November 14, 2017
RSA Conference 2015 Afterthoughts
Posted May 10, 2015
It’s now been almost two weeks since the RSA Conference 2015 finished and it gave me some time to reflect. The RSA Conference is always a great opportunity to catch up with a lot of friends and peers in the industry. Additionally, it also provides a snapshot of where we are as an industry.
The following items stood out for me.
The mood at the RSA Conference was very positive. The exhibition halls were buzzing with people, VC companies are pouring record amounts of money into new security startups and IT budgets seem to be increasing for security related spending. These are truly interesting times to be involved in Internet security and I don’t think it will stop any time soon.
The motto of this year’s RSA Conference – “Where The World Talks Security” – couldn’t be more topical and outdated at the same time.
I think every single year over the past 10 years, we have been lamenting about the ineffectiveness of our industry and this year was no different. Amit Yoran, president of RSA, said:
“2014 was yet another reminder that we are losing this contest,” Yoran said in his keynote remarks to more than 30,000 cyber industry executives. “The adversaries are out-maneuvering the industry … and winning by every measure.”
He compared the industry’s current approach to a mindset stuck in the Dark Ages, whereby companies employ security strategies and solutions that no longer map to the business and threat environment we face. “To keep the barbarians away, we’re simply building taller castle walls and digging deeper moats. Taller walls won’t solve our problem.”
I think it is a widely accepted fact that this statement holds true – just look at the antivirus industry that has failed to make any difference in preventing malware from causing havoc over the last 10 years. The threat from malware is ever increasing with malware targeting point-of-sale (POS) devices and targeted malware being successful with almost a 100% certainty.
Another good example is SIEM. It’s a noble idea where you collect all the relevant information into one repository to be able to cross-correlate various security incidents so that you are alerted early on that there may be a security problem.
Unfortunatley, I have yet to find someone who can wholeheartedly tell me that his/her SIEM installation is working as expected. Not a single person.
There are a few companies out there that try to apply behavioral machine learning methods on top of existing SIEM installations, although the question is whether this falls into the taller walls category or whether that truly makes a difference. But it is certainly an interesting space to watch as the idea of all data coming together to make some sense out of it is not a bad approach. We need to make sure that we don’t just collect a lot of data for the sake of collecting (increasing the haystack) and that we have more than “just” behavioral solutions to find the needle.
It seems that there is a resurgence of threat intelligence companies out there which is an interesting déjà vu for us as ThreatMetrix® started out as an IP intelligence company.
The underlying principle is awesome and I attribute the resurgence of threat intelligence to the fact that organizations are now in a much better position to consume external data feeds into their internal systems due to advancements in data processing capabilities.
It is the basis for many data sharing initiatives – which is great – but I somehow feel that a lot of data sharing is still on an IP address basis which is getting less reliable by the day. I expect to see much more in this space in the near future.
Plentiful new players on the market
The combination of the inefficiency of existing solutions and lots of attention from the VC community helped create many new startups in the Internet security area. They seem to be popping up every day. Some do things slightly differently (e.g. user behavioral models on top of anything we do right how), better endpoint protection, authentication/identity and more security solutions in the cloud security space. Do we really have to take the concept of a DMZ into the cloud or should we totally rethink the security approach there?
Internet of Things (IoT)
I have to agree with Bruce Schneier that this is a disaster waiting to happen. The interview is well worth the read and will open your eyes: “When you’re selling a $1,000 computer you’ve at least got a support staff. When you’re selling a 30-cent thermostat, potentiometer, pressure-detecting sidewalk square, smart light bulb – no one’s going to be left to care [about security].”
Adi Shamir mentioned a cool new study where they were able to hack into the control component of a smart light sensor. These smart devices are typically used in commercial buildings. By changing the light intensity from 100% to 95% (which is invisible to the human eye), they’ve been able to establish a communication channel to the outside world.
Translate this to today’s world. We have malware scraping credit card details directly off a POS device and we only detected this due to some irregularly large network communication to the fraudsters. Now the fraudsters can use the smart light sensors to communicate the stolen credit cards to the outside and noone will notice anything. You can run whatever forensics you want on it and you won’t find anything.
This is a great time to be in the Internet security space as the challenges are plentiful, everywhere and increasing (IoT). We need new approaches to solve these problems. It’s a perfect environment for innovation to grow. So let’s take this opportunity and innovate.