The state of cybersecurity: DevSecOps gets real at RSA

If there was one key takeaway for developers from RSA 2018, the cybersecurity industry's massive gathering in San Francisco that ended last week, it was that organizations are shifting security "left" in earnest.

At past conferences, security pros talked about shifting left, or moving to DevSecOps, as something organizations ought to do. At the 2017 conference, the pitch by vendors and security pros about baking security into the development lifecycle was foggy at best. 

They were talking about container security and vulnerability scanning, as well as integrating with tools, such as Jenkins, that allow developers to quickly find code defects and automate testing of their builds.

That changed in 2018. "This is the first time that it felt that DevSecOps was real," said Derek Weeks, vice president of Sonatype, a software supply-chain automation company.

"People are integrating security teams and security practices into their development pipelines, and they're doing it on a scale that I haven't seen before in previous years."
Derek Weeks

Here's what moving to DevSecOps looks like in 2018, as well as what industry observers had to say about other important takeaways from RSA, including AI and the GDPR.


What DevSecOps looks like in 2018

Although many people are still trying to figure out if DevSecOps is just a buzzword, attendees at RSA last week got the feeling that "it's real, people are doing it, and they're doing it at scale," said Weeks.

"They were saying, 'We're doing this. We have integrated teams. We have hundreds, sometimes thousands, of people who operate with security teams and security technologies embedded into the development life cycle.'"
Derek Weeks

Amy DeMartine, a principal analyst with Forrester Research, said DevSecOps had matured.

"It's like the vendors grew up in a year. They've honed their messaging to exactly what they do."
Amy DeMartine

AI comes to the fore

Artificial intelligence and machine learning were prominent topics at the conference. As with moving security left in the development life cycle, AI is at the fore for vendors. And it, too, is getting more real-world. 

Jeff Pollard, a principal analyst at Forrester, said vendors were being much more specific and precise about what they meant by AI. "In fact, a number of vendors admitted that they don't have artificial intelligence. They said they have machine learning or a very narrow and specific AI," he said.

"The terms were being used, but in a way that's much easier to believe than last year or the year before, when they were being touted as a magic bullet."
Jeff Pollard

DeMartine explained that many vendors were being specific as to what they were using machine learning for, such as enhancing a feature in a product offering.

Machine learning was more prevalent at the conference than AI, which disheartened some conference-goers. "It's unfortunate, because all it really gains us is responding faster," DeMartine said.

"That's fine and good—we should respond faster—but that doesn't help us get several steps ahead of the malicious attackers."
Amy DeMartine

Rusty Carter, vice president for product management at Arxan, an application attack protection company, was sober about AI in 2018.

"When it comes to AI, most companies should focus on their own I, and worry less about the A."
Rusty Carter

One vendor seemed to be doing true AI, DeMartine said. BluVector announced at the conference a collaboration with Endace, maker of a network recording and analytics hosting platform. The combined system collects information from thousands of disparate data sources, then analyzes and prioritizes the data and events.

The resulting information becomes instantly available to SecOps teams, delivering the contextual data they need to quickly understand a threat and its severity. "The sophistication and evolution of today's cyber adversaries continues to accelerate, as does the number of successful intrusions," said Endace CEO Stuart Wilson. "This makes network security even more important in today's connected world."

Intrusions don't have to lead to major data breaches and cyber incidents, he continued, if threat-detection information and packet-level evidence are used to investigate, respond to, and neutralize cyber intruders quickly and efficiently. "What BluVector is doing sounds a lot more like AI than what most vendors were able to come up with," DeMartine said.


The GDPR: A reality check

Security pros looking for takeaways from RSA 2018 about the European Union's General Data Protection Regulation found slim pickings. The GDPR, which calls for hefty fines for organizations that fail to meet its requirements for protection of consumer data, is set to take effect in May, and while data handlers have been given two years to get ready for it, much ambiguity still surrounds it in the minds of many security pros.

Chase Cunningham, a principal analyst at Forrester, said solutions are at the ready, but organizations are lagging.

"Vendor solutions are starting to scratch at the problem, but overall organizations don't appear to be ready for the mandates that are coming in less than a month."
Chase Cunningham

Forrester's Pollard said that for a couple of years, service and consulting firms have been evangelizing their ability to address the GDPR, but what had not appeared until this year were technical solutions for it. "What we're seeing now is a technology lifecycle that begins when a major new compliance requirement appears and technology is introduced to address it."

Richard Ford, chief scientist at Forcepoint, a behavior analytics company, said the GDPR is being used as a stick by some marketers, creating anxiety about being ill-prepared for the new regulation.

"I wish the industry talked more about the opportunities the GDPR provides for getting our house in order."
Richard Ford

Ford added that there is a real worry from organizations beyond the marketing push. "[There's] very much a sense of 'How's this going to play out?' in people's minds. We'll know more soon, but there's nervousness around it."

Arxan's Carter said security teams should get their house in order rather than relying on solutions: "There is no magic GDPR product to solve all that ails you. Good processes along with smart fundamentals are where you should focus."

Back to basics

In general, there seemed to be a lack of innovation at RSA this year, analysts noted.

"There wasn't anything I saw that made me think, 'That's going to take us to the next level, to the next stage.' It was all how do we do what we do better or faster."
Amy DeMartine

Joseph Blankenship, a senior analyst with Forrester, said the industry had stalled a bit. "It seemed like the vendors are still focused on solving the same problems, but not in a necessarily new or novel way."

Many vendors focused on refining their approaches to recurring problems with endpoint security, security analytics, and identity management.

The search for security value

Pollard said the focus was on fundamentals. 

"There wasn't a brand-new technology or term that people were obsessed with. It was much more going back to fundamentals and making sure we address the things that matter."
Jeff Pollard

That attitude seems to correspond to another one circulating at the conference: a search for value.

At RSA this year, organizations said they are trying to get more value out of what they already have instead of buying the next new buzzword, said Brian Contos, CISO of Verodin, a security instrumentation company.

"Today, security is more about proving security value than simply assuming vendor claims and default configurations work as promised. There are a lot of security companies doing old things in a new way, but there are very few companies actually doing anything different."
Brian Contos

Security is becoming more strategic for executive teams and boards, Contos said, "and as such, there's a growing need to prove the value of security with evidence-based data that can be measured like other core business units such as sales and operations."

While innovation may have been scarce at RSA, there were signs of old technologies becoming new again, such as deception technology and new approaches to endpoint software, said Forrester's Pollard.

"There have been a number of immature or new technologies at RSA for a number of years. What we're seeing is second or third movers of those technologies. What will be interesting to see is if the latest versions of those technologies will begin to catch on."
Jeff Pollard
