Cisco Talos

Uploaded by minhlilili

Cisco Talos – Cisco’s Threat Intelligence Organization

Cisco Talos is Cisco Security’s threat intelligence organization. The Cisco Talos intelligence group comprises
security experts, world-class researchers, analysts, and engineers who provide state-of-the-art
international security research, technologies, techniques, and services that protect Cisco customers
against known and emerging threats. Aside from protecting Cisco customers’ networks from attackers,
they also stop any detected threats to protect the Internet in general.

Cisco Talos Teams and the Talos 7 Key Areas

The Cisco Talos team was formed by merging the following Cisco security research teams:

1. IronPort Security Applications (SecApps)

2. Sourcefire Vulnerability Research Team (VRT)

3. Threat Research, Analysis, and Communications (TRAC) Team

Cisco Talos incorporates the following seven key areas:

1. Threat Intelligence & Interdiction – correlates and tracks threats.

2. Detection Research – detects and analyzes malware and vulnerabilities.

3. Engineering & Development – updates and maintains inspection engines, develops security
systems and tools.

4. Vulnerability Research & Discovery – develops programmatic and replicable methods to
determine high-priority vulnerabilities.

5. Communities – handles education and knowledge, marketing and media, and Talos websites.

6. Global Outreach – conducts specialized research and disseminates Talos intelligence.

7. Talos Incident Response – offers proactive and reactive services to assist customers in
preparing for, responding to, and recovering from a breach.

Threat Intelligence

Cisco Talos security experts actively locate and report vulnerabilities detected in customers’ software
and assist vendors in eliminating them. This is achieved through numerous industry partnerships,
customer feedback, and threat intelligence analysis, in addition to product telemetry and proactive
discovery. Talos receives intelligence from the following feeds, which no other cybersecurity research
team can match:

• Advanced Microsoft and industry disclosures

• Advanced Malware Protection (AMP) community

• ClamAV, Immunet, SenderBase, Snort, SpamCop, Talos user communities, and Cisco Threat Grid

• Honeypots

• Sourcefire Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program

Cisco Talos Telemetry

Cisco Talos supports two-way telemetry and protection across major security solutions, both open
source and commercial, including Cisco’s Advanced Malware Protection (AMP), Cloud Email
Security (CES), Cloud Web Security (CWS), Email Security Appliance (ESA), Next-Generation Intrusion
Prevention System (NGIPS), Next-Generation Firewall (NGFW), Web Security Appliance (WSA),
Stealthwatch, ThreatGrid, and Umbrella.

Talos’ comprehensive and integrated portfolio covers endpoint, network, cloud, edge, data center,
desktop, mobile, IPS, firewall, DNS, and much more. This yields an understanding of threats from the
largest to the smallest, their root causes, and the scope of outbreaks.

All of the data collected from these sources is used to build extensive threat intelligence that is
incorporated into security products and solutions to provide protection against a wide range of threats.
Cisco Talos provides coverage against newly discovered vulnerabilities while the affected
vendors develop and test their patches.

Advanced Microsoft and industry disclosures

A vulnerability disclosure, as the term is used in the Microsoft Security Intelligence Report, is the
revelation of a software vulnerability to the public at large. Disclosures can come from a variety of
sources, including publishers of the affected software, security software vendors, independent security
researchers, and even malware creators.

The vulnerability disclosure data in the Security Intelligence Report is compiled from vulnerability
disclosure data that is published in the National Vulnerability Database (NVD). This database is the US
government’s repository of standards-based vulnerability management data. The NVD represents all
disclosures that have a published Common Vulnerabilities and Exposures (CVE) identifier.

Industry-wide vulnerability disclosures trending upwards

Figure 1 illustrates the vulnerability disclosure trend across the entire industry since 2011. Between 2011
and the end of 2013 vulnerability disclosure counts ranged from a low of 1,926 in the second half of
2011 to a high of 2,588 in the first half of 2012; there were more than 4,000 vulnerability disclosures
across the entire industry each year during this period. For additional context, the peak period for
industrywide vulnerability disclosures was 2006-2007 when 6,000 – 7,000 vulnerabilities were disclosed
each year. Vulnerability disclosures across the industry in the second half of 2013 (2H13) were up 6.5
percent from the first half of the year, and up 12.6 percent from the second half of 2012.

Not all vulnerabilities are equal – there are differences in severity and access complexity.

Vulnerability severity trends

The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring
system for rating IT vulnerabilities. The CVSS base metric assigns a numeric value between 0 and 10 to
vulnerabilities according to severity, with higher scores representing greater severity. In general,
mitigating the most severe vulnerabilities first is a security best practice.

Vulnerabilities that scored 9.9 or greater represent 6.2 percent of all vulnerabilities disclosed in the
second half of 2013, as Figure 3 illustrates. This percentage represents a significant decrease from the
first half of the year, when vulnerabilities that scored 9.9 or greater accounted for 12.4 percent of all
vulnerabilities. Vulnerabilities that scored between 7.0 and 9.8 increased to 25.3 percent in the second
half of 2013 from 24.4 percent in the first half of the year. Medium severity vulnerability disclosures
increased 19.1 percent between the first half and second half of 2013, and accounted for 59.3 percent
of total disclosures in the second half of the year.

Vulnerability access complexity trends

Some vulnerabilities are easier to exploit than others. This is a characteristic that’s not captured in the
aforementioned severity ratings. Vulnerability complexity is an important factor to consider in
determining the magnitude of the threat that a vulnerability poses. A high-severity vulnerability that can
only be exploited under very specific and rare circumstances might require less immediate attention
than a lower-severity vulnerability that can be exploited more easily.

The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or High. Figure 4 shows
complexity trends for vulnerabilities disclosed since the first half of 2011 (1H11). Note that Low
complexity in Figure 4 indicates greater risk, just as High severity indicates greater risk.

Disclosures of low-complexity vulnerabilities, the ones that are easiest to exploit, accounted for
43.5 percent of all disclosures in the second half of 2013, a decrease from 52.9 percent in the first half
of the year. Disclosures of medium-complexity vulnerabilities accounted for 51.9 percent of all
disclosures in the second half of 2013, an increase from 41.9 percent in the first half of the year.
Disclosures of high-complexity vulnerabilities decreased to 4.6 percent of all disclosures in the second
half of 2013, down from 5.3 percent in the first half of the year.
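The two breakdowns above (share of disclosures per CVSS severity band, and per access complexity) and the remediation-ordering point (an easy-to-exploit medium may deserve attention before a hard-to-exploit critical) are easy to reproduce on NVD-style records. The following is an added worked example, not code from the report, Microsoft or Cisco Talos. It goes slightly beyond the text by combining the two dimensions into one triage order. The records are constructed sample data with placeholder identifiers, the 9.9+ and 7.0-9.8 bands come from the text, the Low (0.0-3.9) and Medium (4.0-6.9) bands are the standard CVSS v2 ranges the report does not spell out, and the complexity weights in `COMPLEXITY_WEIGHT` are an assumption chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass


# Added example; not from the report. Records are constructed sample data and
# the identifiers are placeholders, not real CVE entries.
@dataclass(frozen=True)
class Disclosure:
    cve_id: str              # placeholder identifier (constructed)
    cvss_base: float         # CVSS base score, 0.0 to 10.0
    access_complexity: str   # CVSS access complexity: "Low", "Medium" or "High"


SAMPLE = [
    Disclosure("CVE-EXAMPLE-0001", 10.0, "Low"),
    Disclosure("CVE-EXAMPLE-0002", 9.9, "High"),
    Disclosure("CVE-EXAMPLE-0003", 9.3, "Low"),
    Disclosure("CVE-EXAMPLE-0004", 7.5, "Medium"),
    Disclosure("CVE-EXAMPLE-0005", 6.8, "Low"),
    Disclosure("CVE-EXAMPLE-0006", 5.0, "Medium"),
    Disclosure("CVE-EXAMPLE-0007", 4.3, "Medium"),
    Disclosure("CVE-EXAMPLE-0008", 4.0, "Low"),
    Disclosure("CVE-EXAMPLE-0009", 2.1, "Low"),
    Disclosure("CVE-EXAMPLE-0010", 3.5, "High"),
]


def severity_band(score):
    """Map a CVSS base score to the bands used in the text.

    9.9+ and 7.0-9.8 are the bands the report quotes; Low (0.0-3.9) and
    Medium (4.0-6.9) are the CVSS v2 ranges (assumed, not stated on the page).
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.9:
        return "9.9+"
    if score >= 7.0:
        return "7.0-9.8"
    if score >= 4.0:
        return "Medium"
    return "Low"


def share_by(records, key):
    """Percentage of records falling in each category, rounded to one decimal."""
    counts = Counter(key(r) for r in records)
    total = len(records)
    return {k: round(100.0 * n / total, 1) for k, n in counts.items()}


def severity_shares(records):
    """Distribution of disclosures across severity bands (Figure 3 style)."""
    return share_by(records, lambda r: severity_band(r.cvss_base))


def complexity_shares(records):
    """Distribution of disclosures across access complexity (Figure 4 style)."""
    return share_by(records, lambda r: r.access_complexity)


# Assumed weights for illustration only. Low complexity means the vulnerability
# is easiest to exploit, so it keeps the full base score; harder-to-exploit
# entries are discounted.
COMPLEXITY_WEIGHT = {"Low": 1.0, "Medium": 0.8, "High": 0.6}


def triage_order(records):
    """Order disclosures for remediation: base score discounted by access
    complexity, so an easy-to-exploit medium can outrank a hard-to-exploit
    critical. Ties are broken by the raw CVSS score."""
    def key(r):
        if r.access_complexity not in COMPLEXITY_WEIGHT:
            raise ValueError(f"unknown access complexity: {r.access_complexity}")
        effective = round(r.cvss_base * COMPLEXITY_WEIGHT[r.access_complexity], 2)
        return (-effective, -r.cvss_base)
    return [r.cve_id for r in sorted(records, key=key)]


if __name__ == "__main__":
    print("severity:  ", severity_shares(SAMPLE))
    print("complexity:", complexity_shares(SAMPLE))
    print("triage:    ", triage_order(SAMPLE))
```

With the sample above, CVE-EXAMPLE-0005 (6.8, Low complexity) is placed ahead of CVE-EXAMPLE-0002 (9.9, High complexity), which is exactly the situation the text describes; on real NVD data the weights would be a policy decision for the team doing the triage, not a fixed constant.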

Operating system, browser, and application vulnerabilities

Comparing operating system vulnerabilities to non-operating system vulnerabilities that affect other
components requires determining whether a particular program or component should be considered
part of an operating system. This determination is not always simple and straightforward, given the
componentized nature of modern operating systems. Some programs (media players, for example) ship
by default with some operating system softwar

Source: collected from the INTERNET
