Cisco Blogs

Creating a “Kill Switch” in the Cybersecurity “Kill Chain”

- September 28, 2016 - 3 Comments

“Kill chain,” a cybersecurity term coined by Lockheed Martin, is shorthand for how cyber criminals target, recon, develop, and eventually penetrate their targets.  It’s among the hottest buzzwords in the cybersecurity industry right now, with many security products talking about how they address the kill chain.  But playing buzzword bingo in tech often results in nothing novel or useful… it just puts a new name on concepts that have existed for some time.

The Cisco Security Technical Alliances (CSTA) program focuses on use-case driven cross-vendor solutions, delivering over 120 engineered security integrations with our technical alliance partners.  And among our most prolific integration partners across our portfolio is Splunk.  We are pleased to have been named recipient of Splunk’s Revolution Award for “technology partner of the year” a few days back.  In our latest work together, we are working to address the “kill chain” in a practical fashion.

Today, we announced that Cisco is collaborating with Splunk in their Adaptive Response program, which targets the kill chain through coordinated mitigation actions.  Splunk Adaptive Response leverages the Cisco network for threat response and investigation via integration with Cisco pxGrid and also extends into the cloud for threat investigation with OpenDNS Investigate.  Combining this on- and off-network breadth provides a far-reaching “kill switch” in the kill chain.

Taking Action on a Threat Event

Let’s take closer look at how this would work in practice.  It all starts with an actionable security event in the Splunk console.  “Actionable” can mean a couple things.  It may mean you know the event is malicious and want to immediately take a mitigation action.  If that’s the case, then:

  • Splunk Adaptive Response makes a call via Cisco pxGrid to Cisco’s Rapid Threat Containment (RTC) function
  • RTC will then orchestrate a policy-based network response to the threat that decreases the level of network privilege associated with the offending device/user on the network

But often “actionable” means further investigation is needed to see if the event is malicious.  In that case:

  • For on-network, Cisco RTC can route the suspicious traffic through a specific security inspection chain, such as a packet capture engine or a deeper Cisco IPS inspection routine
  • For internet based threats, the OpenDNS Investigate API can be called to provide additional context such as domain ownership, co-occurring requests, related domains, geolocation, categorization, blocked requests, and reputation scores

While network security often focuses on threat detection, this joint effort between Splunk and Cisco brings more focus to what happens after detection.  Clearly detection is the first step of enforcing security.  But that next step… actually taking action on a threat… is still nascent in cybersecurity.  Together Cisco and Splunk are bringing together actionable pieces of threat context and mitigation capabilities to form an effective and practical “kill switch” for the kill chain.

Learn more: Cisco Rapid Threat Containment and OpenDNS Investigate




In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


    Excellent blog post. Thanks for the links and further recommendations. Always, in a timely manner from Cisco and teams. Deeply appreciated. As I always comment to my colleagues, regarding collaboration, support, products and innovation: "In Cisco We Trust"

      Dr. Wong-Perez: Thanks for the kind comments. Glad the article was of value for you. --S

    Thank you for the article!