
Cisco Talos' integration of threat feeds from other vendors in ESA

liying.liu
Level 1

We are aware that Cisco Talos has been continuously integrating public threat feeds into its own threat feed library as part of the built-in feeds on-prem ESA. Is there a way to know which threat feeds of which vendor are integrated? With this info, we will be able to evaluate how much value the ETF feature would bring on ESA.

 

Thanks!

4 Replies

This information is not forthcoming. I've been in a few different forums where this question has been asked, and nobody would answer it...
Basically they have agreements in place with the various feeds that preclude them from telling us. I had the same argument, loudly, with product managers and engineering managers and beta managers all in the room.
So, you have to look at it this way... public feeds... they probably get it... do they get it back into the product FASTER than you might... maybe? Maybe not...
The main use case is for those feeds that you get that they can't get... various ISACs that are industry owned... they aren't in fintech, so they don't get the fintech feed, etc.


I see..., thanks!

Then Ken, would you be able to recommend some external threat feed sources, fintech or not?

At the same time, if we can hear any feedback from a Cisco employee as well, that would be great.

I use AlienVault OTX, and I keep meaning to dig into Anomali Limo.

Thanks, Ken!!