Inside the World’s Leading Security-Research Team
If a car is stolen, there is a thief to find. If a bank is robbed, there’s a robber to chase. But when it comes to cybercrime, law enforcement is far less often involved. Modern cybercriminals rarely leave a physical trace. Even when crimes are clearly committed, jurisdiction can be less clear. As a result, fighting cybercrime is largely done by dedicated security researchers like the more than 250 members of Cisco Talos.
“That’s a heavy burden to bear, but it’s a responsibility the team relishes,” says Nick Biasini, a Talos outreach engineer based in Austin, Texas.
The industry’s leading threat-intelligence organization, Talos analyzes 1.5 million malware events every day, ultimately handling 7.2 trillion threats a year. “A lot of our job is trying to find the needle in the haystack. When you have a massive dataset of information, the hard part is finding what’s interesting, unique, or new,” says Senior Director Matt Watchinski, who leads the entire Talos team from Columbia, Maryland.
Talos researchers are concentrated in Columbia and Austin as well as San Jose, California, along with smaller sites around the world. The group is divided into five teams. The first four are threat intelligence, detection research, engine development, and outreach.
“Threat Intelligence powers everything by helping to consolidate and make sense of the data we receive on a continual basis,” explains Craig Williams, who leads the outreach team from Austin and acts as a spokesman of sorts for Talos.
The detection-research team then uses that data to fuel all supported security. “This team includes reverse engineers, malware analysts, and domain-reputation and spam experts. They take that distilled data and turn it into something actionable,” Williams explains.
The engine-development team does just what its name implies – works on engines that help deliver intelligence to all platforms. “These can be either APIs, backend engines that detect threats, or actual in-field detection engines that are deployed on platforms,” Williams continues.
The fifth, more elusive, team within Talos is known as Vulnerability R&D. It has a different charter altogether. These experts find what’re called zero day vulnerabilities, or previously unknown security issues that could be exploited at any time by attackers. Zero day implies that an issue has never been seen before, making it potentially more dangerous because nothing has yet been done to thwart it.
“These guys help us secure the platforms we all depend on by finding new threats before the bad guys do, and making sure our products cover the issues as quickly as possible,” says Williams. “They also develop new ways to mitigate classes of vulnerabilities to help protect customers.”
Talos traces its roots in large part to the storied vulnerability research team (VRT) at Sourcefire, one of the very first firms focused on network intrusion. Sourcefire, which we acquired in 2013, was founded in 2001 by Martin Roesch, who is now a Cisco vice president and the chief architect of the Security Business Group.
“Most of the original Sourcefire VRT employees are with us today,” says Talos Threat Intelligence Manager Joel Esler, an original VRT member and military veteran based in Delaware. “This is a smart, tight-knit team – dedicated beyond belief.”
When Sourcefire joined the company, Watchinski, Esler and the rest of the VRT connected with like-minded security researchers within Cisco, like Williams, to form Talos.
The team takes its name from Talos, the mythical man of bronze created by Zeus to circle the island of Crete three times daily to protect its citizens. Watchinski and other leaders wanted to create an entirely new organization that put the just-acquainted teams on equal footing. This started with the naming process, in which everyone had a say.
The various teams have embraced the new integrated culture, which grows continuously stronger, the sum seemingly greater than its parts. Today, Talos plays a leading role in global security research, and represents our growing commitment to helping customers – and the rest of the world – secure their networks.
“I have seen it first hand,” says Biasini, a recent addition to the Talos team who was previously a customer of both Sourcefire and Cisco. “There have been gigantic strides in security over the last couple of years and it’s been great to see how Cisco has evolved.”