2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public
Page 1 of 13
Summary (41:52)
One, in order to be effective at understanding the threat environment, you have
to look at live threats. You--lab work is great. Honeynets are fantastic, and, you
know, that's the sort of standard duty of care that we engage in on a regular-- on
a regular day-to-day basis, but to be effective, we have to look at the live threats
in live deployments. That's the source of real, true security intelligence now, and I
think that's where the security industry is going and, you know, as I've illustrated
today, where we're focusing our efforts and investments.
The second thing I want to hit on is, but once you have that data, combining it is
all about comparing multiple types of data and parameterizing that information.
So you want to look at all of the different vectors of a blended threat so that you
can view the timeline of that threat. You know, we track for over 26 million public
entities on the internet. We track the entire security history that we have seen
associated with that entity, and that's a number that increases every day, but
that's what's necessary to really understand, end to end, that threat history.
And then the last thing that I want to touch on is, it's not about casting a broad
net and looking for the biggest fish, because increasingly, that's a behavior that
those engaged in a cybercrime economy have identified and are using those
same approaches to make their threats fly under the radar, so moving away from
what I was calling earlier sort of the big, dumb, loud activity and going to things
that are a little bit more tailored, specifically tailoring those threats for the types of
compromised host that you're looking for, right? You want to find those always-on-- those always-on installs in specific areas with high bandwidth, so specific
type of users, and if you're going to compromise them for the purposes of
gathering information, you want to make sure that they have access to that
information that you might like, as we were talking about earlier with the
government employees targeted through Facebook.
So that's given you a feel for how we gather our intelligence and some of the
intelligence that we've gathered. This type of information, we provide over 20
publications throughout the year and also a number of different forums where we
discuss these threats with you. We'll be talking here in, you know, various RSA
discussions in more detail about some of these threats, so if you're interested in
learning more, please reach out to us in those locations or, you know, reach out