this is what our incident response services are all about. Excellent. And I know it’s got to save so much more money investing in some fire extinguishers, talking to the fire safety teams, opposed to rebuilding your office, paying for all the fire truck service.

So great point there, Martin. Yeah, and rehearse. Have those rehearsals so that when a bad day happens, and it does happen, it will happen, everyone knows what to do. And it’s just, yeah, yeah, yeah, we practiced it.

We practiced this last month. We practiced this six months ago. And it’s just a simple something that you go through. Everyone knows what to do.

Everyone knows how to respond. And it just becomes, yeah, it’s something that somebody didn’t want to happen, but we dealt with it rather than, oh, my god, this is an absolute disaster. Everything’s falling down. We don’t know what to do.

Great. So let’s see. Andres, what do we got here? I could talk with you guys all day.

This is awesome. We got one more question for each of you. Maybe we’ll have time for the dad jokes one or two. We’ll see.

Joe, maybe quickly, for the audience listening in, this is all very fascinating. And we’re talking about fingerprints and being proactive versus reactive as possible. What do you guys in Talos see as some of the most common ways our customers are getting attacked? Is there any low-hanging fruit?

Someone in the audience listening, like, I need to be a little more invested in my own security. Any high level recommendations about what you guys see would be a good place to start? Yeah, tough question, actually, because the threat risk model is different for personal versus corporate, right? So if you’re a professional, if you’re a security practitioner in that corporate environment, there’s a number of ways.

Phishing is always going to be great, primarily because it’s cheap. The adversaries can do it. It’s spending fractions of a penny, blasting out emails. Someone will open the email and click something they should not.

If it’s dumb and it works, it is not dumb. What I kind of see, there’s a pivot there. They’re going more to QR code based attacks in those emails. And we can detect the QR codes, but there’s evasion tactics around that as well, because what if I access it on my mobile device?

How do I protect myself yet again? So the threat vectors are always changing. From a corporate way, so like with phishing, but also, like, we have unpatched, unmanaged devices on my perimeter. And I’ve got a firewall I haven’t patched in three years.

An adversary, a nation state, can exploit that to gain a foothold and then pivot, either intercept traffic or pivot deeper into your network and do damage, right? And whether you’re a nation state or what I call, you know, crimeware or commodity based, like ransomware attacks or cartel, these things truly don’t change because they’re going to throw the kitchen sink at you to find a way to get in. What might change is the level of noise they want to make once they’re inside of your network. I would say those are two of the most common ways, high level, that we see, and I could drill down into both, but I’m not going to for the time.

I will say this, like if we want to talk about low-hanging fruit, and sort of tacking onto what Martin was saying earlier about our incident response stuff that we do: 30% of all our emergency response cases, like so something’s on fire and we’re coming to help you put it out, the victim did not have MFA solutions installed. So having a multi-factor authentication solution, both personally and from a professional perspective, is absolutely invaluable. Having a password manager, a password vault, like 1Password, LastPass, I don’t care who you use, is also an A-plus way to protect yourself. Don’t reuse your passwords, because data breaches are multiplicative.

If I get breached here, I can read those credentials perhaps somewhere else and create more damage for you or attack your environment, your corporate environment. So like those two things to me are low hanging fruit, low investment dollars, high return on value that I would highly recommend to help prevent and mitigate some of those attacks, but of course there’s no fantasy, there’s no silver bullet. Yeah. Read our Year in Review report.

This is where we talk about everything that we see, we talk about the vulnerabilities, we talk about the attack techniques. Yeah, read our reports. This is where we talk about this. And the vulnerability reports, Mark, those would be posted on the…

So yeah, on our blog, so blog.talosintelligence.com, read the Year in Review report and also the quarterly threat reports that we make. This is exactly what we do and what we talk about. Great. That’s awesome.

You heard it folks, that’s a good place to spend some dollars to have that high return on security. So the MFA and then a simple password manager. You said roughly 30%. Great, thank you.

Yeah, and we’ll make sure we update on the page. Yeah, we’re going to list all that for sure. That’s great. That’s great, that’s great.

I think I do have the last question for you, Martin, and this one’s going to be super simple, I hope. But where can we learn more about Talos Intelligence? So www.talosintelligence.com is the simple answer. On our blog, which you’ll find a tab on the website, or just go to blog.talosintelligence.com, this is where we publish everything that we think that you need to know.

So we’ve got our various reports. We’ve got our newsletter, which is a very, very good place to start. Some of the reports go into more detail than others. Some stuff is sort of written for an audience of security researchers, but very simply the Year in Review and the quarterly reports and the newsletter are the places to start.

But everything that we think you need to know is published on our blog. Excellent. That’s awesome. Those last two questions, one kind of quick.

We’re a little bit over, but do you guys want to run through the Dad Joke contest? Hey, yeah, let’s go through the Dad Jokes. I’m happy, bro. So happy to hear that, Martin.

Some of these are pretty good. So what we’ll do is I’ll just start it at 90 seconds here. You each are going to get asked four Valentine’s Day specific Dad Jokes. Just see if you can come up with the correct answer.

If you say skip, we can always come back to it. Let’s see, Andres, I think you’re asking to Martin first. Let’s do it. I’ll start it.

When he gets about 10 seconds, I’ll say 10. All right. Ready, set, go. All right.

So I’ll go first. Go ahead. I’m already eating your time. So here’s the one.

If the letters Q and T were dating, what would be their celebrity name? OK, what I would do, I would have a good hard talk with T, because everyone knows you’ve got to mind your P’s and Q’s. No point for that one, Mike. That was great.

Oh, love it. Let’s do the next one. This one is we thought it was super fun. How did the telephone propose to his girlfriend?

So initially, my thoughts are something to do with rotary dial action and finger strength, but I think we probably don’t want to go there. So I would imagine it’s more to do with could it be giving her a ring? Oh. That was good.

That’s actually the answer. It’s killing it. All right. And the answer for the previous one was cutie.

All right, the next one. What did the paper clip say to the magnet? OK, this is another red flag for dating, because magnets are attracted to anything ferrous. They are never going to be faithful to you.

A magnet is not going to be a faithful partner. And if you do get into that relationship, it’s going to be very, very difficult to pull it apart. They’re very clingy. Never date a magnet.

That’s actually the answer. All right, the next one. What did one cat say to the other cat on Valentine’s Day? I can’t believe that you forgot again.

No, no, said you’re perfect. No, it would be definitely you’ve forgotten again. These are awesome. That was great.

I would get Martin extra points for coming up with the Ps and Qs and then the meow one. Oh my gosh, that is great. I’m trying not to turn red over here laughing. All right, Joe, are you ready?

I suck at these. Come at me, man. Let’s just get the bandaid off. Shall we?

Here we go. Time is starting now. What did the dark closet say to the light bulb? How much is this power bill going to cost me?

I don’t know. I’ve got nothing. All right, we could skip that one. Come back to it.

What is Cupid’s favorite rock band? Heart. Good one. OK, that’s not it.

But that would count. That’s amazing. What did the puzzle say on Valentine’s Day? You complete me.

Got it. Knock. What’s that? Knock knock.

Oh, you’re thankful. This is a PG. Who’s there? Olive.

I hate olives. You got to say London food. Olive who? Olive who? Sorry. And then could you complete the rest?

I love all of you. I don’t know. I don’t know. Oh Joe, all of you all of who to.

Okay, there you go. You got it. So little help from a friend. You got it.

Let’s go quick. It’s back to the first one. What did the dark closet say to the light bulb? You still got 15 seconds.

And the honor and I’ll come out of the closet. Light me up. I don’t know. I got you.

You light up my world. Ding ding ding. I was well guys. Well, I was I was I.

Oh, I bring you shut down. That was good. You guys got more than I would have and when we were coming up these questions, we were like we know these guys are going to be smart. You know, we knew you guys are going to do a great job.

So, well, that was fun. I’m glad we got some got those in. Andres, how about we summarize this and let’s close it out. Let’s do it.

Let’s do it. I know we went a little bit over. So we’re going to slide through through this quick section on the summary. So a few things that stuck in my mind and I’m thinking about, you know, is understand what Talos is doing as an organization.

What do they do? How they help our customers and how they help us also just, you know, understanding how we detect threats. A lot of information right now in in the Talos blog. I see, you know, there’s a lot of information, indications of compromise, any tool that you’re using for threat hunting.

It’s going to leverage that information as well. We also learned about discovery and publishing of new rules. That was actually awesome. I doubt that, you know, I probably have to go back and recheck some of that information. And, you know, we’re here to fight the good fight.

I know, you know, that’s one of the things that Talos says a lot. So that’s my takeaway, I guess. Right, for me, proactive security and reactive security, huge components. Martin, you were talking about investing in things like that, that a bad day is going to happen. Let’s try and fine-tune that as much as we can and prepare for it.

Stop making the bad day worse. Yes. Yes. And then that reactive portion of it to hate when that bad day does happen.

We can step in and help, incident response as an example, as opposed to the tabletop exercises for the proactive. Joe covered that low-hanging fruit, you know, we talked about the MFA and then the simple password managers, like cost-effective ways to decrease the chances of us being attacked. And then Martin, what is the website again? So blog.talosintelligence.com. Okay, great. And then I know you guys and Talos have the Beers with Talos podcast, which is super cool, as well as Talos Takes.

Andres and I are huge promoters of what you guys do for the good in the world. So thank you for having jobs that are so meaningful to the point that you’re truly out stopping bad guys and keeping us all safe. So and of course, thank you so much for your time on the show Joe and Martin. Andres our next call March 19th.

We’re going to be talking about a brand-new Cisco security solution called Secure Access. That’s a SASE solution, which is meshing security with connectivity. I have thoroughly enjoyed today’s show, something I’ve been looking forward to for a long time, Martin, Joe.

I hope everybody else out there enjoyed this show as much as we have. We will see everyone on the next show. Have a fantastic day, Martin, Joe. Thank you again. Thank you.

Thank you. All right guys. Take care.