
RSA Conference 2019: Zero Trust, AI, NSA, DevSecOps—and Facebook?

John P. Mello Jr., Freelance writer

This year's RSA Conference (RSAC) in San Francisco was a sprawling show that was too much for most forum-goers to absorb. Even for those not attending the event, the steady stream of information gushing from it on a daily basis could be overwhelming.

Looking for a Cliffs Notes view of this year's RSAC? Here are the main takeaways from practitioners and analysts who attended the show, from AI to zero trust.


Zero trust is gaining visibility

As the risks from insider threats—from both malicious and negligent actors—rise, it's not surprising that zero trust is starting to reach the top of mind for security pros.

"Zero trust and zero trust solutions were a big buzz at RSA," said Scott Gordon, chief marketing officer for Pulse Secure, a provider of secure access solutions.

However, as with any relatively new concept, defining zero trust can be a bit of a muddle, said Daniel Kennedy, research director for information security and networking at 451 Research.

"It's supposed to be a combination of strong or multi-factor authentication, continuous authentication, and micro-segmentation—although if one were to try to discern what it is from the vendor product pitches on the conference floor, that person might leave very confused."
Daniel Kennedy


Awareness training gets respect

Maybe it's because insider threats are attracting more attention, or maybe its time has finally arrived, but awareness training appeared to be less an orphan and more a member of the family at this RSAC, said George Anderson, director of product marketing at Webroot.

"There seems to finally be an industry recognition that awareness training is actually part of cybersecurity. Blaming the end user for poor security habits is a cop-out."
George Anderson

Anderson said attacks are getting more sophisticated. "Even people on the lookout can be fooled. Reality is, end users are part of your system, and they must be secured like any other component."


Inclusion of more analytics in security products

Analytics is becoming part of a bunch of classic security products, such as automated classification for alerts and potentially blocking decisions based on insights gained from data, 451's Kennedy said.

"But every product building its own data lake could lead to the kind of sprawl we've seen with every product having its own dashboard."
Daniel Kennedy


Artificial intelligence gets real

AI can be a spongy subject in the mouths of vendors, but this year at RSAC, the suppliers seemed to be getting down to use cases, said David Ginsburg, vice president of marketing at Cavirin.

This is the year that vendors and their customers are getting real with AI and machine learning, focusing on use cases where the technology can have a direct business impact, he said.

"People recognize that without a proper foundation—best practices, automation, training—adding AI and ML to the mix is like slapping a fresh coat of paint on a termite-infested house."
David Ginsburg

Rise of the developer as security enabler

As more organizations start moving security "left" in the application lifecycle and embrace DevSecOps, developers have begun to take on a new role vis-à-vis security. "A macro theme I saw subtly inserted into pitches at the conference was the rise of the app developer's role as an enabler for security," 451's Kennedy said.

There was a focus in some of the talks on DevSecOps, said Sherif Koussa, founder of Software Secured. But he said that wasn't reflected in the vendors' booths. "On the expo floor there was a lot about threat intelligence and threat detection, some email security, but there weren't a lot of security development tools."


The NSA goes open source

The NSA warmed the hearts of many researchers at the conference when the agency open-sourced its reverse-engineering hacking tool Ghidra. "As researchers, we were really impressed with this move from the NSA," said Ben Herzberg, director of threat research at Imperva.

"Not only are they releasing Ghidra to the public," he said, "but they’re doing that as an open-source project, enabling transparency into the code of this remarkable tool, which is among the top free and commercial reverse-engineering tools out there."

While taking it all with a grain of salt, given the fact that the NSA is not becoming a transparent organization anytime soon, Herzberg said it was a bold step.

"This continues NSA's attempt to appeal to and connect with the security community in a positive way."
Ben Herzberg

Staffing shortages persist

Discussions about workforce shortages in the industry continued to attract conference-goers' attention, as they have done for several years now.

ISACA drew attention to the subject by releasing at the conference its annual State of Cybersecurity report. The report found that more than half the information security pros surveyed (58%) noted their organizations have unfilled cybersecurity positions. What's more, 60% of enterprises are waiting at least three months before they can fill a cybersecurity position.

There is a lot of focus on the shortage of cybersecurity professionals, but not as much attention on job quality and satisfaction, Webroot's Anderson said.

"Cybersecurity is an increasingly high-stakes field, and CISOs are under an immense amount of pressure to do an almost impossible gig. Many are burning out and suffering physical and psychological issues from the stress."
George Anderson

Adding to CISOs' problems is a lack of understanding about what they do, said Russell Haworth, CEO of Nominet, citing a global CISO report prepared by Osterman Research, sponsored by Nominet, and released at the conference.

"There is an overarching feeling among the CISOs questioned that, while their work is appreciated by senior management teams, it’s still yet to be seen as strategically valuable."
Russell Haworth

Blockchain interest waning

At last year's RSAC, blockchain seemed to be everywhere, hyped as a potential silver bullet for cybersecurity. That wasn't the case this year, Webroot's Anderson said.

"This year blockchain was sort of nowhere to be found. As it makes its way into consumer awareness, it's less and less discussed for its security benefits."
George Anderson

A move toward 'normalizing' security speak

To most parts of a business, the security folks can appear to be speaking a foreign language. "There is a profound need to normalize the language of security and help translate it into the way every other business group speaks," said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

"We know the common problem security teams have in talking to executives or developers or other non-security practitioners, but the reality is, even between security pros, we often don't understand each other when talking about the same tools, processes, regulations, or methods."
Nathan Wenzler

Some have been advocating for this kind of translation for years, he said, "but hearing this be a widespread topic among security folks of all shapes and sizes throughout RSA this year is easily my most important takeaway from the show."

What? Facebook is a privacy company?

Although the conference was half over when Mark Zuckerberg dropped his bombshell about Facebook's increasing use of encryption and new emphasis on privacy, the announcement gathered plenty of buzz among event attendees.

Terry Ray, Chief Product Strategist for Imperva, said the move was welcomed but signaled trouble ahead.

"Encryption for other services beyond WhatsApp is a move in the right direction, but at some point Facebook is likely to find itself in court, much like Apple did, defending it and its users' rights to keep their information private from government and law enforcement."
Terry Ray

For his part, Webroot's Anderson said that the rules that make a system secure may have nothing to do with privacy.

"Privacy does not always equal security. Private systems aren't necessarily secure systems."
George Anderson


Photos courtesy @TalosSecurity.
