Earlier this month I attended RSA Conference 2016, the largest of the Information Security industry’s annual conferences, and THE conference to attend if you either deal with security at your organization or invest in security This year’s conference marked its 25th anniversary and was the biggest one to date, with more than 40,000 attendees at the Moscone Center in San Francisco.
This year’s expo included a generally well balanced mix of large incumbents and security startups displaying cutting edge technologies side by side. It was also great to see a strong Israeli presence among the vendors, both large and small. Many of the expo vendors and products tended to be in the areas of endpoint security and network security in general, CASB and cloud security, data security, governance, incident response, and more. For me, however, the most valuable part of the conference wasn’t the Expo, but rather the fantastic keynotes and sessions delivered by industry experts and executives.
“25 Years of Information Security” (Opening theme video from RSA Conference 2016)
One of the glaringly ‘hot topics’ at the RSA conference this year was the Apple vs. the FBI debate. The debate had a strong influence on the Keynotes, some of the sessions, and the questions from the audience, and it was very clear that the debate is has touched a very raw nerve for the Information Security community. Personally, I was glad to see how highly privacy is still regarded and how passionate people are about protecting it (unlike some who are not). My view – which I found to be in line with that of many of the conference attendees (and with that of Tim Cook) – is that any back door mechanism is plain wrong to begin with. If anyone holds a master key to the encryption we rely on, that key would eventually be stolen, or the back door mechanism would be exploited, so it’s simply bad practice to create it in the first place. Be sure to check out the video of Attorney General of the U.S., Loretta E. Lynch, being interviewed on the topic following her Keynote speech.
Here are the core themes from this year’s RSA that resonated with me most:
1. Cloud Security
Cloud adoption is growing fast. As both enterprises and product-led companies are moving to hybrid cloud models and/or adopting multiple public clouds, the topologies and integrations around modern cloud-enabled services that we both consume and provide – are becoming complex and more vulnerable than ever. Organizations and product-driven companies must adapt their thinking in order to handle the threats involved in the highly connected multi-cloud era, from the foundations that would enable them to act quickly (such as logging, analytics, and automation) to the actual methodologies that should be used to react. A practical session on this topic titled “Cloud Breach – Preparation and Response” was presented by Chief Security Evangelist of Splunk, Monzy Merza (slides are available here).
If you are creating a cloud-powered SaaS product, then your customer data is in the cloud, so it is important to think about your data and security and how to scale this approach on a cloud scale. In a session titled “SaaS Attacks Happen: How Cloud Scale Changes the Security Game” presented by Office 365 Security Group Program Manager Sara Manning Dawson, Sara showed just how deeply Microsoft is focusing on their SaaS security principles including aspects of dealing with access control and authentication, encryption, multi-tenancy considerations, automation, and more with their “Protect, Detect, Investigate, and Remediate” approach, which protects over an exabyte of data in their 100+ data centers (slides are available here). I can only hope other companies are taking the same measures. If you are a SaaS startup, it’s important to think about these aspects from the get go.
2. Internet of Things (or… Internet of Unsecured Things)
Many of the vendors that are now entering the IoT era have little experience with computing, networking, and security. As a result, the quality of security in many of the IoT products that are coming out these days is very poor. The sad news is that most of these products have non-upgradable software. Manufacturers of IoT products must take security seriously as a first step to getting it right in their devices. Without sufficient standards for IoT security, this is not going to be a trivial transition, so we may find ourselves exposed to IoT security threats for several years to come. Some examples of this (which we have already seen) include IoT enabled front door locks being hacked, baby cams being exposed to the world, or someone hacking a drone with Software Defined Radio.
We may need to change our approach as well: As Hadi Nahari, VP, Security CTO, Brocade Communications Systems put it in his RSA presentation – static security has reached its limit and dynamic security (using AI, deep learning, analytics, etc.) may be needed to augment it in the IoT landscape.
3. Analytics, IR, and Automation
The amount of security alerts that organizations have to deal with these days is more than human beings can handle. “Alert fatigue” is common among security organization and analytics and automated incident response seem to be a ray of light in the efforts to tackle security incidents. New startups are creating solutions in this space including Israel’s Hexadite and SecBI, and the winner of the RSA conference 2016 startup competition Phantom (see video below).
In this fast-pitched session, the Top 10 Finalists of “2016 Most Innovative Startup” at the RSAC Innovation Sandbox Contest share why their solution will have the greatest impact on information security in 2016.
Another interesting Keynote on the topic (listed below under “Keynotes I found most interesting”) titled “Turning the Tables: Radical New Approaches to Security Analytics” was delivered by HP Enterprise CTO, Martin Fink. In it, he discussed how machine speed, analytics driven reaction is needed to be effective against hackers and how the Security Operation Center would evolve accordingly.
4. Virtualization and Containers
The adoption of micro services (a.k.a. Containers) will bring with it some tough security challenges. Now that multiple micro services can co-exist within the same machine (whether the machine is virtual or not), truly isolating containers is a challenge has yet to be addressed well by the leading container commercialization vendors (such as Docker, for example). Alignment around policies, isolation, and governance of micro services will be needed to truly adopt the technology in production, and at scale.
5. Encryption & Privacy
This one relates to the Apple vs FBI debate: If the bigger IT players weaken their encryption solutions, alternative solutions will emerge to deal with it. Lately we’ve been seeing more and more encrypted messaging apps popping up every few days, the likes of Peerio and Threema. When it comes to privacy, everyone has a different idea of what it is and how to protect it. A major part of the future of privacy will depend on how we educate ourselves and others around us to be more aware of our privacy and how to protect it.
Speaking of encryption and privacy, here’s a great (and entertaining!) analysis of the subject by John Oliver:
Last Week Tonight with John Oliver: Encryption
Keynotes I found most interesting
There were some great keynotes by industry leaders this year, some of whom included CXOs of large enterprises in the security and IT industry. Here are the keynotes that I personally found most interesting:
“The Sleeper Awakes” by Amit Yoran, President, RSA: “Our problem isn’t a technology problem. Adversaries aren’t beating us with better tech. They’re beating us because they’re being more creative, more patient, more persistent.”
“Trust in the Cloud in Tumultuous Times” by Brad Smith, President and Chief Legal Officer, Microsoft: “We need to stand up, be thoughtful and also be vocal. Despite the best of intentions, one thing is clear: The path to hell starts at the back door and we need to make sure that encryption technology remains strong.”
“Turning the Tables: Radical New Approaches to Security Analytics” by Martin Fink, Executive Vice President, Chief Technology Officer, Hewlett Packard Enterprise<
“Peek into the Future: The Security Operations Center of 2020” by Michael A. Brown, President and Chief Executive Officer, Symantec
“The Great Questions of Tomorrow” by David J. Rothkopf, Chief Executive Officer and Editor, FP Group
“Safety Issues in Advanced AI” by Nick Bostrom, Professor, Faculty of Philosophy, University of Oxford, Director, Future of Humanity Institute
Finally, for those of you who are planning to visit the conference in the future, here are a few tips to help you make the most of it:
1. Plan your schedule before you go. There’s a lot to take in both in and around the conference, so if you don’t have a plan of action in advance, you may find in hindsight that you missed out on the aspects that would have interested you most. Make sure you allocate enough time for planning (I spent at least several hours) and plan what sessions you want to attend, when to spend time at the expo, what other events around RSA such as company events and social activities you’d like to attend, and plan specific meetings in advance. You can use the scheduling tools on the RSA website and the RSA mobile app (which was sadly not yet updated for iPhone 6 or 6 Plus).
2. Don’t fall into the trap of wandering the expo halls aimlessly. Focus on the conference sessions instead. The expo experience, while exciting and educational, is limited, and there are alternative ways in any case to learn about the different vendors and products than by visiting their booths, so now that I have attended myself, my personal opinion is that the conference sessions are an amazing source of knowledge and insights and a better use of your time than wandering the expo halls aimlessly.
3. Prepare a list in advance of the vendors you want to check out at the expo. If you do plan to spend time at the expo, a good practice would be to pre-select the companies that are most relevant to you and go directly to those, so that you don’t have to waste time “window shopping” among the hundreds of participating vendors. Time flies very quickly at the expo, so if you’re not well organized, you’ll end up carrying a bag full of free t-shirts, pens, and gadgets you’ll probably will never use…
I had a great time at RSA this year, learning, catching up with colleagues, making new connections, and re-aligning my perspective on the security landscape. If you have your own insights or tips to share from the conference, I would love to hear them.
More posts by Ran Levitzky:
AWS re:Invent 2016: Key takeaways and what they mean for early stage startups
Carmel Ventures invests in Cloudyn, the startup empowering Enterprises to embrace the hybrid cloud
Why startups must protect access to their cloud services from Day 1 (and how to do it in 3 easy steps)