Heading into the annual RSA Conference—which this year, like so much else, will be virtual—security professionals and speakers are urging the security community to move beyond educating executives and workers about security and on to execution.
The theme for RSA in 2021 is "Resilience." For John Dickson, a principal at Denim Group, a provider of software security, that means companies need to put the work into securing themselves. In the latest significant attack, cyber criminals used ransomware to take down oil-and-gas pipeline provider Colonial Pipeline, causing fuel shortages in the US Southeast.
As an industry, we should be actively preparing for these attacks on software and devices, he said.
"This is no longer about wake-up calls. The Colonial Pipeline attack— who isn't aware at this point about cybersecurity? We need to focus on execution—building these systems to withstand more than the most obvious attacks."
—John Dickson
At RSA 2021, security professionals will be focused on finding ways to better protect infrastructure and data that are increasingly under attack. Here are the themes that RSA Conference 2021 will highlight.
1. Resiliency? What does that actually mean?
Developers focus on software functionality all the time. Yet the "CIA" triumvirate of security—confidentiality, integrity, and availability—is necessary to create reliable software. While developers work to make applications that have slick user interfaces and can scale with demand, they do not frequently include security in their calculus, Dickson said.
Resiliency happens in software when the developers incorporate security as a core tenet of code quality, he said.
"You wouldn't put out code that would fall over with 100 concurrent users. That's an accepted version of resiliency. You wouldn't put out an app with a horrible UX. But companies put out apps that go down after a pretty simple attack."
—John Dickson
Companies need to add resiliency to the requirements that developers need to satisfy, he said.
2. Making security accessible to developers
Companies also need to make doing the right thing easier for developers, said Shannon Lietz, DevSecOps group leader at financial software firm Intuit.
Developers are already asking about how they can make their code more resilient. Bug bounties, red teams, and penetration tests are all demonstrating security pitfalls and highlighting flaws, but many companies do not have an accessible way for developers to take part in making the code more secure, she said.
"There is a lot of emphasis—and perhaps too much emphasis—on the CI/CD pipeline, and not enough on what DevSecOps does for us. We have not solved for security accessibility. I would like to see more companies put developer-focused interfaces on security."
—Shannon Lietz
Part of the accessibility solution is to improve the communication between developers, operations, and security, Lietz said. Language is the biggest challenge at this point. "Developers don't speak security, and security does not speak developer, and ops is their own thing," she said. "Each of those have their own prioritization path."
3. Getting past the critical tests
Security testing is another component of resiliency that companies are failing to consistently perform. The vast majority of companies are testing infrequently or not covering enough of their applications. Denim Group's Dickson, who will be conducting a workshop on security and development, sees companies mostly tackling the most critical threats, while failing to achieve adequate coverage.
"What they are most worried about is pushing out an update on Friday afternoon, and it pushes out a critical issue in SQL injection. It is catching that small flaw that represents a disproportionate amount of attack surface. We see too many companies putting too little into scanning."
—John Dickson
4. Despite hype, machine learning not always practical
While vendors and service providers are increasingly adopting machine learning and artificial intelligence (ML/AI) as a way to more quickly tackle complex tasks such as anomaly detection and clustering, security professionals should expect a difficult time in applying the techniques to their own work, said Jess Garcia, founder of One eSecurity, who will be speaking at RSA.
At the start of the pandemic, Garcia attempted to integrate automation and ML into his threat hunting work. For the most part, he found few resources and most companies quiet about what algorithms and technologies they used. While there is a vibrant open-source community around the development of web applications, ML for cybersecurity is far less developed, he said.
"Everything is very fuzzy; everything is very generic or very obscure. I was pretty surprised to see that everyone is talking about AI and supposed to be using AI and machine learning in their technologies. So you would expect a big community around AI and cybersecurity. To my surprise, there was almost nothing."
—Jess Garcia
AI/ML technologies should not be looked upon as magic, but more as a powerful tool, he said. Plus: There's another potential downside to AI you need to be aware of, which security researcher Bruce Schneier will share at the show in his keynote,"The Coming AI Hackers".
5. Metrics can help make development, operations resilient
Often, management only hears from the security operations team when something bad happens—or, less often, when something good happens. The right metrics can be used to better educate the business about how well the company is doing in its security missions, said John Caimano, a global practice lead for security operations professional services at Palo Alto Networks, who will speak on SecOp metrics at RSA.
Good metrics need to go beyond mean time to remediate (MTTR) the latest vulnerabilities. Understanding how quickly analysts burn down their event logs, how often the security operations team deviates from procedure, and what types of content each analyst is handling can all help determine how efficiently the company is securing its environment and operations, he said.
The security industry is changing
The industry went from security teams that all sat in a common space and were able to communicate easily and often into a situation where it had to self-isolate, while still protecting the IP and data they are responsible for, said Caimano.
"[Executing well shows] the world that we will take on any new challenges—security, health, or otherwise—and rebound to make the required modifications to continue forward with our mission to secure our data and networks."
—John Caimano
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
