1
00:00:00,000 --> 00:00:03,760
Welcome everybody to the latest episode of Security in 45.

2
00:00:03,760 --> 00:00:07,560
Today is Wednesday, February 21st.

3
00:00:07,560 --> 00:00:10,920
Today's topic is Cisco Talos.

4
00:00:10,920 --> 00:00:13,760
And Andres, I've been looking forward to this conversation

5
00:00:13,760 --> 00:00:15,480
for many months.

6
00:00:15,480 --> 00:00:18,840
The Talos organization is very intriguing.

7
00:00:18,840 --> 00:00:20,880
In my simplistic mind, I kind of think of them

8
00:00:20,880 --> 00:00:23,600
as like a bunch of like James Bond type people

9
00:00:23,600 --> 00:00:25,820
all working together, doing all this cool stuff

10
00:00:25,820 --> 00:00:28,160
that we just hear about.

11
00:00:28,160 --> 00:00:31,480
You know, kind of the backbone for Cisco's security products

12
00:00:31,480 --> 00:00:36,040
and is what definitely keeps so much of our industry secure

13
00:00:36,040 --> 00:00:39,320
from businesses, the banks, governments, schools,

14
00:00:39,320 --> 00:00:41,520
our home networks.

15
00:00:41,520 --> 00:00:42,360
Yeah, yeah.

16
00:00:42,360 --> 00:00:46,920
And very excited to be here. Actually, I do have a few notes.

17
00:00:46,920 --> 00:00:50,960
So we know and from what we know is that

18
00:00:50,960 --> 00:00:53,640
Talos is the largest commercial threat

19
00:00:53,640 --> 00:00:55,960
intelligence team in the world.

20
00:00:55,960 --> 00:01:00,160
So if guys, if I get any of this wrong, let me know.

21
00:01:00,160 --> 00:01:05,160
What? One of the largest in the world.

22
00:01:05,160 --> 00:01:07,160
One of the, oh, okay, okay.

23
00:01:07,160 --> 00:01:08,560
Yeah, I didn't read that one.

24
00:01:08,560 --> 00:01:13,560
And we know it is full of world class data scientists,

25
00:01:14,600 --> 00:01:18,720
researchers, analysts, engineers, and you know,

26
00:01:18,720 --> 00:01:21,840
it's a very, very close group for, you know,

27
00:01:21,840 --> 00:01:23,080
what we've seen so far.

28
00:01:23,080 --> 00:01:28,080
So main idea of Talos is just to keep us safe

29
00:01:28,520 --> 00:01:31,160
from both existing and emerging threats.

30
00:01:31,160 --> 00:01:33,960
So that is super exciting to hear about.

31
00:01:33,960 --> 00:01:38,820
And the other thing to mention is from a Cisco's perspective,

32
00:01:38,820 --> 00:01:41,760
you guys are the underlying security intelligence

33
00:01:41,760 --> 00:01:45,700
behind all of the Cisco security ecosystem.

34
00:01:45,700 --> 00:01:48,800
So this is gonna be really exciting.

35
00:01:48,800 --> 00:01:50,920
You know, it's a, you know,

36
00:01:50,920 --> 00:01:54,640
we talk about multiple security products here in the show

37
00:01:54,640 --> 00:01:59,200
and just ready to hear more about it, Mike.

38
00:01:59,200 --> 00:02:02,120
Yeah, for me, you know,

39
00:02:02,120 --> 00:02:04,880
a security solution is only gonna be as good

40
00:02:04,880 --> 00:02:07,900
as the intelligence source that it's learning from.

41
00:02:07,900 --> 00:02:10,120
For sound security solutions,

42
00:02:10,120 --> 00:02:12,480
we need accurate threat identification.

43
00:02:12,480 --> 00:02:15,640
We need patches and details about these threats.

44
00:02:15,640 --> 00:02:18,000
And we need them before the attack happens

45
00:02:18,000 --> 00:02:19,680
on our own network.

46
00:02:19,680 --> 00:02:22,760
Now today we are super fortunate and excited

47
00:02:22,760 --> 00:02:26,640
to have two Talos engineers on the show with us here,

48
00:02:26,640 --> 00:02:28,480
Joe Marshall and Martin Lee.

49
00:02:28,480 --> 00:02:30,280
Thank you so much for taking the time

50
00:02:30,280 --> 00:02:32,920
to be here with us today.

51
00:02:32,920 --> 00:02:36,660
We are very excited to have you guys on this conversation.

52
00:02:38,360 --> 00:02:40,360
Now let's kick it off and Joe,

53
00:02:40,360 --> 00:02:42,420
we'll go straight to you here.

54
00:02:42,420 --> 00:02:44,680
Maybe I think the audience would love to hear

55
00:02:44,680 --> 00:02:46,880
a little introduction about yourself,

56
00:02:46,880 --> 00:02:51,400
maybe your background and what you do at Talos.

57
00:02:51,400 --> 00:02:53,520
Yeah, I do wanna make an early clarification

58
00:02:53,520 --> 00:02:55,840
with what Martin and Andres said.

59
00:02:55,840 --> 00:02:56,960
We're one of the largest,

60
00:02:56,960 --> 00:03:01,200
but we're for sure the most handsome security researchers

61
00:03:01,200 --> 00:03:02,960
in all of the world.

62
00:03:02,960 --> 00:03:04,620
We have no peers.

63
00:03:04,620 --> 00:03:07,160
We're devastatingly attractive people, all of us.

64
00:03:07,160 --> 00:03:10,680
All right, so my background,

65
00:03:10,680 --> 00:03:11,520
how did I get started?

66
00:03:11,520 --> 00:03:12,340
All that fun stuff.

67
00:03:12,340 --> 00:03:15,780
So I've been with Talos eight and a half years now.

68
00:03:15,780 --> 00:03:20,780
I originally came from the DoD contractor

69
00:03:21,180 --> 00:03:24,980
and power utility space.

70
00:03:24,980 --> 00:03:27,180
And I was brought in to build

71
00:03:27,180 --> 00:03:32,180
the first hardware reverse engineering team inside of Talos

72
00:03:33,260 --> 00:03:38,260
for taking apart smart meters and other things

73
00:03:39,580 --> 00:03:41,140
that you would see on the side of a house

74
00:03:41,140 --> 00:03:43,100
or on a truck or on a train.

75
00:03:43,100 --> 00:03:45,500
And I would do that for about three years

76
00:03:45,500 --> 00:03:46,340
and then I would transition

77
00:03:46,340 --> 00:03:47,840
into sort of the current team that I am now

78
00:03:47,840 --> 00:03:50,180
where I get to take that threat research

79
00:03:50,180 --> 00:03:52,860
and continue to do threat research

80
00:03:52,860 --> 00:03:55,900
to talk to our communities and our constituents

81
00:03:55,900 --> 00:03:59,200
and our customers about what it is that we do

82
00:03:59,200 --> 00:04:00,820
inside of Talos every single day,

83
00:04:00,820 --> 00:04:02,980
which is fight the bad guys.

84
00:04:02,980 --> 00:04:05,620
And it's such a vast swath of things.

85
00:04:05,620 --> 00:04:08,420
It's not just any one individual thing

86
00:04:08,420 --> 00:04:10,740
that it's almost really tough to zero in.

87
00:04:10,740 --> 00:04:12,440
For instance, prior to this call,

88
00:04:12,440 --> 00:04:14,220
I was talking to a community of interest

89
00:04:14,220 --> 00:04:15,900
for transportation security.

90
00:04:18,020 --> 00:04:19,460
Two days ago or a day ago,

91
00:04:19,460 --> 00:04:22,900
I should say I was talking to a medical sector.

92
00:04:22,900 --> 00:04:25,260
So like there's so many different areas

93
00:04:25,260 --> 00:04:26,700
and all of these are related

94
00:04:26,700 --> 00:04:28,860
to like a Cisco account team usually.

95
00:04:28,860 --> 00:04:30,340
And so we're there to assist them,

96
00:04:30,340 --> 00:04:34,380
make them look smart and give our customers,

97
00:04:34,380 --> 00:04:35,460
constituents, communities,

98
00:04:35,460 --> 00:04:37,700
whomever it happens to be that we're speaking to,

99
00:04:37,700 --> 00:04:40,420
just, I don't know, a better security vocabulary,

100
00:04:40,420 --> 00:04:42,620
understand the threats and what we're doing

101
00:04:42,620 --> 00:04:46,180
to punch those bad guys right in the face.

102
00:04:46,180 --> 00:04:48,260
My background and how I got started,

103
00:04:48,260 --> 00:04:50,660
it's really weird with cybersecurity.

104
00:04:50,660 --> 00:04:52,860
I come from an operations background.

105
00:04:52,860 --> 00:04:54,900
So I was an IT guy, I had my MCSE.

106
00:04:54,900 --> 00:04:56,540
I was just doing sort of run of the mill,

107
00:04:56,540 --> 00:04:58,100
sys admin stuff.

108
00:04:58,100 --> 00:04:59,820
And when you do it for a really

109
00:04:59,820 --> 00:05:01,880
security conscious organization,

110
00:05:01,880 --> 00:05:02,940
you really start to realize

111
00:05:02,940 --> 00:05:04,900
you're really a cybersecurity practitioner,

112
00:05:04,900 --> 00:05:06,740
even if it's not in your title.

113
00:05:06,740 --> 00:05:09,180
So when I would separate from that

114
00:05:09,180 --> 00:05:12,780
and I would go on to the more private sector stuff,

115
00:05:12,780 --> 00:05:16,300
I was an all but native cybersecurity professional.

116
00:05:16,300 --> 00:05:17,660
And then I just needed to get the title

117
00:05:17,660 --> 00:05:19,860
to actually represent that,

118
00:05:19,860 --> 00:05:21,920
which I think is that they're basically saying

119
00:05:21,920 --> 00:05:23,260
everyone's in cybersecurity,

120
00:05:23,260 --> 00:05:24,900
no matter where you are, where you work,

121
00:05:24,900 --> 00:05:26,660
personal or professional,

122
00:05:26,660 --> 00:05:27,820
we're all in this together.

123
00:05:27,820 --> 00:05:32,660
So yeah, that's about it for me.

124
00:05:32,660 --> 00:05:33,700
I kick it over to Martin,

125
00:05:33,700 --> 00:05:36,300
who's got a much more interesting background than I do.

126
00:05:36,300 --> 00:05:39,020
Yes, yeah.

127
00:05:39,020 --> 00:05:43,020
So I'm in cybersecurity by accident,

128
00:05:43,860 --> 00:05:47,100
really through no great design.

129
00:05:47,100 --> 00:05:52,100
I started out my career as a human viral geneticist.

130
00:05:52,380 --> 00:05:55,700
And then I discovered the early internet.

131
00:05:55,700 --> 00:05:57,740
So I thought this,

132
00:05:57,740 --> 00:05:59,980
this is what I'm gonna do with my life.

133
00:05:59,980 --> 00:06:04,260
So I dropped all ambitions of finding a cure for cancer

134
00:06:04,260 --> 00:06:05,980
and stuff like that.

135
00:06:05,980 --> 00:06:09,380
And then jumped into the world of IT,

136
00:06:10,260 --> 00:06:13,020
rose during the dot-com boom, which was awesome,

137
00:06:13,020 --> 00:06:15,100
crashed during the dot-com crash.

138
00:06:15,900 --> 00:06:19,940
And then this job came up writing spam filters.

139
00:06:19,940 --> 00:06:22,060
And this was even before spam was a thing.

140
00:06:22,060 --> 00:06:23,100
And I thought, well, hang on,

141
00:06:23,100 --> 00:06:25,300
this is just a pattern matching thing.

142
00:06:25,300 --> 00:06:28,100
And I knew how to do that through my work

143
00:06:28,100 --> 00:06:31,340
working on virus DNA of how to identify patterns

144
00:06:31,340 --> 00:06:32,900
and measure homology.

145
00:06:32,900 --> 00:06:37,260
And so I got that job, which is now 21 years ago,

146
00:06:37,260 --> 00:06:38,820
actually, I believe it's 21 years ago,

147
00:06:38,820 --> 00:06:42,900
this very week that I started.

148
00:06:42,900 --> 00:06:47,900
And then looking at these very, very early cyber attacks,

149
00:06:49,220 --> 00:06:52,460
and we started distinguishing between,

150
00:06:52,460 --> 00:06:56,860
we were getting lots of sort of normal attacks,

151
00:06:56,860 --> 00:07:00,100
and then we'd start getting some really, really rare

152
00:07:00,100 --> 00:07:03,100
and very, very interesting ones going against

153
00:07:03,100 --> 00:07:05,820
some of our customers, not all of the customers,

154
00:07:05,820 --> 00:07:07,580
only a small subset.

155
00:07:07,580 --> 00:07:09,380
And then we're trying to work out,

156
00:07:09,380 --> 00:07:11,460
well, what's going on here?

157
00:07:11,460 --> 00:07:13,580
Why are we getting all these attacks over here?

158
00:07:13,580 --> 00:07:14,700
And we're getting these things

159
00:07:14,700 --> 00:07:17,100
that are really, really different over there.

160
00:07:17,100 --> 00:07:22,100
And trying to work out what was happening,

161
00:07:22,140 --> 00:07:25,980
who were the bad guys, what it is that they're doing.

162
00:07:25,980 --> 00:07:28,860
And then over the years, spending more time at that,

163
00:07:28,860 --> 00:07:31,180
how do we work out what's happening

164
00:07:31,180 --> 00:07:32,420
in the threat landscape?

165
00:07:32,420 --> 00:07:35,500
What kind of attacks are we seeing?

166
00:07:35,500 --> 00:07:36,940
Why are we seeing them?

167
00:07:36,940 --> 00:07:40,140
How do we detect and block those?

168
00:07:40,140 --> 00:07:44,380
And then most important, talking to customers

169
00:07:44,380 --> 00:07:46,300
about what it is that you need to do

170
00:07:46,300 --> 00:07:49,220
to protect yourself against these.

171
00:07:49,220 --> 00:07:53,740
So I've been now with Cisco for 10 years.

172
00:07:54,580 --> 00:07:55,980
I wrote a book.

173
00:07:55,980 --> 00:08:00,980
So when I started out in threat intelligence,

174
00:08:01,460 --> 00:08:02,900
I didn't even know what I was doing

175
00:08:02,900 --> 00:08:04,620
was called cyber threat intelligence.

176
00:08:04,620 --> 00:08:07,620
And I tried to find a textbook

177
00:08:07,620 --> 00:08:09,460
that would tell me how to do it.

178
00:08:09,460 --> 00:08:11,740
Never found what it was that I wanted.

179
00:08:11,740 --> 00:08:16,220
So last year, basically, I sat down

180
00:08:16,220 --> 00:08:20,500
and I wrote that textbook, the book that I wanted to find

181
00:08:20,500 --> 00:08:23,580
when I started out in the domain.

182
00:08:23,580 --> 00:08:27,540
And ultimately, that's what brought me where I am today.

183
00:08:27,540 --> 00:08:30,220
So basically, it's about working out

184
00:08:30,220 --> 00:08:32,460
what the bad guys are up to,

185
00:08:32,460 --> 00:08:33,380
what are the differences,

186
00:08:33,380 --> 00:08:35,780
how the threat landscape is changing,

187
00:08:35,780 --> 00:08:37,940
and then making sure that people are aware of that

188
00:08:37,940 --> 00:08:40,540
and know how to protect themselves.

189
00:08:40,540 --> 00:08:42,780
Hey, Martin, you've been doing this 21 years, dude.

190
00:08:42,780 --> 00:08:43,820
That's crazy.

191
00:08:43,820 --> 00:08:44,780
What was Moses like?

192
00:08:44,780 --> 00:08:45,860
Was he cool?

193
00:08:45,860 --> 00:08:47,300
Oh, yeah, no, he was a great guy.

194
00:08:47,300 --> 00:08:50,300
He was really interested in cyber attacks.

195
00:08:50,300 --> 00:08:51,140
I don't know if you've heard

196
00:08:51,140 --> 00:08:53,300
about the burning bush malware, but wow.

197
00:08:53,300 --> 00:08:55,380
Oh, no, that's wild, man.

198
00:08:55,380 --> 00:08:57,860
Thought to be a false flag and an insider job,

199
00:08:57,860 --> 00:08:59,820
but yeah, awesome.

200
00:08:59,820 --> 00:09:01,340
Actually, interestingly, he was the guy,

201
00:09:01,340 --> 00:09:02,980
the first guy, the VPN tunnel

202
00:09:02,980 --> 00:09:07,460
that he managed to do the parting of the way VPN travel,

203
00:09:07,460 --> 00:09:12,380
tunnel, so you could just tunnel through contested waters.

204
00:09:12,380 --> 00:09:13,620
Awesome guy.

205
00:09:13,620 --> 00:09:15,780
I knew VPNs were an older technology.

206
00:09:15,780 --> 00:09:16,620
I knew it.

207
00:09:19,020 --> 00:09:22,020
Wow, fascinating backgrounds, Martin.

208
00:09:22,020 --> 00:09:24,220
I bet you find a lot of similarities

209
00:09:24,220 --> 00:09:27,660
between the genetics part and honestly,

210
00:09:27,660 --> 00:09:30,300
threat hunting, putting pieces of the puzzle together.

211
00:09:32,620 --> 00:09:35,580
I find the similarities a lot in public health

212
00:09:37,300 --> 00:09:39,980
and the analogy that I use,

213
00:09:39,980 --> 00:09:42,740
we're living in another industrial revolution.

214
00:09:42,740 --> 00:09:45,300
We're living in the digital revolution

215
00:09:45,300 --> 00:09:47,620
in the same way that the industrial revolution

216
00:09:47,620 --> 00:09:51,660
changed everything through the 18th and 19th centuries

217
00:09:51,660 --> 00:09:56,500
and led to all sorts of problems like cholera and disease

218
00:09:56,500 --> 00:09:58,860
and all these things that we didn't have before.

219
00:09:59,740 --> 00:10:02,380
The physicians at the time developed models

220
00:10:02,380 --> 00:10:05,060
to actually try and map all of these problems

221
00:10:05,060 --> 00:10:06,460
and understand what was happening,

222
00:10:06,460 --> 00:10:08,580
even though they didn't know,

223
00:10:08,580 --> 00:10:10,980
the germ theory of disease didn't exist,

224
00:10:10,980 --> 00:10:12,380
they didn't know what they were dealing with,

225
00:10:12,380 --> 00:10:15,340
but they could analyze it and start piecing together

226
00:10:15,340 --> 00:10:17,540
bits of the puzzle to understand what's happening

227
00:10:17,540 --> 00:10:19,340
and how do we protect people.

228
00:10:19,340 --> 00:10:24,340
And I really feel that we've got to use the same approach now

229
00:10:24,780 --> 00:10:27,460
that in this digital revolution that we're living in,

230
00:10:27,460 --> 00:10:30,500
suddenly there's all these advantages

231
00:10:30,500 --> 00:10:32,700
from digital technologies, but there's problems as well,

232
00:10:32,700 --> 00:10:35,420
such as cyber insecurity and attacks.

233
00:10:35,420 --> 00:10:38,140
And really it's for ourselves

234
00:10:38,140 --> 00:10:39,900
and other similar organizations

235
00:10:39,900 --> 00:10:41,660
to start piecing those bits together,

236
00:10:41,660 --> 00:10:44,620
understanding what's happening, trying to work out

237
00:10:44,620 --> 00:10:48,740
where do we need to act in order to stop these problems

238
00:10:48,740 --> 00:10:51,340
and what information can we give to people

239
00:10:51,340 --> 00:10:53,580
and organizations to actually protect themselves

240
00:10:53,580 --> 00:10:55,740
and make sure they don't come down

241
00:10:55,740 --> 00:10:58,660
with a breach or an incursion.

242
00:10:58,660 --> 00:11:00,500
But yeah, there's a lot of similarities.

243
00:11:00,500 --> 00:11:02,100
Interesting.

244
00:11:02,100 --> 00:11:04,740
And Joe, with the meter,

245
00:11:04,740 --> 00:11:07,700
I mean, talk about the ultimate BYOD device.

246
00:11:07,700 --> 00:11:11,020
Like can Cisco ISE detect if you bring a meter on?

247
00:11:14,020 --> 00:11:16,100
I don't know, actually.

248
00:11:16,100 --> 00:11:18,060
My inclination is probably not

249
00:11:18,060 --> 00:11:21,060
because they're in a really unique ecosystem

250
00:11:21,060 --> 00:11:23,980
for what's called AMI, advanced metering infrastructure.

251
00:11:24,900 --> 00:11:27,140
It's more cellular, to be honest.

252
00:11:27,140 --> 00:11:29,500
So maybe if a product support specialist

253
00:11:29,500 --> 00:11:30,700
could tell me otherwise,

254
00:11:31,620 --> 00:11:33,260
I'd be kind of curious about that.

255
00:11:33,260 --> 00:11:35,300
Yeah, well, the-

256
00:11:35,300 --> 00:11:38,780
The question I have is how much do you pay on power

257
00:11:38,780 --> 00:11:40,700
and electricity in your house

258
00:11:40,700 --> 00:11:42,260
if you have a hacked one already?

259
00:11:42,260 --> 00:11:44,380
No, no.

260
00:11:44,380 --> 00:11:47,140
So first, I'm legally required to say

261
00:11:47,140 --> 00:11:50,100
that I pay all my power bills on time

262
00:11:50,940 --> 00:11:52,140
with the diligence required

263
00:11:52,140 --> 00:11:55,780
as a law-abiding citizen of this country.

264
00:11:55,780 --> 00:11:57,860
When I first started working for the power company,

265
00:11:57,860 --> 00:11:58,700
my mom asked me, she's like,

266
00:11:58,700 --> 00:12:00,340
I mean, you get free power now?

267
00:12:00,340 --> 00:12:03,340
And I went, no, mom, I still have to pay my power bills.

268
00:12:03,340 --> 00:12:04,740
I don't get anything for free.

269
00:12:04,740 --> 00:12:06,540
If anything, I'm paying myself now

270
00:12:06,540 --> 00:12:07,940
because I pay my power bills.

271
00:12:09,180 --> 00:12:10,540
So yeah.

272
00:12:10,540 --> 00:12:15,300
I wrote a whole chapter on ethics in this damn book.

273
00:12:15,300 --> 00:12:18,660
I've had people criticize on Amazon reviews

274
00:12:18,660 --> 00:12:20,900
that I wasted a chapter writing about ethics.

275
00:12:20,900 --> 00:12:21,940
No, no, no, no, no.

276
00:12:21,940 --> 00:12:24,700
Ethics is a key part of cybersecurity.

277
00:12:24,700 --> 00:12:28,180
Yeah, yeah, we all pay for our electricity

278
00:12:28,180 --> 00:12:29,380
and utility bills.

279
00:12:29,380 --> 00:12:31,700
Yeah, we use our powers for good.

280
00:12:32,540 --> 00:12:34,180
That's my story I'm sticking to.

281
00:12:34,180 --> 00:12:35,580
We have great responsibility.

282
00:12:37,580 --> 00:12:41,180
Now, yeah, this is already off to a great start.

283
00:12:41,180 --> 00:12:43,180
And I'll raise some love in this episode.

284
00:12:43,180 --> 00:12:45,780
Now, Joe, I'll kick this over to you.

285
00:12:45,780 --> 00:12:48,820
Can you give, describe Talos to the audience,

286
00:12:48,820 --> 00:12:50,180
maybe those who are not familiar

287
00:12:50,180 --> 00:12:51,660
with what you guys generally do

288
00:12:51,660 --> 00:12:54,340
and what the organization does?

289
00:12:54,340 --> 00:12:55,580
Yeah, sure.

290
00:12:55,580 --> 00:12:56,420
It's a lot.

291
00:12:56,420 --> 00:12:57,260
We do a lot.

292
00:12:58,780 --> 00:13:01,020
So I need to take you back to hallowed antiquity

293
00:13:01,020 --> 00:13:03,300
if I really wanna get to the core nugget

294
00:13:03,300 --> 00:13:04,780
of what it is we do.

295
00:13:04,780 --> 00:13:09,180
So there was a company in the late 90s called Sourcefire

296
00:13:09,180 --> 00:13:13,340
and they had written this TCP/IP inspection tool

297
00:13:13,340 --> 00:13:16,300
called Snort, invented by a guy named Marty Roesch.

298
00:13:16,300 --> 00:13:19,700
And a company was sort of formed around that core nucleus

299
00:13:19,700 --> 00:13:21,340
of this tool called Snort.

300
00:13:21,340 --> 00:13:23,180
And they would go on to sell firewalls

301
00:13:23,180 --> 00:13:26,140
and intrusion detection and prevention systems.

302
00:13:26,140 --> 00:13:31,140
And they would form this core hacker collective

303
00:13:31,140 --> 00:13:33,900
called the VRT, the vulnerability research team.

304
00:13:33,900 --> 00:13:37,500
And both understanding adversary behaviors

305
00:13:37,500 --> 00:13:41,020
and then how their tools and products can protect.

306
00:13:41,020 --> 00:13:43,700
Cisco would acquire Sourcefire in 2014.

307
00:13:43,700 --> 00:13:47,700
So the VRT, which was about a core 50 people,

308
00:13:49,420 --> 00:13:52,460
migrated over and we rebranded as Talos.

309
00:13:52,460 --> 00:13:54,220
I came in right after the acquisition

310
00:13:54,220 --> 00:13:58,100
and I think I was like number 70 or 80

311
00:13:58,100 --> 00:13:59,940
or something like that of like the people

312
00:13:59,940 --> 00:14:01,100
that had been added.

313
00:14:01,100 --> 00:14:03,700
And if you take sort of the two separate areas of Talos

314
00:14:03,700 --> 00:14:07,300
as they exist now, we're about 50% of the people

315
00:14:07,300 --> 00:14:10,580
450 to 500 people globally.

316
00:14:10,580 --> 00:14:12,500
We're on four different continents.

317
00:14:12,500 --> 00:14:16,300
We speak well over 30 languages amongst all of us.

318
00:14:16,300 --> 00:14:19,420
And we keep just about every security specialization

319
00:14:19,420 --> 00:14:22,220
you can think of under the sun is something

320
00:14:22,220 --> 00:14:24,580
somewhere that we do inside of Cisco Talos

321
00:14:24,580 --> 00:14:28,460
from malware analysis, reverse engineering of hardware,

322
00:14:28,460 --> 00:14:32,100
software vulnerabilities, threat intelligence

323
00:14:32,100 --> 00:14:36,020
in a more pure sense, like we've got trained linguists

324
00:14:36,020 --> 00:14:38,940
or they speak that language as a other English

325
00:14:38,940 --> 00:14:40,900
as a second language, they speak their native languages

326
00:14:40,900 --> 00:14:44,820
and they surf the dark web looking for malicious activity

327
00:14:44,820 --> 00:14:47,660
and for any kind of tips that we can get.

328
00:14:47,660 --> 00:14:51,660
We've got a small platoon of just data scientists.

329
00:14:52,580 --> 00:14:55,940
We ingest about six petabytes of threat telemetry a day.

330
00:14:55,940 --> 00:15:00,100
So we have to think about how we are able to scrape

331
00:15:00,100 --> 00:15:03,100
that data then automate it to our customers

332
00:15:03,100 --> 00:15:04,260
to keep them protected.

333
00:15:04,260 --> 00:15:06,180
You know, the old Cisco saying, you know,

334
00:15:06,180 --> 00:15:08,900
see once, protect everywhere, is kind of like our mantra

335
00:15:08,900 --> 00:15:11,900
because if we see a malicious URL in email,

336
00:15:11,900 --> 00:15:14,260
I need to know that our XDR solution is gonna catch that.

337
00:15:14,260 --> 00:15:15,540
So on and so on.

338
00:15:15,540 --> 00:15:18,020
So we work tightly with our engineering folks.

339
00:15:19,300 --> 00:15:20,940
There's so much that I'm leaving out,

340
00:15:20,940 --> 00:15:23,500
like just to deliver threat intelligence products

341
00:15:23,500 --> 00:15:26,100
to our customers, like here's a report that we wrote.

342
00:15:26,100 --> 00:15:28,060
And I wanna note that we're not fee for service.

343
00:15:28,060 --> 00:15:30,580
So Martin and myself and the majority of my colleagues

344
00:15:30,580 --> 00:15:33,980
we're OPEX, we don't bill our time to anything.

345
00:15:33,980 --> 00:15:36,660
They want us focused on stopping bad people.

346
00:15:36,660 --> 00:15:38,540
So we're given the luxury of,

347
00:15:39,780 --> 00:15:43,580
in runway and to Cisco's credit to be able to go,

348
00:15:43,580 --> 00:15:45,300
let's just go find evil and stop it today,

349
00:15:45,300 --> 00:15:48,220
or let's go find evil and then help make everyone smarter

350
00:15:48,220 --> 00:15:50,220
and safer about knowing what's going on.

351
00:15:51,140 --> 00:15:55,300
I have to say, it's just me speaking about my past experiences

352
00:15:55,300 --> 00:15:56,900
and this crazy career I've had,

353
00:15:56,900 --> 00:15:58,820
it's been a privilege to really work here

354
00:15:58,820 --> 00:16:02,340
because you get exposed to things at such a high strata

355
00:16:02,340 --> 00:16:07,340
of importance that you're just sometimes you're flummoxed

356
00:16:07,340 --> 00:16:12,340
at just the enormity of the impact that your organization has,

357
00:16:12,420 --> 00:16:15,380
but the growth and the experiences you're gonna accrue

358
00:16:15,380 --> 00:16:17,900
as a cybersecurity professional are very profound.

359
00:16:19,060 --> 00:16:21,060
And yeah.

360
00:16:22,100 --> 00:16:27,100
Yeah, truly a great cause, the organization as a whole.

361
00:16:27,580 --> 00:16:31,020
I mean, just the concept of finding these threats,

362
00:16:31,020 --> 00:16:36,020
stopping bad things that are occurring, amazing.

363
00:16:36,260 --> 00:16:39,620
And like you said, see, yeah, the same see it once,

364
00:16:39,620 --> 00:16:40,820
stop it everywhere.

365
00:16:40,820 --> 00:16:45,820
So as a general example, seeing malware somewhere

366
00:16:46,180 --> 00:16:48,300
and then I guess pushing it out

367
00:16:48,300 --> 00:16:50,340
so that everybody's protected from that point

368
00:16:50,340 --> 00:16:53,580
is a large part of it.

369
00:16:53,580 --> 00:16:54,620
Yeah, so like, I mean,

370
00:16:54,620 --> 00:16:56,180
we're talking about six petabytes of data.

371
00:16:56,180 --> 00:16:58,860
So we're talking URL dispositions,

372
00:16:58,860 --> 00:17:01,420
reputation lookups, talking about emails.

373
00:17:02,300 --> 00:17:04,620
We're talking about binaries, malware.

374
00:17:04,620 --> 00:17:08,900
We're talking about what I call pre-perimeter.

375
00:17:08,900 --> 00:17:12,220
So like DNS resolutions, A record resolutions

376
00:17:12,220 --> 00:17:13,940
like Umbrella, our product Umbrella.

377
00:17:15,540 --> 00:17:18,100
It's kind of stem to stern and then all the way down

378
00:17:18,100 --> 00:17:21,260
to our firewalls where we have IDS or IDP running.

379
00:17:21,260 --> 00:17:22,540
So Snort, right?

380
00:17:23,780 --> 00:17:26,140
And that permeates, we're applicable

381
00:17:26,140 --> 00:17:28,820
because not every product uses every security intel feed

382
00:17:28,820 --> 00:17:33,780
ingest to be able to say, and to give what I think

383
00:17:33,780 --> 00:17:37,140
the most important thing that any security operations

384
00:17:37,140 --> 00:17:39,460
center analyst, any director of a SOC wants,

385
00:17:39,460 --> 00:17:42,300
which is context, we stopped the bad thing.

386
00:17:42,300 --> 00:17:45,180
Here's why you should care about this bad thing.

387
00:17:45,180 --> 00:17:47,100
If you care to know, right?

388
00:17:47,100 --> 00:17:50,940
And that context, like tying it to the MITRE framework,

389
00:17:50,940 --> 00:17:52,940
we stopped access was a prereconcerns

390
00:17:52,940 --> 00:17:54,620
or a lateral movement activity.

391
00:17:54,620 --> 00:17:57,860
Here's something to help you better understand this threat

392
00:17:57,860 --> 00:17:59,980
is really the core of what it is

393
00:17:59,980 --> 00:18:03,580
because six petabytes is a lot of data.

394
00:18:03,580 --> 00:18:04,580
Our data lake is massive

395
00:18:04,580 --> 00:18:08,220
because we're a very big organization, Cisco and Talos.

396
00:18:08,220 --> 00:18:10,820
But I'll give you a story.

397
00:18:10,820 --> 00:18:13,780
I was at RSA, gosh, five years ago, I guess.

398
00:18:13,780 --> 00:18:17,820
And our Cisco, I had the pleasure of working

399
00:18:17,820 --> 00:18:19,460
at Cisco booths, anyone who's coming by

400
00:18:19,460 --> 00:18:21,660
and talk about security, but across from us

401
00:18:21,660 --> 00:18:23,820
was another vendor's booth.

402
00:18:23,820 --> 00:18:25,700
And they had this marquee going around

403
00:18:25,700 --> 00:18:27,340
the edge of their booth saying,

404
00:18:27,340 --> 00:18:29,500
we see one trillion signals a day.

405
00:18:29,500 --> 00:18:32,540
And I was like, A, that's a big number,

406
00:18:32,540 --> 00:18:34,740
but B, also, what is a signal?

407
00:18:34,740 --> 00:18:37,500
And like, how do you even get to that number, right?

408
00:18:37,500 --> 00:18:39,420
Like, did you just pick a number out of a hat?

409
00:18:39,420 --> 00:18:41,700
Like, what kind of marketing razzle dazzle

410
00:18:41,700 --> 00:18:43,420
did you just sprinkle on that?

411
00:18:43,420 --> 00:18:45,580
And the context that I really took away from that

412
00:18:45,580 --> 00:18:48,580
was when I went back to think about how we talk about it,

413
00:18:48,580 --> 00:18:50,180
numbers are just numbers.

414
00:18:50,180 --> 00:18:53,100
It's what I get from, if it's one or one trillion,

415
00:18:53,100 --> 00:18:56,060
if I can't contextually tell you why that matters,

416
00:18:56,060 --> 00:18:57,900
then I'm not doing my job.

417
00:18:57,900 --> 00:19:00,100
And we're not giving you a quality product.

418
00:19:00,100 --> 00:19:04,700
So that's just kind of like what we think about a lot

419
00:19:04,700 --> 00:19:06,980
inside of Talos, how we interface with our customers

420
00:19:06,980 --> 00:19:08,220
and our communities and things like that.

421
00:19:08,220 --> 00:19:09,460
I kind of rambled a little bit,

422
00:19:09,460 --> 00:19:10,460
you see where I'm going?

423
00:19:10,460 --> 00:19:11,580
Yep.

424
00:19:11,580 --> 00:19:12,860
That was great.

425
00:19:12,860 --> 00:19:16,620
That actually, I was thinking about Batman when you said,

426
00:19:16,620 --> 00:19:19,500
just be the good guy and find the bad guys

427
00:19:19,500 --> 00:19:20,860
and punch them in the face.

428
00:19:20,860 --> 00:19:25,460
So I don't know if any of you guys are Marvel or DC Comics

429
00:19:25,460 --> 00:19:28,860
fans just throwing out there.

430
00:19:28,860 --> 00:19:31,060
Yeah, no, it's what we do, man.

431
00:19:31,060 --> 00:19:31,980
I love it.

432
00:19:31,980 --> 00:19:33,220
That's awesome.

433
00:19:33,220 --> 00:19:33,700
Awesome.

434
00:19:33,700 --> 00:19:38,260
So I do have the next question, and this was for you, Martin.

435
00:19:38,260 --> 00:19:41,660
And it goes a lot with the book and everything

436
00:19:41,660 --> 00:19:45,340
that you were just showing to us a few minutes ago.

437
00:19:45,340 --> 00:19:49,380
But how does Talos, what's the process,

438
00:19:49,380 --> 00:19:53,020
if you don't mind going over, how do we detect threats

439
00:19:53,020 --> 00:19:56,660
and how do we identify those, if you don't mind going over that?

440
00:19:56,660 --> 00:20:01,340
The key thing to think about is in this data lake,

441
00:20:01,340 --> 00:20:04,340
with all the visibility that we have as part of Cisco

442
00:20:04,340 --> 00:20:09,300
across the entire internet, it's really, really difficult

443
00:20:09,300 --> 00:20:13,340
for the bad guys to do anything malicious that we

444
00:20:13,340 --> 00:20:15,860
don't have a trace of somewhere.

445
00:20:15,860 --> 00:20:20,140
We will have somewhere in our telemetry the trace

446
00:20:20,140 --> 00:20:23,460
of the bad stuff that they're doing.

447
00:20:23,460 --> 00:20:26,740
And really, our game, if you wish,

448
00:20:26,740 --> 00:20:33,500
is to find what is actually happening in the threat

449
00:20:33,500 --> 00:20:36,540
landscape at the moment that's really important.

450
00:20:36,540 --> 00:20:40,860
So we've got loads and loads of bad stuff in our data,

451
00:20:40,860 --> 00:20:44,220
traces of bad guys doing bad things.

452
00:20:44,220 --> 00:20:48,620
And the question is more, it's not so much finding a needle

453
00:20:48,620 --> 00:20:53,220
in a haystack, it's finding a needle in a pile of needles.

454
00:20:53,220 --> 00:20:55,860
We've got all of these traces.

455
00:20:55,860 --> 00:20:58,340
The vast, vast majority of these traces

456
00:20:58,340 --> 00:20:59,580
are processed automatically.

457
00:20:59,580 --> 00:21:03,580
There's no way that we can analyze the data manually.

458
00:21:03,580 --> 00:21:06,700
But within all of that bad stuff that we find,

459
00:21:06,700 --> 00:21:08,780
the trick really becomes identifying

460
00:21:08,780 --> 00:21:12,980
what's different, what's new, what

461
00:21:12,980 --> 00:21:16,460
is actually significant that we're seeing now

462
00:21:16,460 --> 00:21:19,940
that's different from yesterday or different from last week.

463
00:21:19,940 --> 00:21:24,660
And it's that triage of identifying, OK, this thing here

464
00:21:24,660 --> 00:21:26,180
is different.

465
00:21:26,180 --> 00:21:30,460
And that's the stuff that we'll then pass to an analyst

466
00:21:30,460 --> 00:21:33,500
to go and take apart in great detail

467
00:21:33,500 --> 00:21:35,780
to really understand what's happening.

468
00:21:35,780 --> 00:21:38,180
And then from that, we can look at, OK,

469
00:21:38,180 --> 00:21:42,460
what do we need to change in order to detect this better?

470
00:21:42,460 --> 00:21:45,420
Do we just need a couple more signatures,

471
00:21:45,420 --> 00:21:49,220
or do we need to augment or change our protection

472
00:21:49,220 --> 00:21:51,220
in another way?

473
00:21:51,220 --> 00:21:56,100
So yeah, largely it's about data analysis.

474
00:21:56,100 --> 00:22:00,940
It's about treating large numbers of things

475
00:22:00,940 --> 00:22:04,620
automatically and getting the machines to do the heavy work.

476
00:22:04,620 --> 00:22:08,500
But then also identifying what's new, what's important,

477
00:22:08,500 --> 00:22:12,100
what's special, taking the time to understand that

478
00:22:12,100 --> 00:22:12,700
in detail.

479
00:22:12,700 --> 00:22:16,260
And then moving that security posture forward.

480
00:22:16,260 --> 00:22:18,900
Actually, one of the things that I hear sometimes

481
00:22:18,900 --> 00:22:22,380
and where I sort of see organizations going wrong

482
00:22:22,380 --> 00:22:24,980
is they have alerts on their firewall

483
00:22:24,980 --> 00:22:27,300
when they come through to their SOC.

484
00:22:27,300 --> 00:22:28,860
And then what they're trying to do

485
00:22:28,860 --> 00:22:33,100
is resolve every single one of these alerts.

486
00:22:33,100 --> 00:22:34,780
And their best analyst is the one

487
00:22:34,780 --> 00:22:37,020
that closes the most tickets in a day.

488
00:22:37,020 --> 00:22:39,580
And they'll be ever so proud to say, my best analyst,

489
00:22:39,580 --> 00:22:42,340
he can close a ticket in 30 seconds.

490
00:22:42,340 --> 00:22:43,740
Wow, what a guy, what a guy.

491
00:22:43,740 --> 00:22:45,180
And it's like, do you know what?

492
00:22:45,180 --> 00:22:46,300
Don't bother.

493
00:22:46,300 --> 00:22:47,300
Don't bother.

494
00:22:47,300 --> 00:22:53,380
Find the most important alert that you've had today.

495
00:22:53,380 --> 00:22:57,620
Spend a week working out what really, really happened here,

496
00:22:57,620 --> 00:22:59,340
what's really going on.

497
00:22:59,340 --> 00:23:02,460
Learn from that and move your security posture forward

498
00:23:02,460 --> 00:23:04,700
so you never ever get that alert again,

499
00:23:04,700 --> 00:23:06,820
or you never have to worry about it.

500
00:23:06,820 --> 00:23:09,460
It's really not a numbers game.

501
00:23:09,460 --> 00:23:11,740
It's about identifying what's important

502
00:23:11,740 --> 00:23:14,740
and then responding to that appropriately

503
00:23:14,740 --> 00:23:17,300
and moving the security posture forward,

504
00:23:17,300 --> 00:23:19,020
making the world a safer place,

505
00:23:19,020 --> 00:23:20,940
most importantly, making our customers safer,

506
00:23:20,940 --> 00:23:24,500
which is ultimately what we're about.

507
00:23:24,500 --> 00:23:26,980
The prioritization was one of the questions I had,

508
00:23:26,980 --> 00:23:30,420
and you just touched on that, because everyone listening here

509
00:23:30,420 --> 00:23:35,220
has huge amounts of, you know...

510
00:23:35,220 --> 00:23:39,660
Yeah, we're all just flooded with alerts,

511
00:23:39,660 --> 00:23:41,820
with bad stuff, with bad stuff happening.

512
00:23:41,820 --> 00:23:45,060
You know, we're up to our necks in bad stuff.

513
00:23:45,060 --> 00:23:46,660
Pick one thing.

514
00:23:46,660 --> 00:23:47,460
Prioritize.

515
00:23:47,460 --> 00:23:51,020
Find that one thing that's actually the worst thing

516
00:23:51,020 --> 00:23:53,900
or the most important thing or the most pressing thing.

517
00:23:53,900 --> 00:23:56,100
Fix it.

518
00:23:56,100 --> 00:23:57,660
And then you move forward a little bit,

519
00:23:57,660 --> 00:23:59,260
and it's like you're inching yourself

520
00:23:59,260 --> 00:24:02,140
out of that flood of threats,

521
00:24:02,140 --> 00:24:04,820
and little by little, you can move yourself forward.

522
00:24:04,820 --> 00:24:09,300
Ultimately, we've got to make life difficult for the bad guys.

523
00:24:09,300 --> 00:24:12,180
You know, most of the bad stuff out there,

524
00:24:12,180 --> 00:24:15,020
it isn't that difficult to detect

525
00:24:15,020 --> 00:24:18,180
if you've got the right protections in place.

526
00:24:18,180 --> 00:24:20,540
You know, make the easy stuff easy,

527
00:24:20,540 --> 00:24:23,500
and then the difficult stuff, the stuff that's complex,

528
00:24:23,500 --> 00:24:25,140
where we've got a sophisticated threat actor,

529
00:24:25,140 --> 00:24:27,260
and make life difficult for them.

530
00:24:27,260 --> 00:24:30,900
Make them have to work that little bit harder

531
00:24:30,900 --> 00:24:32,860
in the hope that either they'll go

532
00:24:32,860 --> 00:24:35,780
and attack your competitors rather than you

533
00:24:35,780 --> 00:24:37,740
because they'll think that you're difficult,

534
00:24:37,740 --> 00:24:41,500
whereas maybe your competition are an easier target.

535
00:24:41,500 --> 00:24:45,260
And also make it noisy so that you've got a better chance

536
00:24:45,260 --> 00:24:48,980
of actually noticing when something is going wrong,

537
00:24:48,980 --> 00:24:50,100
when there is an incursion.

538
00:24:50,100 --> 00:24:54,900
You know, making it difficult, making it noisy for the bad guys,

539
00:24:54,900 --> 00:24:57,380
reducing their return on investment.

540
00:24:57,380 --> 00:25:00,820
Make it a less profitable activity for them.

541
00:25:00,820 --> 00:25:03,500
But I imagine the behavioral base, like you were saying,

542
00:25:03,500 --> 00:25:07,500
what's different today than there was yesterday,

543
00:25:07,500 --> 00:25:10,180
is that more difficult to detect

544
00:25:10,180 --> 00:25:12,300
than something signature-based where it's like,

545
00:25:12,300 --> 00:25:16,620
this is just a known bad hash and we're, you know...

546
00:25:16,620 --> 00:25:20,580
If someone's using the same malicious tools

547
00:25:20,580 --> 00:25:23,380
time and time and time again without any changing,

548
00:25:23,380 --> 00:25:26,220
wonderful, we can just write a signature

549
00:25:26,220 --> 00:25:29,700
and then we can consign those to history.

550
00:25:29,700 --> 00:25:33,300
In the real world, it doesn't happen like that.

551
00:25:33,300 --> 00:25:35,940
Our best case scenario is they're subtly changing

552
00:25:35,940 --> 00:25:39,300
their tools every single time, so it's got a different hash value.

553
00:25:39,300 --> 00:25:43,500
So we have to look for indicators within a file,

554
00:25:43,500 --> 00:25:46,980
either in the static analysis or the dynamic analysis.

555
00:25:46,980 --> 00:25:51,260
So something that... a test that we can ask it to distinguish

556
00:25:51,260 --> 00:25:55,740
between is this legitimate or is this illegitimate software?

557
00:25:55,740 --> 00:25:58,500
And ultimately, none of those tests can give you...

558
00:25:58,500 --> 00:26:01,180
Well, we're very, very lucky if we find one that says,

559
00:26:01,180 --> 00:26:03,580
yes, absolutely, 100%, this is definitely bad,

560
00:26:03,580 --> 00:26:06,660
or yes, absolutely, 100%, this is definitely good,

561
00:26:06,660 --> 00:26:08,140
which basically becomes a signature.

562
00:26:08,140 --> 00:26:12,020
Mostly we're like, yeah, this is more likely to be bad than good,

563
00:26:12,020 --> 00:26:15,820
or yeah, it kind of looks a bit good, but...

564
00:26:15,820 --> 00:26:19,460
And then ultimately, you have to put all of those different tests

565
00:26:19,460 --> 00:26:22,980
together and look in the context to then decide,

566
00:26:22,980 --> 00:26:25,540
OK, this thing here, we've never seen it before,

567
00:26:25,540 --> 00:26:28,260
but all of the tests we've been able to ask it

568
00:26:28,260 --> 00:26:32,740
are saying, yeah, it really is looking pretty bad.

569
00:26:32,740 --> 00:26:37,780
No single test can give you that response, but many can.

570
00:26:37,780 --> 00:26:41,740
And then we can convict that and declare it bad.

571
00:26:41,740 --> 00:26:44,740
Life becomes a little bit more difficult when the bad guys

572
00:26:44,740 --> 00:26:47,500
are using what's called living off the land binary.

573
00:26:47,500 --> 00:26:53,220
So using the tools, which are an integral part of your operating

574
00:26:53,220 --> 00:26:55,900
system to do bad stuff.

575
00:26:55,900 --> 00:26:58,900
And that really is where the sport is.

576
00:26:58,900 --> 00:27:04,300
How do we detect when someone is using an entirely legitimate tool

577
00:27:04,300 --> 00:27:07,420
maliciously every time?

578
00:27:07,420 --> 00:27:09,100
There are fingerprints.

579
00:27:09,100 --> 00:27:11,460
The analogy I use, at the scene of every crime,

580
00:27:11,460 --> 00:27:14,420
there are big, sticky fingerprints.

581
00:27:14,420 --> 00:27:16,660
It's the same in cybercrime as well.

582
00:27:16,660 --> 00:27:19,100
Those fingerprints are there.

583
00:27:19,100 --> 00:27:20,620
You just have to look for them.

584
00:27:20,620 --> 00:27:23,820
You have to know what they look like, know where you might find it,

585
00:27:23,820 --> 00:27:25,780
and know how you show them up.

586
00:27:25,780 --> 00:27:28,660
But this is what we do.

587
00:27:28,660 --> 00:27:32,820
And if you know how to do it, fingerprints are there every time.

588
00:27:32,820 --> 00:27:33,540
Excellent.

589
00:27:33,540 --> 00:27:35,500
Excellent.

590
00:27:35,500 --> 00:27:36,300
Thank you, Martin.

591
00:27:36,300 --> 00:27:37,660
I'm learning so much on this one.

592
00:27:37,660 --> 00:27:38,180
I know.

593
00:27:38,180 --> 00:27:40,340
Martin, I'm buying your book after this call.

594
00:27:40,340 --> 00:27:41,100
I'm buying the book.

595
00:27:41,100 --> 00:27:41,740
Yeah, absolutely.

596
00:27:41,740 --> 00:27:42,740
Yeah, mate, go for it.

597
00:27:42,740 --> 00:27:45,300
It's on Amazon.

598
00:27:45,300 --> 00:27:48,300
Joe, I think it would be interesting to hear

599
00:27:48,300 --> 00:27:53,100
if you could walk us through just kind of high level the process,

600
00:27:53,100 --> 00:27:55,540
just so I can have it straight in my mind from discovering

601
00:27:55,540 --> 00:27:58,420
what Martin just said, discovering a threat,

602
00:27:58,420 --> 00:28:03,180
to getting something published for that threat on like a Cisco

603
00:28:03,180 --> 00:28:04,620
firewall, for example.

604
00:28:04,620 --> 00:28:06,820
How does Talos find a threat in the wild

605
00:28:06,820 --> 00:28:09,380
and get us through the update patch?

606
00:28:09,380 --> 00:28:12,100
And if you have an example of a real threat,

607
00:28:12,100 --> 00:28:13,500
that'd be really cool, I think.

608
00:28:13,500 --> 00:28:16,060
But I think that'd be interesting to hear.

609
00:28:16,060 --> 00:28:23,420
Yeah, so this is both science and an art.

610
00:28:23,420 --> 00:28:27,020
We actually, I think last year, maybe the year before,

611
00:28:27,020 --> 00:28:29,700
we published the art and science of detecting

612
00:28:29,700 --> 00:28:33,140
Cobalt Strike, which is an attack framework that exists,

613
00:28:33,140 --> 00:28:35,380
written by one of the most brilliant analysts

614
00:28:35,380 --> 00:28:41,540
that I know, a guy named Nick Mavis, who really, really chewed

615
00:28:41,540 --> 00:28:45,700
down to the bone the nuances of detecting beaconing

616
00:28:45,700 --> 00:28:48,540
and detecting things that our adversaries are going

617
00:28:48,540 --> 00:28:49,860
to utilize inside of a network.

618
00:28:49,860 --> 00:28:51,420
And first and foremost, the thing

619
00:28:51,420 --> 00:28:54,180
that has to happen for like a Snort signature,

620
00:28:54,180 --> 00:28:56,980
or one of our IDS or IDP signatures to work is, well,

621
00:28:56,980 --> 00:28:58,420
it has to traverse the network, right?

622
00:28:58,420 --> 00:29:01,340
So it has to move non-encrypted across the network,

623
00:29:01,340 --> 00:29:03,860
which a lot of stuff does.

624
00:29:03,860 --> 00:29:06,420
Then the thing we're going to need is a proof of concept.

625
00:29:06,420 --> 00:29:09,940
So what is this bad thing trying to do?

626
00:29:09,940 --> 00:29:12,820
So like, is it an SMB-based exploit?

627
00:29:12,820 --> 00:29:14,620
Is this a stack-based buffer overflow

628
00:29:14,620 --> 00:29:17,420
that we can catch traversing the network?

629
00:29:17,420 --> 00:29:25,740
Is this a weird URI that is a very, very specific thing

630
00:29:25,740 --> 00:29:27,860
that we can key on?

631
00:29:27,860 --> 00:29:29,260
And then we have to figure out how

632
00:29:29,260 --> 00:29:32,940
we're going to craft the most optimal detection for it.

633
00:29:32,940 --> 00:29:34,180
Snort's open source.

634
00:29:34,180 --> 00:29:35,500
Anyone can learn Snort.

635
00:29:35,500 --> 00:29:38,620
Anyone can write a signature if they want.

636
00:29:38,620 --> 00:29:43,460
The levels of finesse and care and quality assurance

637
00:29:43,460 --> 00:29:46,900
we put into our detection is unreal.

638
00:29:46,900 --> 00:29:49,300
Because A, we're the experts in it.

639
00:29:49,300 --> 00:29:50,500
We invented it.

640
00:29:50,500 --> 00:29:53,020
But B, because it's such a popular framework

641
00:29:53,020 --> 00:29:55,860
and such an easy, I think, ingest and use,

642
00:29:55,860 --> 00:29:57,900
and there's great documentation for it,

643
00:29:57,900 --> 00:30:00,380
we actually spent a lot of our time looking at community rules.

644
00:30:00,380 --> 00:30:02,220
And maybe there's something there we can abstract.

645
00:30:02,220 --> 00:30:04,260
And maybe there's something we can give them.

646
00:30:04,260 --> 00:30:06,540
To say you cannot reverse engineer a Snort

647
00:30:06,540 --> 00:30:08,980
will learn exactly what the exploit is

648
00:30:08,980 --> 00:30:11,820
doesn't quite work that way.

649
00:30:11,820 --> 00:30:15,380
But it's built upon a community that I

650
00:30:15,380 --> 00:30:18,620
shared knowledge over two and a half decades now, I guess,

651
00:30:18,620 --> 00:30:20,820
or three decades early.

652
00:30:20,820 --> 00:30:22,340
So once we have the proof of concept,

653
00:30:22,340 --> 00:30:24,700
then we need to figure out that optimal way to detection.

654
00:30:24,700 --> 00:30:27,180
And there's a lot of ways to write detection in snort.

655
00:30:27,180 --> 00:30:31,100
But we want to write the most efficient thing that

656
00:30:31,100 --> 00:30:34,980
triggers on the most precise element of that exploit

657
00:30:34,980 --> 00:30:37,300
that we're trying to catch going across the wire.

658
00:30:37,300 --> 00:30:39,340
And the reason for it is real simple

659
00:30:39,340 --> 00:30:42,660
that we're working in a finite state of resources,

660
00:30:42,660 --> 00:30:45,420
say for a firewall or whatever is doing that detection.

661
00:30:45,420 --> 00:30:47,940
And if it has the inspectors turned on

662
00:30:47,940 --> 00:30:50,140
for a specific protocol, and it's

663
00:30:50,140 --> 00:30:53,260
doing the process of parsing as HTTP

664
00:30:53,260 --> 00:30:56,260
or whatever is traversing across that firewall,

665
00:30:56,260 --> 00:30:58,260
well, we need to be conscious of the resources

666
00:30:58,260 --> 00:30:59,700
inside that machine.

667
00:30:59,700 --> 00:31:02,620
So if you were to turn on, and I don't ever recommend

668
00:31:02,620 --> 00:31:04,580
you do this, if you were to turn on every Snort

669
00:31:04,580 --> 00:31:08,300
rule we've ever given you inside of our firewalls,

670
00:31:08,300 --> 00:31:11,900
congratulations, you've just got a very hot paperweight

671
00:31:11,900 --> 00:31:14,460
inside of you that you've just racked.

672
00:31:14,460 --> 00:31:18,340
Because it's a fine example of shooting yourself in the foot,

673
00:31:18,340 --> 00:31:21,540
but also demonstrating that turning on all your inspectors

674
00:31:21,540 --> 00:31:24,780
and then looking at every single packet in a gazillion ways

675
00:31:24,780 --> 00:31:26,660
is just not efficient.

676
00:31:26,660 --> 00:31:28,580
So what you really want to do here

677
00:31:28,580 --> 00:31:30,460
is we want to just be the best we

678
00:31:30,460 --> 00:31:34,380
can be while utilizing the most effective way.

679
00:31:34,380 --> 00:31:35,980
And it really is an art.

680
00:31:35,980 --> 00:31:37,980
It absolutely is an art.

681
00:31:37,980 --> 00:31:40,300
I'll give you a specific example like you asked for.

682
00:31:40,300 --> 00:31:43,700
I was at a conference and a really nasty vulnerability

683
00:31:43,700 --> 00:31:45,180
dropped, and I was with one of the guys

684
00:31:45,180 --> 00:31:48,340
that I had hired, a brilliant reverse engineer named Jared.

685
00:31:48,340 --> 00:31:51,940
And we didn't have much to go on.

686
00:31:51,940 --> 00:31:53,300
We knew that it was a thing.

687
00:31:53,300 --> 00:31:57,060
We knew the researcher who had announced the vulnerability.

688
00:31:57,060 --> 00:31:59,140
But what you typically see in this space

689
00:31:59,140 --> 00:32:01,220
is people will announce the bad thing

690
00:32:01,220 --> 00:32:04,020
and then give you no technical or forensic details around it.

691
00:32:04,020 --> 00:32:05,900
And you're like, I can't do anything

692
00:32:05,900 --> 00:32:08,300
without forensic details, right?

693
00:32:08,300 --> 00:32:10,940
Well, we found a presentation this guy gave,

694
00:32:10,940 --> 00:32:13,580
and he didn't list the entire attack chain,

695
00:32:13,580 --> 00:32:17,980
but he did list the hex string he used to exploit this device.

696
00:32:17,980 --> 00:32:23,140
I found it on a Slido competitor from five years prior.

697
00:32:23,140 --> 00:32:25,060
I took that string out, that hex string.

698
00:32:25,060 --> 00:32:26,180
I gave it to my guy.

699
00:32:26,180 --> 00:32:29,060
He was actually able to write a Python environment

700
00:32:29,060 --> 00:32:31,660
and script it where that hex string would then

701
00:32:31,660 --> 00:32:34,620
pass across the wire unencrypted.

702
00:32:34,620 --> 00:32:36,660
And then we would get a Snort word for that

703
00:32:36,660 --> 00:32:39,100
if anyone attempted to exploit that.

704
00:32:39,100 --> 00:32:41,660
It was a Siemens PLC, programmable logic controller.

705
00:32:41,660 --> 00:32:43,340
We were actually able to catch that.

706
00:32:43,340 --> 00:32:47,220
But to do that, find it, quasi-weaponize it

707
00:32:47,220 --> 00:32:51,060
so we can detect it was just the ridiculous layers

708
00:32:51,060 --> 00:32:54,620
of reverse engineering we had to do to be able to craft that

709
00:32:54,620 --> 00:32:56,220
and to detect it.

710
00:32:56,220 --> 00:32:58,940
Detection, mind you.

711
00:32:58,940 --> 00:33:00,500
We were working completely separate.

712
00:33:00,500 --> 00:33:03,220
And this is an example of what an analyst, they

713
00:33:03,220 --> 00:33:07,020
might be given an absolute rotten potato of a proof

714
00:33:07,020 --> 00:33:10,540
of concept and very little data to go off of.

715
00:33:10,540 --> 00:33:13,180
And they'll have to figure out how to recreate that,

716
00:33:13,180 --> 00:33:15,860
get that into an environment, and then test the heck out

717
00:33:15,860 --> 00:33:16,380
of it.

718
00:33:16,380 --> 00:33:18,180
If it's going to false positive a lot,

719
00:33:18,180 --> 00:33:20,340
so it's going to trigger illegitimate traffic,

720
00:33:20,340 --> 00:33:22,140
it just might not be a good signature.

721
00:33:22,140 --> 00:33:23,640
And we're going to have to bend it.

722
00:33:23,640 --> 00:33:24,900
We can't keep it, right?

723
00:33:24,900 --> 00:33:28,260
So we have to think about how do we do all of these things

724
00:33:28,260 --> 00:33:30,140
in the most sane way?

725
00:33:30,140 --> 00:33:32,540
We don't err always on the side of detection

726
00:33:32,540 --> 00:33:34,820
because we have to think about our customers, the customer

727
00:33:34,820 --> 00:33:35,380
experience.

728
00:33:35,380 --> 00:33:38,660
And are they getting the best possible product

729
00:33:38,660 --> 00:33:41,940
for our detection every single time they enable a signature?

730
00:33:41,940 --> 00:33:44,260
Yeah.

731
00:33:44,260 --> 00:33:45,100
That was crazy.

732
00:33:45,100 --> 00:33:47,020
A lot of detail on that one.

733
00:33:47,020 --> 00:33:47,520
Yes.

734
00:33:50,460 --> 00:33:53,300
Yeah.

735
00:33:53,300 --> 00:33:54,340
Actually, hold on.

736
00:33:54,340 --> 00:33:54,840
Hold on.

737
00:33:54,840 --> 00:33:55,340
Hold on.

738
00:33:55,340 --> 00:33:57,700
I have my notes here.

739
00:33:57,700 --> 00:34:00,660
So that was crazy detail.

740
00:34:00,660 --> 00:34:04,380
I just want to say that the process that goes behind it,

741
00:34:04,380 --> 00:34:06,980
I think, doesn't get talked too much about.

742
00:34:06,980 --> 00:34:09,260
And that was really good.

743
00:34:09,260 --> 00:34:10,940
I appreciate the level of detail.

744
00:34:10,940 --> 00:34:16,660
I know the people that come to our webinar

745
00:34:16,660 --> 00:34:18,740
are highly technical.

746
00:34:18,740 --> 00:34:23,540
And this is something that they will appreciate as well.

747
00:34:23,540 --> 00:34:26,460
It's wild, the example, just finding that hex string.

748
00:34:26,460 --> 00:34:29,380
And what you said is from like five years ago

749
00:34:29,380 --> 00:34:31,180
on some PowerPoint slide, man.

750
00:34:31,180 --> 00:34:33,580
Dude, we got so lucky that I found that.

751
00:34:33,580 --> 00:34:36,140
Because I looked at it, and I'm like, this is Greek to me.

752
00:34:36,140 --> 00:34:38,740
And the guy that I brought with me for this conference

753
00:34:38,740 --> 00:34:41,140
looks at me and goes, I think I can do this.

754
00:34:41,140 --> 00:34:46,020
And because we hire just some smart, smart hackers

755
00:34:46,020 --> 00:34:49,300
inside of Talos, he had that thing literally

756
00:34:49,300 --> 00:34:52,420
in a Python script simulating network traffic

757
00:34:52,420 --> 00:34:55,460
and a signature written within an hour.

758
00:34:55,460 --> 00:34:59,620
And I'm like, that was one of those hires

759
00:34:59,620 --> 00:35:00,380
when I hired the guy.

760
00:35:00,380 --> 00:35:01,380
I'm like, high five, Joe.

761
00:35:01,380 --> 00:35:01,980
You did a good job.

762
00:35:01,980 --> 00:35:02,580
Yes.

763
00:35:02,580 --> 00:35:03,340
Yeah.

764
00:35:03,340 --> 00:35:06,060
So I was like, yeah, this was awesome.

765
00:35:06,060 --> 00:35:09,020
But we just got very lucky.

766
00:35:09,020 --> 00:35:10,940
So a good example would be, let's

767
00:35:10,940 --> 00:35:13,860
say, the manufacturer of this meter.

768
00:35:13,860 --> 00:35:15,060
Who made this meter?

769
00:35:15,060 --> 00:35:15,980
I don't remember.

770
00:35:15,980 --> 00:35:17,180
I don't want to out anybody.

771
00:35:17,180 --> 00:35:18,260
Landis+Gyr.

772
00:35:18,260 --> 00:35:20,220
Landis+Gyr makes this meter.

773
00:35:20,220 --> 00:35:22,740
Let's say a bad vulnerability, a zero day, something really

774
00:35:22,740 --> 00:35:24,260
nasty drops.

775
00:35:24,260 --> 00:35:27,980
They're not going to give you the complete forensic details,

776
00:35:27,980 --> 00:35:29,940
but they will say, you should probably

777
00:35:29,940 --> 00:35:32,940
go patch your device because this is bad.

778
00:35:32,940 --> 00:35:35,020
That doesn't help us in Talos because we

779
00:35:35,020 --> 00:35:38,500
need technical specificity to make sure our customers,

780
00:35:38,500 --> 00:35:41,220
our communities, our open source communities, and our customers

781
00:35:41,220 --> 00:35:42,580
are protected.

782
00:35:42,580 --> 00:35:44,780
So there's sometimes you're just going to catch an L

783
00:35:44,780 --> 00:35:46,860
and you're going to be like, without any details,

784
00:35:46,860 --> 00:35:47,980
I can't do this.

785
00:35:47,980 --> 00:35:52,180
We do have information sharing agreements all enshrined

786
00:35:52,180 --> 00:35:55,820
legally in NDAs that lets us swap information with others

787
00:35:55,820 --> 00:35:58,740
to make sure that we can get the technical details.

788
00:35:58,740 --> 00:36:00,380
Sometimes you just strike out.

789
00:36:00,380 --> 00:36:01,780
There's no guarantees you're going

790
00:36:01,780 --> 00:36:02,780
to find that information.

791
00:36:02,780 --> 00:36:05,220
And it can be pretty frustrating, unfortunately.

792
00:36:05,220 --> 00:36:07,700
But that's basically how it kind of works.

793
00:36:07,700 --> 00:36:09,780
Yeah.

794
00:36:09,780 --> 00:36:11,380
Fascinating.

795
00:36:11,380 --> 00:36:12,260
Yeah.

796
00:36:12,260 --> 00:36:16,620
And I'm going to jump right into another question

797
00:36:16,620 --> 00:36:17,820
that I have right here.

798
00:36:17,820 --> 00:36:21,380
And this one's for you, Martin.

799
00:36:21,380 --> 00:36:22,860
Incident response.

800
00:36:22,860 --> 00:36:25,620
This is in the minds of all our customers and everybody

801
00:36:25,620 --> 00:36:28,460
that is in the show.

802
00:36:28,460 --> 00:36:36,620
And more likely into the reactive scenarios,

803
00:36:36,620 --> 00:36:41,260
let's take, for example, a quick example about what

804
00:36:41,260 --> 00:36:44,700
do we see in incident response, reactive services.

805
00:36:44,700 --> 00:36:46,940
What do we do from the Talos perspective?

806
00:36:46,940 --> 00:36:49,340
And if you don't mind talking a little bit about that,

807
00:36:49,340 --> 00:36:50,980
that would be awesome.

808
00:36:50,980 --> 00:36:54,700
The Talos incident response retainer

809
00:36:54,700 --> 00:36:58,340
is basically where the customers buy a certain number

810
00:36:58,340 --> 00:37:02,140
of our analysts' hours.

811
00:37:02,140 --> 00:37:06,060
And you can save up these hours for a rainy day

812
00:37:06,060 --> 00:37:09,220
when you have an incident, when you have an emergency.

813
00:37:09,220 --> 00:37:12,340
The trick, really, and I'll bypass your question

814
00:37:12,340 --> 00:37:16,340
a little bit, the best thing that can happen

815
00:37:16,340 --> 00:37:19,380
is that you don't ever have an incident.

816
00:37:19,380 --> 00:37:22,020
And what you can do is you can use these hours

817
00:37:22,020 --> 00:37:25,420
for our proactive services, where

818
00:37:25,420 --> 00:37:31,540
you can talk to our analysts who will help you or test

819
00:37:31,540 --> 00:37:35,580
your systems to make sure that you're in a very, very good

820
00:37:35,580 --> 00:37:39,940
position and you're less likely to experience an incident.

821
00:37:39,940 --> 00:37:42,700
If you do experience an incident,

822
00:37:42,700 --> 00:37:45,500
you've got those hours on hand that you

823
00:37:45,500 --> 00:37:49,220
can use to talk with our analysts.

824
00:37:49,220 --> 00:37:51,260
They can take charge of the incident

825
00:37:51,260 --> 00:37:53,380
because for the customers experiencing the incident,

826
00:37:53,380 --> 00:37:58,820
ideally, this should be a once in a career event.

827
00:37:58,820 --> 00:38:01,340
You're having a breach, having something go wrong.

828
00:38:01,340 --> 00:38:04,100
This is going to happen to you once in your career.

829
00:38:04,100 --> 00:38:06,820
For our analysts, for our incident response analysts,

830
00:38:06,820 --> 00:38:10,100
this is what we do every day of the year.

831
00:38:10,100 --> 00:38:12,420
So our analysts know exactly what to do,

832
00:38:12,420 --> 00:38:16,140
exactly how to respond, exactly where to find the bad guy,

833
00:38:16,140 --> 00:38:17,980
exactly how to kick them out.

834
00:38:17,980 --> 00:38:21,340
So for the reactive services, you

835
00:38:21,340 --> 00:38:24,660
call on the help of our analysts.

836
00:38:24,660 --> 00:38:26,300
They will come in.

837
00:38:26,300 --> 00:38:30,420
They'll resolve the incident, find where the bad guy is,

838
00:38:30,420 --> 00:38:33,140
kick them out, tell you what happened,

839
00:38:33,140 --> 00:38:38,020
and then also harden the system so the bad guy can't come in.

840
00:38:38,020 --> 00:38:43,180
We're used to working with any kind of environment.

841
00:38:43,180 --> 00:38:47,460
I mean, it would be lovely if everyone bought only Cisco gear.

842
00:38:47,460 --> 00:38:51,500
The reality is, no, people are buying from other vendors.

843
00:38:51,500 --> 00:38:53,060
But that's absolutely fine.

844
00:38:53,060 --> 00:38:57,180
We're used to working in these heterogeneous environments

845
00:38:57,180 --> 00:38:59,420
where there's all sorts of tools, all sorts of systems,

846
00:38:59,420 --> 00:39:02,020
for all sorts of different vendors.

847
00:39:02,020 --> 00:39:05,500
We'll come in, resolve the situation,

848
00:39:05,500 --> 00:39:08,140
identify what's happened, kick the bad guy out,

849
00:39:08,140 --> 00:39:11,620
and remediate your systems, and then harden them

850
00:39:11,620 --> 00:39:13,420
so the bad guy doesn't come back.

851
00:39:13,420 --> 00:39:17,700
This is what our responsive services are all about.

852
00:39:17,700 --> 00:39:19,740
But I think, I mean, to anyone on the call,

853
00:39:19,740 --> 00:39:24,820
really the ones to look for are the proactive services.

854
00:39:24,820 --> 00:39:28,900
You know, you want to minimize the number of emergencies

855
00:39:28,900 --> 00:39:31,100
you have, and you can use the hours

856
00:39:31,100 --> 00:39:32,500
that you're buying for the retainer

857
00:39:32,500 --> 00:39:34,340
for those proactive services, which

858
00:39:34,340 --> 00:39:39,220
is going to make those emergencies less likely.

859
00:39:39,220 --> 00:39:40,180
That's awesome.

860
00:39:40,180 --> 00:39:40,860
That's good.

861
00:39:40,860 --> 00:39:44,820
I mean, we see customers call every day, Mike, right?

862
00:39:44,820 --> 00:39:48,180
That they have questions about this.

863
00:39:48,180 --> 00:39:52,420
This really helps understand what really is

864
00:39:52,420 --> 00:39:54,100
that we're talking about.

865
00:39:54,100 --> 00:39:57,260
That's so true about the proactive services, Martin.

866
00:39:57,260 --> 00:40:00,060
You can prevent getting to the point of the emergency.

867
00:40:00,060 --> 00:40:02,420
Like I said, that's great.

868
00:40:02,420 --> 00:40:04,060
And I guess, Martin, would that be

869
00:40:04,060 --> 00:40:08,220
some of the tabletop exercises and the telestill?

870
00:40:08,220 --> 00:40:09,140
Yeah, absolutely.

871
00:40:09,140 --> 00:40:12,860
Yeah, the tabletop, so working through what a bad guy's

872
00:40:12,860 --> 00:40:17,820
likely to do and how you would respond to that.

873
00:40:17,820 --> 00:40:19,980
We can also check your playbooks,

874
00:40:19,980 --> 00:40:25,420
so the procedures that you have ready for a bad day.

875
00:40:25,420 --> 00:40:29,100
You know, how are you going to detect if there's a breach?

876
00:40:29,100 --> 00:40:31,860
You know, the bad guy's not necessarily going to tell you.

877
00:40:31,860 --> 00:40:34,300
How are you going to detect if there's a breach or you

878
00:40:34,300 --> 00:40:35,420
have an incursion?

879
00:40:35,420 --> 00:40:38,300
What are you going to do when that happens?

880
00:40:38,300 --> 00:40:40,180
How do you respond?

881
00:40:40,180 --> 00:40:43,820
What other groups do you need to involve?

882
00:40:43,820 --> 00:40:45,700
For our incident response analysts,

883
00:40:45,700 --> 00:40:46,620
this is what they do.

884
00:40:46,620 --> 00:40:47,780
They've seen it all.

885
00:40:47,780 --> 00:40:49,580
So they can help the customers.

886
00:40:49,580 --> 00:40:52,220
One, I mean, it might really help to say, actually,

887
00:40:52,220 --> 00:40:52,900
do you know what?

888
00:40:52,900 --> 00:40:55,140
These incident response procedures that you've got here,

889
00:40:55,140 --> 00:40:56,460
this is as good as it gets.

890
00:40:56,460 --> 00:40:59,220
You know, you guys are doing really, really well.

891
00:40:59,220 --> 00:41:01,780
Or working through it and say, OK, you know,

892
00:41:01,780 --> 00:41:04,740
all of your coordination is built around email.

893
00:41:04,740 --> 00:41:05,620
This is great.

894
00:41:05,620 --> 00:41:08,020
What happens if the bad guy hits your email server?

895
00:41:08,020 --> 00:41:11,380
And you can no longer send and receive email?

896
00:41:11,380 --> 00:41:12,500
Do you have a backup?

897
00:41:12,500 --> 00:41:14,780
What else are you going to do?

898
00:41:14,780 --> 00:41:17,300
This is the kind of scenarios that we've come across.

899
00:41:17,300 --> 00:41:21,100
We can use that knowledge of real world examples,

900
00:41:21,100 --> 00:41:23,540
helping the customers, working it through,

901
00:41:23,540 --> 00:41:25,660
improving their posture.

902
00:41:25,660 --> 00:41:29,740
I think a very good way to think of it is like the fire service.

903
00:41:29,740 --> 00:41:33,140
You know, if you've got a fire actually happening now

904
00:41:33,140 --> 00:41:35,780
in your office, of course, here, you're going to call the fire

905
00:41:35,780 --> 00:41:36,220
service.

906
00:41:36,220 --> 00:41:37,020
They're going to rush around.

907
00:41:37,020 --> 00:41:38,580
They're going to put the fire out.

908
00:41:38,580 --> 00:41:42,620
What you really want to do is talk to your fire prevention

909
00:41:42,620 --> 00:41:46,580
services before then and start talking about, you know,

910
00:41:46,580 --> 00:41:48,220
do you have the fire extinguishers?

911
00:41:48,220 --> 00:41:49,660
Where are the fire extinguishers?

912
00:41:49,660 --> 00:41:50,900
Have you tested them?

913
00:41:50,900 --> 00:41:53,900
You know, are they suitable fire extinguishers for all the stuff

914
00:41:53,900 --> 00:41:54,660
that you're working with?

915
00:41:54,660 --> 00:41:55,980
Do you have a fire alarm?

916
00:41:55,980 --> 00:41:56,940
Do you practice?

917
00:41:56,940 --> 00:41:58,140
Do you have rehearsals?

918
00:41:58,140 --> 00:41:59,820
Do you have a smoke detector?

919
00:41:59,820 --> 00:42:03,580
It's these questions that actually you

920
00:42:03,580 --> 00:42:08,340
want to resolve early so that if there is an incident, one,

921
00:42:08,340 --> 00:42:10,140
you're detecting it early.

922
00:42:10,140 --> 00:42:12,420
You're also responding early, so you're

923
00:42:12,420 --> 00:42:14,220
minimizing the consequences.

924
00:42:14,220 --> 00:42:17,900
But then when you are bringing in that response,

925
00:42:17,900 --> 00:42:20,860
it's not a major problem and everything's on fire

926
00:42:20,860 --> 00:42:22,300
and nobody knows what to do.

927
00:42:22,300 --> 00:42:24,180
It's like, OK, we've got a problem,

928
00:42:24,180 --> 00:42:25,580
but we think we've contained it.

929
00:42:25,580 --> 00:42:28,020
And we think that we're on top of this.

930
00:42:28,020 --> 00:42:31,540
You know, so much in any form of engineering,

931
00:42:31,540 --> 00:42:34,660
it's about thinking what can possibly go wrong?

932
00:42:34,660 --> 00:42:37,660
How can I minimize the chances of this happening

933
00:42:37,660 --> 00:42:40,300
and minimize the consequences if it does happen?

934
00:42:40,300 --> 00:42:42,420
And really, this is what our incident response

935
00:42:42,420 --> 00:42:45,220
services are all about.

936
00:42:45,220 --> 00:42:46,100
Excellent.

937
00:42:46,100 --> 00:42:49,540
And I know it's got to save so much more money investing

938
00:42:49,540 --> 00:42:51,660
in some fire extinguishers, talking to the fire safety

939
00:42:51,660 --> 00:42:55,780
teams, opposed to rebuilding your office,

940
00:42:55,780 --> 00:42:57,700
paying for all the fire truck service.

941
00:42:57,700 --> 00:43:00,820
So great point there, Martin.

942
00:43:00,820 --> 00:43:02,980
Yeah, and rehearse.

943
00:43:02,980 --> 00:43:06,460
Have those rehearsals so that when a bad day happens,

944
00:43:06,460 --> 00:43:08,540
and it does happen, it will happen,

945
00:43:08,540 --> 00:43:10,060
everyone knows what to do.

946
00:43:10,060 --> 00:43:12,140
And it's just, yeah, yeah, yeah, we practiced it.

947
00:43:12,140 --> 00:43:13,460
We practiced this last month.

948
00:43:13,460 --> 00:43:15,140
We practiced this six months ago.

949
00:43:15,140 --> 00:43:19,020
And it's just a simple something that you go through.

950
00:43:19,020 --> 00:43:20,180
Everyone knows what to do.

951
00:43:20,180 --> 00:43:21,700
Everyone knows how to respond.

952
00:43:21,700 --> 00:43:23,220
And it just becomes, yeah, it's something

953
00:43:23,220 --> 00:43:24,780
that somebody didn't want to happen,

954
00:43:24,780 --> 00:43:27,620
but we dealt with it rather than, oh, my god,

955
00:43:27,620 --> 00:43:29,820
this is an absolute disaster.

956
00:43:29,820 --> 00:43:30,940
Everything's falling down.

957
00:43:30,940 --> 00:43:33,420
We don't know what to do.

958
00:43:33,420 --> 00:43:35,100
Great.

959
00:43:35,100 --> 00:43:36,460
So let's see.

960
00:43:36,460 --> 00:43:37,820
Andres, what do we got here?

961
00:43:37,820 --> 00:43:41,300
I could talk with you guys all day.

962
00:43:41,300 --> 00:43:43,100
This is awesome.

963
00:43:43,100 --> 00:43:45,420
We got one more question for each of you.

964
00:43:45,420 --> 00:43:47,900
Maybe we'll have time for the dad jokes one or two.

965
00:43:47,900 --> 00:43:50,900
We'll see.

966
00:43:50,900 --> 00:43:53,980
Joe, maybe quickly, for the audience listening in,

967
00:43:53,980 --> 00:43:55,580
this is all very fascinating.

968
00:43:55,580 --> 00:43:57,140
And we're talking about fingerprints

969
00:43:57,140 --> 00:44:02,140
and being proactive versus reactive as possible.

970
00:44:02,140 --> 00:44:05,820
What do you guys in Talos see as some of the most common ways

971
00:44:05,820 --> 00:44:07,820
our customers are getting attacked?

972
00:44:07,820 --> 00:44:09,180
Is there any low hanging fruit?

973
00:44:09,180 --> 00:44:10,900
Someone in the audience listening,

974
00:44:10,900 --> 00:44:15,340
like, I need to be a little more invested in my own security.

975
00:44:15,340 --> 00:44:19,380
Any high level recommendations about what you guys see

976
00:44:19,380 --> 00:44:22,500
would be a good place to start?

977
00:44:22,500 --> 00:44:26,260
Yeah, tough question, actually, because the threat risk model

978
00:44:26,260 --> 00:44:29,900
is different for personal versus corporate, right?

979
00:44:29,900 --> 00:44:35,260
So if you're a professional, if you're a security practitioner

980
00:44:35,260 --> 00:44:40,060
in that corporate environment, there's a number of ways.

981
00:44:40,060 --> 00:44:41,860
Phishing is always going to be great,

982
00:44:41,860 --> 00:44:44,460
primarily because it's cheap.

983
00:44:44,460 --> 00:44:45,820
The adversaries can do it.

984
00:44:45,820 --> 00:44:49,020
They spend fractions of a penny, blast out emails.

985
00:44:49,020 --> 00:44:52,580
Someone will open the email and click something they should not.

986
00:44:52,580 --> 00:44:55,220
If it's dumb and it works, it is not dumb.

987
00:44:55,220 --> 00:44:59,140
What I kind of see, there's a pivot there.

988
00:44:59,140 --> 00:45:01,580
They're going more to QR code based attacks

989
00:45:01,580 --> 00:45:03,060
and so those emails.

990
00:45:03,060 --> 00:45:05,260
And we can detect the QR codes,

991
00:45:05,260 --> 00:45:07,980
but there's evasion tactics around that as well,

992
00:45:07,980 --> 00:45:10,060
because what if I access it on my mobile device?

993
00:45:10,060 --> 00:45:12,340
How do I protect myself yet again?

994
00:45:12,340 --> 00:45:16,460
So the threat vectors are always changing from a corporate way,

995
00:45:16,460 --> 00:45:19,940
so like with phishing, but also like we have unpatched,

996
00:45:19,940 --> 00:45:22,060
unmanaged devices on my perimeter.

997
00:45:22,060 --> 00:45:24,660
And I've got a firewall.

998
00:45:24,660 --> 00:45:26,140
I haven't patched in three years.

999
00:45:26,140 --> 00:45:27,900
An adversary, a nation state,

1000
00:45:27,900 --> 00:45:30,060
can exploit that to gain a foothold

1001
00:45:30,060 --> 00:45:31,700
and then pivot either intercept traffic

1002
00:45:31,700 --> 00:45:35,860
or pivot deeper into your network and do damage, right?

1003
00:45:35,860 --> 00:45:38,660
And whether you're a nation state or what I call like, you know,

1004
00:45:38,660 --> 00:45:40,260
crimeware or commodity based,

1005
00:45:40,260 --> 00:45:43,260
like ransomware attacks or cartel,

1006
00:45:43,260 --> 00:45:45,500
like these things truly don't change

1007
00:45:45,500 --> 00:45:47,700
because they're going to throw the kitchen sink at you

1008
00:45:47,700 --> 00:45:49,260
to find a way to get in.

1009
00:45:49,260 --> 00:45:52,300
What might change is the level of noise they want to make

1010
00:45:52,300 --> 00:45:55,700
once they're inside of your network.

1011
00:45:55,700 --> 00:45:58,900
I would say those are two of the most common ways,

1012
00:45:58,900 --> 00:46:01,300
high level, what we see, and I could drill down into both,

1013
00:46:01,300 --> 00:46:03,860
but I'm not going to for the time.

1014
00:46:03,860 --> 00:46:08,260
I will say this, like if we want to talk about low hanging fruit

1015
00:46:08,260 --> 00:46:11,860
and sort of tacking onto what Martin was saying earlier

1016
00:46:11,860 --> 00:46:15,500
about our incident response stuff that we do is,

1017
00:46:15,500 --> 00:46:18,460
30% of all our emergency response cases,

1018
00:46:18,460 --> 00:46:21,300
like, so something's on fire and we're coming to help you put it out,

1019
00:46:21,300 --> 00:46:24,860
the victim did not have MFA solutions installed.

1020
00:46:24,860 --> 00:46:28,420
So having a multifactor authentication solution,

1021
00:46:28,420 --> 00:46:31,220
both personally and from a professional perspective

1022
00:46:31,220 --> 00:46:34,820
is absolutely invaluable.

1023
00:46:34,820 --> 00:46:38,700
Having a password manager, a password vault,

1024
00:46:38,700 --> 00:46:41,900
I'm like 1Password, LastPass, I don't care who you use,

1025
00:46:41,900 --> 00:46:46,100
is also an A plus way to protect yourself.

1026
00:46:46,100 --> 00:46:47,620
Don't reuse your passwords

1027
00:46:47,620 --> 00:46:50,700
because data breaches are multiplicative.

1028
00:46:50,700 --> 00:46:52,900
If I get breached here, I can read those credentials

1029
00:46:52,900 --> 00:46:55,300
perhaps somewhere else and create more damage for you

1030
00:46:55,300 --> 00:46:57,900
or attack your environment, your corporate environment.

1031
00:46:57,900 --> 00:47:01,220
So like those two things to me are low hanging fruit,

1032
00:47:01,220 --> 00:47:04,820
low investment dollars, high return on value

1033
00:47:04,820 --> 00:47:09,300
that I would highly recommend to help prevent and mitigate

1034
00:47:09,300 --> 00:47:12,820
some of those attacks, but of course there's no fantasy,

1035
00:47:12,820 --> 00:47:14,500
there's no silver bullet.

1036
00:47:14,500 --> 00:47:15,500
Yeah.

1037
00:47:15,500 --> 00:47:18,700
Read our Year in Review report.

1038
00:47:18,700 --> 00:47:21,100
This is where we talk about everything that we see,

1039
00:47:21,100 --> 00:47:23,300
we talk about the vulnerabilities,

1040
00:47:23,300 --> 00:47:25,700
we talk about the attack techniques.

1041
00:47:25,700 --> 00:47:28,100
Yeah, read our reports.

1042
00:47:28,100 --> 00:47:30,500
This is where we talk about this.

1043
00:47:30,500 --> 00:47:32,100
And the vulnerability reports, Mark,

1044
00:47:32,100 --> 00:47:33,700
those would be posted on the...

1045
00:47:33,700 --> 00:47:39,100
So yeah, on our blog, so blog.talosintelligence.com,

1046
00:47:39,100 --> 00:47:41,620
read the Year in Review report

1047
00:47:41,620 --> 00:47:44,500
and also the quarterly threat reports that we make.

1048
00:47:44,500 --> 00:47:48,900
This is exactly what we do and what we talk about.

1049
00:47:48,900 --> 00:47:49,900
Great.

1050
00:47:49,900 --> 00:47:50,900
That's awesome.

1051
00:47:50,900 --> 00:47:56,100
You heard it, folks, that's a good place to spend some dollars

1052
00:47:56,100 --> 00:47:58,700
to have that high return on security.

1053
00:47:58,700 --> 00:48:02,500
So the MFA and then a simple password manager.

1054
00:48:02,500 --> 00:48:04,100
You said roughly 30%.

1055
00:48:04,100 --> 00:48:06,300
Great, thank you.

1056
00:48:06,300 --> 00:48:10,300
Yeah, and we'll make sure we update on the page.

1057
00:48:10,300 --> 00:48:13,500
Yeah, we're going to list all that for sure.

1058
00:48:13,500 --> 00:48:15,300
That's great.

1059
00:48:15,300 --> 00:48:17,100
That's great, that's great.

1060
00:48:17,100 --> 00:48:21,300
I think I do have the last question for you, Martin,

1061
00:48:21,300 --> 00:48:24,500
and this one's going to be super simple, I hope.

1062
00:48:24,500 --> 00:48:30,700
But where can we learn more about Talos Intelligence?

1063
00:48:30,700 --> 00:48:37,100
So www.talosintelligence.com is the simple answer.

1064
00:48:37,100 --> 00:48:41,300
On our blog, which you'll find a tab on the website,

1065
00:48:41,300 --> 00:48:44,100
or just go to blog.talosintelligence.com,

1066
00:48:44,100 --> 00:48:47,100
this is where we publish everything that we think

1067
00:48:47,100 --> 00:48:49,900
that you need to know.

1068
00:48:49,900 --> 00:48:52,300
So we've got our various reports.

1069
00:48:52,300 --> 00:48:56,900
We've got our newsletter, which is a very, very good place to start.

1070
00:48:56,900 --> 00:49:00,300
Some of the reports go into more detail than others.

1071
00:49:00,300 --> 00:49:05,700
Some stuff is sort of written for an audience of security researchers,

1072
00:49:05,700 --> 00:49:10,900
but very simply the Year in Review and the quarterly reports

1073
00:49:10,900 --> 00:49:14,500
and the newsletter are the places to start.

1074
00:49:14,500 --> 00:49:18,900
But everything that we think you need to know is published on our blog.

1075
00:49:18,900 --> 00:49:20,900
Excellent.

1076
00:49:20,900 --> 00:49:24,300
That's awesome.

1077
00:49:24,300 --> 00:49:27,300
Those last two questions, one kind of quick.

1078
00:49:27,300 --> 00:49:31,700
We're a little bit over, but do you guys want to run through the Dad Joke contest?

1079
00:49:31,700 --> 00:49:34,300
Hey, yeah, let's go through the Dad Jokes.

1080
00:49:34,300 --> 00:49:35,100
I'm happy, bro.

1081
00:49:35,100 --> 00:49:36,500
So happy to hear that, Martin.

1082
00:49:36,500 --> 00:49:38,900
Some of these are pretty good.

1083
00:49:38,900 --> 00:49:43,100
So what we'll do is I'll just start it at 90 seconds here.

1084
00:49:43,100 --> 00:49:48,500
You each are going to get asked four Valentine's Day specific Dad Jokes.

1085
00:49:48,500 --> 00:49:51,700
Just see if you can come up with the correct answer.

1086
00:49:51,700 --> 00:49:55,900
If you say skip, we can always come back to it.

1087
00:49:55,900 --> 00:50:03,700
Let's see, Andres, I think you're asking Martin first.

1088
00:50:03,700 --> 00:50:04,300
Let's do it.

1089
00:50:04,300 --> 00:50:04,900
I'll start it.

1090
00:50:04,900 --> 00:50:07,300
When he gets about 10 seconds, I'll say 10.

1091
00:50:07,300 --> 00:50:08,200
All right.

1092
00:50:08,200 --> 00:50:10,300
Ready, set, go.

1093
00:50:10,300 --> 00:50:11,000
All right.

1094
00:50:11,000 --> 00:50:13,000
So I'll go first.

1095
00:50:13,000 --> 00:50:14,700
Go ahead.

1096
00:50:14,700 --> 00:50:15,900
I'm already eating your time.

1097
00:50:15,900 --> 00:50:17,300
So here's the one.

1098
00:50:17,300 --> 00:50:24,500
If the letters Q and T were dating, what would be their celebrity name?

1099
00:50:24,500 --> 00:50:29,400
OK, what I would do, I would have a good hard talk with T,

1100
00:50:29,400 --> 00:50:32,700
because everyone knows you've got to mind your P's and Q's.

1101
00:50:35,500 --> 00:50:38,000
No point for that one, Mike.

1102
00:50:38,000 --> 00:50:39,100
That was great.

1103
00:50:39,100 --> 00:50:41,300
Oh, love it.

1104
00:50:41,300 --> 00:50:43,300
Let's do the next one.

1105
00:50:43,300 --> 00:50:45,400
This one is we thought it was super fun.

1106
00:50:45,400 --> 00:50:50,600
How did the telephone propose to his girlfriend?

1107
00:50:50,600 --> 00:50:55,800
So initially, my thoughts are something to do with rotary dial action and finger

1108
00:50:55,800 --> 00:50:58,100
strength, but I think we probably don't want to go there.

1109
00:50:58,100 --> 00:51:04,100
So I would imagine it's more to do with could it be giving her a ring?

1110
00:51:04,100 --> 00:51:05,400
Oh.

1111
00:51:05,400 --> 00:51:06,900
That was good.

1112
00:51:06,900 --> 00:51:09,800
That's actually the answer.

1113
00:51:09,800 --> 00:51:11,400
It's killing it.

1114
00:51:11,400 --> 00:51:12,300
All right.

1115
00:51:12,300 --> 00:51:16,000
And the answer for the previous one was cutie.

1116
00:51:20,200 --> 00:51:21,300
All right, the next one.

1117
00:51:21,300 --> 00:51:25,200
What did the paper clip say to the magnet?

1118
00:51:25,200 --> 00:51:30,600
OK, this is another red flag for dating, because magnets are attracted to anything

1119
00:51:30,600 --> 00:51:31,600
ferrous.

1120
00:51:31,600 --> 00:51:33,700
They are never going to be faithful to you.

1121
00:51:33,700 --> 00:51:36,400
A magnet is not going to be a faithful partner.

1122
00:51:36,400 --> 00:51:40,700
And if you do get into that relationship, it's going to be very, very difficult to pull

1123
00:51:40,700 --> 00:51:41,200
it apart.

1124
00:51:41,200 --> 00:51:42,300
They're very clingy.

1125
00:51:42,300 --> 00:51:44,400
Never date a magnet.

1126
00:51:44,400 --> 00:51:47,900
That's actually the answer.

1127
00:51:47,900 --> 00:51:48,900
All right, the next one.

1128
00:51:48,900 --> 00:51:55,700
What did one cat say to the other cat on Valentine's Day?

1129
00:51:55,700 --> 00:52:01,600
I can't believe that you forgot again.

1130
00:52:01,600 --> 00:52:07,000
No, no, said you're perfect.

1131
00:52:07,000 --> 00:52:12,200
No, it would be definitely you've forgotten again.

1132
00:52:12,200 --> 00:52:13,900
These are awesome.

1133
00:52:13,900 --> 00:52:15,200
That was great.

1134
00:52:15,200 --> 00:52:20,300
I would get Martin extra points for coming up with the Ps and Qs and then the meow one.

1135
00:52:20,300 --> 00:52:21,800
Oh my gosh, that is great.

1136
00:52:21,800 --> 00:52:24,900
I'm trying not to turn red over here laughing.

1137
00:52:24,900 --> 00:52:28,000
All right, Joe, are you ready?

1138
00:52:28,000 --> 00:52:28,900
I suck at these.

1139
00:52:28,900 --> 00:52:29,700
Come at me, man.

1140
00:52:29,700 --> 00:52:31,600
Let's just get the Band-Aid off.

1141
00:52:31,600 --> 00:52:32,100
Shall we?

1142
00:52:32,100 --> 00:52:32,900
Here we go.

1143
00:52:32,900 --> 00:52:34,400
Time is starting now.

1144
00:52:34,400 --> 00:52:37,700
What did the dark closet say to the light bulb?

1145
00:52:43,100 --> 00:52:45,700
How much is this power bill going to cost me?

1146
00:52:45,700 --> 00:52:46,200
I don't know.

1147
00:52:46,200 --> 00:52:47,700
I've got nothing.

1148
00:52:47,700 --> 00:52:48,700
All right, we could skip that one.

1149
00:52:48,700 --> 00:52:49,600
Come back to it.

1150
00:52:49,600 --> 00:52:52,700
What is Cupid's favorite rock band?

1151
00:52:54,800 --> 00:52:56,200
Heart.

1152
00:52:56,200 --> 00:52:57,200
Good one.

1153
00:52:57,200 --> 00:52:58,300
That okay, that's not it.

1154
00:52:58,300 --> 00:52:59,300
But that would count.

1155
00:52:59,300 --> 00:53:00,200
That's amazing.

1156
00:53:00,200 --> 00:53:04,900
What did the puzzle say on Valentine's Day?

1157
00:53:04,900 --> 00:53:06,300
You complete me.

1158
00:53:06,300 --> 00:53:07,300
Got it.

1159
00:53:07,300 --> 00:53:09,900
Knock.

1160
00:53:09,900 --> 00:53:10,900
What's that?

1161
00:53:10,900 --> 00:53:12,700
Knock knock.

1162
00:53:12,700 --> 00:53:15,000
Oh, you're thankful.

1163
00:53:15,000 --> 00:53:17,500
This is a PG.

1164
00:53:17,500 --> 00:53:19,100
Who's there?

1165
00:53:19,100 --> 00:53:22,300
Olive.

1166
00:53:22,300 --> 00:53:27,100
I hate olives.

1167
00:53:27,100 --> 00:53:28,500
You got to say London food.

1168
00:53:28,500 --> 00:53:33,600
Olive who? Olive who? Sorry.

1169
00:53:33,600 --> 00:53:37,100
And then could you complete the rest?

1170
00:53:37,100 --> 00:53:38,400
I love all of you.

1171
00:53:38,400 --> 00:53:38,900
I don't know.

1172
00:53:38,900 --> 00:53:39,600
I don't know.

1173
00:53:39,600 --> 00:53:44,700
Oh Joe, all of you all of who to.

1174
00:53:44,700 --> 00:53:45,700
Okay, there you go.

1175
00:53:45,700 --> 00:53:46,500
You got it.

1176
00:53:46,500 --> 00:53:47,700
So little help from a friend.

1177
00:53:47,700 --> 00:53:48,300
You got it.

1178
00:53:48,300 --> 00:53:48,900
Let's go quick.

1179
00:53:48,900 --> 00:53:49,800
It's back to the first one.

1180
00:53:49,800 --> 00:53:51,800
What did the dark closet say to the light bulb?

1181
00:53:51,800 --> 00:53:57,200
You still got 15 seconds.

1182
00:53:57,200 --> 00:54:00,100
And the honor and I'll come out of the closet.

1183
00:54:00,100 --> 00:54:00,900
Light me up.

1184
00:54:00,900 --> 00:54:01,500
I don't know.

1185
00:54:01,500 --> 00:54:02,100
I got you.

1186
00:54:02,100 --> 00:54:03,200
You light up my world.

1187
00:54:03,200 --> 00:54:03,900
Ding ding ding.

1188
00:54:03,900 --> 00:54:05,500
I was well guys.

1189
00:54:05,500 --> 00:54:08,600
Well, I was I was I.

1190
00:54:08,600 --> 00:54:10,700
Oh, I bring you shut down.

1191
00:54:10,700 --> 00:54:11,500
That was good.

1192
00:54:11,500 --> 00:54:13,800
You guys got more than I would have, and when we were coming up with

1193
00:54:13,800 --> 00:54:17,300
these questions, we were like we know these guys are going to

1194
00:54:17,300 --> 00:54:18,400
be smart.

1195
00:54:18,400 --> 00:54:20,600
You know, we knew you guys are going to do a great job.

1196
00:54:20,600 --> 00:54:23,500
So, well, that was fun.

1197
00:54:23,500 --> 00:54:26,000
I'm glad we got those in.

1198
00:54:26,000 --> 00:54:30,000
Andres, how about we summarize this and let's close it out.

1199
00:54:30,000 --> 00:54:30,600
Let's do it.

1200
00:54:30,600 --> 00:54:31,200
Let's do it.

1201
00:54:31,200 --> 00:54:32,800
I know we went a little bit over.

1202
00:54:32,800 --> 00:54:36,000
So we're going to slide through this quick section on

1203
00:54:36,000 --> 00:54:37,000
the summary.

1204
00:54:37,000 --> 00:54:41,600
So a few things that stuck in my mind and I'm thinking about,

1205
00:54:41,600 --> 00:54:46,800
you know, is understand what Talos is doing as an organization.

1206
00:54:46,800 --> 00:54:47,800
What do they do?

1207
00:54:47,800 --> 00:54:54,100
How they help our customers and how they help us also just,

1208
00:54:54,100 --> 00:54:57,800
you know, understanding how we detect threats.

1209
00:54:57,800 --> 00:55:02,700
A lot of information right now in the Talos blog.

1210
00:55:02,700 --> 00:55:05,800
I see, you know, there's a lot of information, indications of

1211
00:55:05,800 --> 00:55:09,800
compromise, any tool that you're using for threat hunting.

1212
00:55:09,800 --> 00:55:13,700
It's going to leverage that information as well.

1213
00:55:13,700 --> 00:55:17,200
We learn also discovery and publishing for new rules.

1214
00:55:17,200 --> 00:55:20,300
That was actually awesome doubt that, you know, I probably have

1215
00:55:20,300 --> 00:55:23,800
to go back and recheck some of that information.

1216
00:55:23,800 --> 00:55:27,500
And, you know, we're here to fight the good fight.

1217
00:55:27,500 --> 00:55:31,000
I know, you know, that's one of the things that Talos says a lot.

1218
00:55:31,000 --> 00:55:34,400
So that's my takeaway, I guess.

1219
00:55:34,400 --> 00:55:39,400
Right for me, the proactive security and the reactive security

1220
00:55:39,400 --> 00:55:42,600
huge components. Martin, you were talking about investing and things

1221
00:55:42,600 --> 00:55:45,400
like a bad day is going to happen.

1222
00:55:45,400 --> 00:55:51,100
Let's try and fine-tune that as much as we can and prepare for

1223
00:55:51,100 --> 00:55:51,200
it.

1224
00:55:51,200 --> 00:55:53,400
Stop making the bad day worse.

1225
00:55:53,400 --> 00:55:54,300
Yes.

1226
00:55:54,300 --> 00:55:55,400
Yes.

1227
00:55:55,400 --> 00:55:59,500
And then that reactive portion of it to hate when that bad day

1228
00:55:59,500 --> 00:56:00,300
does happen.

1229
00:56:00,300 --> 00:56:04,400
We can step in and help incident response as an example as opposed

1230
00:56:04,400 --> 00:56:08,600
to the tabletop exercises for the proactive. Joe covered the

1231
00:56:08,600 --> 00:56:13,000
low-hanging fruit, you know, we talked about the MFA and then

1232
00:56:13,000 --> 00:56:16,300
the simple password managers, like cost-effective ways to

1233
00:56:16,300 --> 00:56:21,100
decrease the chances of us being attacked and then Martin, what

1234
00:56:21,100 --> 00:56:23,200
is the website again?

1235
00:56:23,200 --> 00:56:26,900
So blog.talosintelligence.com.

1236
00:56:27,000 --> 00:56:28,100
Okay, great.

1237
00:56:28,800 --> 00:56:32,800
And then I know you guys and Talos have the Beers with Talos

1238
00:56:32,900 --> 00:56:35,800
podcast, which is super cool, as well as Talos Takes.

1239
00:56:37,200 --> 00:56:41,400
Andres and I are huge promoters of what you guys do for the

1240
00:56:41,400 --> 00:56:42,200
good in the world.

1241
00:56:42,200 --> 00:56:46,700
So thank you for having jobs that are so meaningful to the

1242
00:56:46,700 --> 00:56:50,100
point that you're truly out stopping bad guys and keeping us

1243
00:56:50,100 --> 00:56:50,500
all safe.

1244
00:56:50,500 --> 00:56:53,500
So and of course, thank you so much for your time on the show

1245
00:56:53,500 --> 00:56:54,400
Joe and Martin.

1246
00:56:55,100 --> 00:56:58,100
Andres, our next call is March 19th.

1247
00:56:58,600 --> 00:57:01,800
We're going to be talking about a brand-new Cisco security

1248
00:57:01,800 --> 00:57:04,300
solution called secure access.

1249
00:57:04,700 --> 00:57:09,400
That's a SASE solution, which is meshing security with connectivity.

1250
00:57:10,500 --> 00:57:13,000
I have thoroughly enjoyed today's show, something

1251
00:57:13,000 --> 00:57:15,300
I've been looking forward to for a long time, Martin, Joe.

1252
00:57:15,800 --> 00:57:19,300
I hope everybody else out there enjoyed this show as much

1253
00:57:19,300 --> 00:57:22,500
as we have. We will see everyone on the next show.

1254
00:57:22,600 --> 00:57:24,500
Have a fantastic day, Martin, Joe.

1255
00:57:24,500 --> 00:57:25,300
Thank you again.

1256
00:57:25,800 --> 00:57:26,200
Thank you.

1257
00:57:26,200 --> 00:57:26,800
Thank you.

1258
00:57:27,500 --> 00:57:28,300
It's right guys.

1259
00:57:28,300 --> 00:57:56,300
Take care.

