Case Study: Cisco Talos achieves real-time, large-scale threat hunting and takedowns with Elastic

An Elastic Case Study

Preview of the Cisco Case Study

Cisco - Customer Case Study

Cisco Talos, Cisco’s threat-intelligence and research arm, faces an enormous and rapidly changing threat landscape — on the order of 1.5 million new malware samples per day, 19.7 billion threat blocks daily (≈3 blocks per person per day), and email/web volumes in the hundreds of billions with spam comprising ~86% of mail. The team must ingest diverse telemetry (customer feeds, honeypots, sandbox runs, IPS/IDS data, open sources) and quickly triage, attribute and track malicious actors across web, email, cloud, network and endpoints.

Talos addresses this with cloud-to-core defenses and data-driven hunting: reputation and URL filtering, ClamAV and FireAMP, Snort rule sets, sandboxing (ThreatGrid/Cuckoo), honeypots, Elasticsearch-based analytics, and coordinated incident response. That stack enables automated detection and clustering of exploit kits and malware families, high-volume IOC-driven hunting, and operational takedowns — for example the coordinated null-routing of the “SSHPsychos” infrastructure with a major ISP/Level 3 that blocked downloads and effectively limited the botnet — contributing to billions of daily threat blocks and measurably improved internet security.


Cisco

Samir Sapra

Research Engineer
