Security Trends From RSA Conferences

As I flew back to Michigan after another RSA Conference this week, I thought about the highlights, takeaways and major themes in the security industry right now. At the same time, I couldn’t help but look back and reflect on the past several RSA Conferences in San Francisco on a personal level. Bottom line: These RSA Conferences tell quite a bit about where we have been and where we are heading in cyberspace — on both a personal and industry level.

by Dan Lohrmann / March 6, 2016

Another version of the RSA Conference in San Francisco has come and gone, and for those in the technology or security industries who missed it, it has been quite a week.

If I had to summarize the events, keynotes, announcements, company parties, dinner meetings, side-shows and more that happen every year at the Moscone Center in three words, I would say “wow” and “scary” and “overwhelming.”

There were plenty of well-written introductions regarding this year’s show, including this summary from Jon Oltsik at Network World, which laid out four areas of focus:

1. IoT security — The Trusted Computing Group is hosting an event …
2. Cloud security — The Cloud Security Alliance is also active …
3. Encryption — Apple v FBI debate discussions
4. Industry consolidation — IBM acquired integrated cybersecurity orchestration platform (ICOP) vendor Resilient Systems.

IT World Canada added this analysis on the current encryption controversy.

BankInfosecurity.com also offered this preview of the “must see” RSA sessions for the week.

To kick the week off, Amit Yoran, the president of RSA, described Why “Bling Won’t Save Us.” Here’s an excerpt:

Yoran said he is unconvinced that fancy new tools will solve the pervasive data breach threats that organizations of all stripes face today. “There are no silver bullets in security,” he told Fortune, mentioning a few examples he considers promising, including artificial intelligence, behavioral science, and data analytics.

Still, Yoran said he believes there is no cure-all — no one method or product that can definitively keep hackers at bay. “We can’t just apply some bling and hope that revolutionary technology will come save us,” he said.

Computer Weekly added this, which emphasized the importance of encryption and rapid detection and incident response.

Another important keynote came from Palo Alto Networks CEO Mark McLaughlin, who said that we cannot lose the digital trust.

U.S. Attorney General Loretta Lynch told a packed audience that: “One risk is making this all about Apple when in reality it's about all of us. ... Do we let one company, no matter how great a company, no matter how beautiful their devices, do we let one company decide this issue for all of us? Do we let one company decide this is how investigations are going to be conducted?”

NSA Director Adm. Michael Rogers said it's a matter of "when, not if" state-sponsored hackers hit critical U.S. infrastructure. "Seven weeks ago it was the Ukraine," he said, referencing a cyberattack that killed the power to hundreds of thousands of Ukrainian homes in December. "That wasn't the last we're going to see of this. That concerns me."

Chris Richter, senior vice president of global security services at Level 3 Communications, listed these three themes for the week:

  • Malware proliferation and the new deception detection technology he likens to "sandboxing on steroids."
  • Security costs are escalating. Organizations once spent about 3 percent of their IT budget on security; now that number is about eight times more. But money doesn't create a silver bullet fix.
  • Cyber education and the lack thereof. Humans remain the weakest link for every organization.

The week wrapped up with an interview with actor Sean Penn, who said he has become “nostalgic for George W. Bush.”

Looking Back at the Last Three Years

Here’s the summary I provided after 2013, 2014 and 2015 along with some tips on this year’s event in sunny, warm San Fran:

The three takeaways from the 2013 RSA Conference:

One theme that kept coming up was dealing with “big data.” There were many twists on this, such as this one from Darlene Storm’s Computerworld blog. She wrote:

“The big topic was big data, including how it can bring big security problems. ... Regarding big data vulnerabilities, Coviello warned, ‘Our attack surface and risk will be magnified in the coming years as a result. We all have the ability to access large data stores because of cloud, but we're not the only ones that can access these data stores. Our adversaries will, as well.’"

The second theme was a push toward a network of sensors that work together to report back to a central “brain” almost like the human body's central nervous system. 

The third lesson learned at RSA this year was perhaps the most obvious. Cybersecurity is really hot right now, with more companies, products and attention than ever before.

There were many excellent lessons and great keynote speeches in 2014, with the new cyberframework taking center stage.

Government speeches will cover the new NIST Cybersecurity Framework, the new National Infrastructure Protection Plan (NIPP) released in December 2013, FedRAMP, and progress on security surrounding data center consolidations in federal and state governments. Also, watch out for announcements on incentives and government programs to speed implementation of the Cyber Framework in state and local governments.

Last year, we had plenty of protests and disagreements on encryption and more, with these other top highlights:

- New York Times: “Jeh Johnson, the secretary of the Department of Homeland Security, announced this week that his agency would be opening an office in Silicon Valley.”
- Washington Post: How Internet Security Conferences make you feel unsafe.
- USA Today: “It’s boom time for hackers as cyber sleuths gather ...”
- Computer Weekly: Intel Security head challenges industry (to step up).
- The Register (UK): Point of sale (retail industry) passwords aren’t being changed.
- ABC News (with video): Size and scope of conference and challenges with Jeh Johnson quotes.

Other articles showed off the 25 Innovations unveiled at RSA, the rise in cyberinsurance, and press releases such as this one from Cisco highlighting more bad news such as:

"... Security researchers at Cisco have found that 75 percent of all attacks only take minutes to begin exfiltrating data, and more than 50 percent of attacks persist for months or years before they are discovered. ..."

My View of the Overall RSA Conference Trends

As I was sitting at the SC Magazine awards dinner on Tuesday night, we were discussing the growth in the RSA Conference to 40,000 people this year. One person predicted that the event is outgrowing the San Francisco Moscone Center and would move to either Las Vegas or Chicago in the next few years.

Indeed, the RSA Conference in the USA seems to be bigger and more intense every year, which echoes the wider growth in the number of industry vendors, startups, threats, data breaches, predictions and more.

I agree with Chris Richter’s event summary (see above) on the importance of the people and cybereducation taking center stage.

As always, Amit Yoran continues to deliver good points, especially on the corporate world’s search for a security silver bullet that will never exist. I have personally known Amit since he visited us in Michigan (when I was the state’s CISO) just after Riptech was acquired by Symantec. I always find his content to be timely and thought-provoking.

On a personal level, I continue to see the annual RSA Conference as a big homecoming party for the security industry, where I usually see dozens of people every year from all over the world that I haven’t seen in a while. The networking opportunities over breakfasts, lunches, dinners, parties and over coffee are unparalleled, but also exhausting.

During those conversations, I hear much more than just the latest sales pitches, security threats or technology trends and solutions. I learn about the many different roads that various people have taken. I hear about the good, the bad and the ugly and the changes and new opportunities that men and women are considering.

I saw people like Teri Takai, Mark Weatherford, Phyllis Schneck, Cheri McGuire and many others. These industry leaders have transformed companies, changed roles, moved from the public to the private sector (or vice versa), but continue to offer help and different perspectives on the security industry as a whole. I truly value listening to them.

There is no doubt that my top takeaway from every RSA Conference is always a collection of stories and personal feedback from friends and industry colleagues that I have worked with and trust. I always learn new things at RSA, but the best insights and motivation come from personal (or small group) conversations.

As Dale Carnegie once said, “Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.”