Insights from CSA Partner Cisco Talos

In conversation with...

Don Owens

Don is an architect for the Talos engines that produce email and web verdicts for Cisco security products, as well as the systems that produce the security intelligence behind those verdicts. He is known as the reputation expert within Talos, and is often involved in acquiring third-party data to augment the data Talos generates from its own honeypots and telemetry. Don has delivered a number of presentations on best practices (and the reasons behind them) for email senders to distraught customers, as well as in industry forums, such as CSA and M³AAWG.

What are you currently working on in improving email?

One of the things I am working on at the moment is improving the speed at which Talos protects Cisco customers from new threats. Every second counts for zero-day or hailstorm attacks. If it takes 15 minutes to generate a feed and make that content available to protect customers, then a hailstorm attack could have come and gone during that time, meaning the entire attack would be missed. Converting the remaining old-style updates from feed files to streaming data in order to avoid latencies across our internal infrastructure, as well as convincing our data partners to do so, is a challenge. Local caching for on-premises products must be eliminated in order to avoid missing emerging threats, which has implications on cloud infrastructure, cost-to-serve, and throughput of on-premises devices.

What are your current challenges with keeping the bad guys out?

One of the biggest challenges in the email security world nowadays is targeted phish. To best stop highly targeted phish without blocking legitimate email, the security vendor needs to know some additional information about the customer's network, users, etc., and to track who sends email to whom. However, customers (understandably) tend to be reluctant to give up that kind of privacy, which presents a challenge to security vendors.

What are your top 3 recommendations for email senders?

  • Most importantly, confirm opt-ins, and ensure that you are sending email that your recipients actually want.
  • Use authentication (DKIM aligned with the From header) for all email and publish a rejection policy (DMARC).
  • Align all (or as many as possible) of the domains in your email.
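To make the second and third recommendations concrete, here is an added Python example (not from the interview, and not Cisco Talos code) that parses a DMARC record, checks whether the DKIM signing domain (the `d=` tag) and the SPF-authenticated domain align with the `From:` header domain in relaxed or strict mode, and reports which DMARC policy would apply when neither aligns. The organizational-domain logic is a deliberate simplification (last two labels) because a real evaluator uses the Public Suffix List; all records and headers below are constructed sample values.

```python
"""Added example: DKIM/SPF alignment and DMARC policy evaluation.
Not the interviewee's or Cisco Talos's code. The org-domain rule is a
simplification (last two labels); production code uses the Public Suffix List.
"""


def parse_tags(value: str) -> dict:
    """Parse a 'k=v; k2=v2' tag list (used by both DMARC and DKIM-Signature)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record; fill in RFC 7489 defaults for missing tags."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")     # policy for mail that fails alignment
    tags.setdefault("adkim", "r")    # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")     # SPF alignment mode
    return tags


def dkim_signing_domain(dkim_signature_value: str) -> str:
    """Return the d= domain from a DKIM-Signature header value ('' if absent)."""
    return parse_tags(dkim_signature_value).get("d", "")


def org_domain(domain: str) -> str:
    """Simplified organizational domain: keep the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain: str, dkim_pass_domains: list,
                   spf_pass_domain: str, dmarc_record: str) -> tuple:
    """Return (result, action): ('pass', 'none') if any authenticated identifier
    aligns with the From domain, else ('fail', <p= policy>)."""
    policy = parse_dmarc(dmarc_record)
    dkim_ok = any(aligned(from_domain, d, policy["adkim"]) for d in dkim_pass_domains)
    spf_ok = aligned(from_domain, spf_pass_domain, policy["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    # Constructed sample: DKIM signed by the From domain, SPF on a bounce domain.
    sig = "v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; bh=...; b=..."
    print(dmarc_evaluate("example.com", [dkim_signing_domain(sig)],
                         "bounce.example.net", "v=DMARC1; p=reject"))
    # Constructed sample: signed only by an unrelated provider domain, no SPF pass.
    print(dmarc_evaluate("example.com", ["esp-provider.example"], "",
                         "v=DMARC1; p=reject; adkim=s"))
```

The second sample is the case the recommendations warn about: a message that is authenticated, but by a domain that does not align with the visible `From:` domain, fails DMARC and is rejected under `p=reject`, which is why every domain used in the mail should be aligned with the header From.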

Where is email going to be in 10 years? Do you see any major changes coming?

Email is being used for marketing, broad discussions, reports, confirmations, and receipts, while one-on-one communication is occurring more and more over instant messaging services. Email will still be around in another 10 years, though perhaps with further changes.

Spam will always be a problem. Spammers will continue to change their tactics, in an attempt to get around spam filters. And spam filters will continue to evolve to block spam. So senders and anti-spam vendors working together in the war against spam will continue to be key for getting the email that users want into the inbox.

New and improved standards around sender authentication will likely be formulated, and sender reputation will be related to those authentication standards. Sender authentication will become increasingly important, perhaps to the point where unauthenticated mail simply will not be delivered.

About Cisco Talos:

Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid and actionable threat intelligence for Cisco customers, products and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools.

Talos encompasses six key areas: Threat Intelligence & Interdiction, Detection Research, Engine Development, Vulnerability Research & Discovery, Communities, and Global Outreach.
