Now that I’ve had a week to recover from the annual infosec circus event to end all circus events, I figured it’s a good time to attempt being reflective and proffer my thoughts on the event, themes, what I saw, etc, etc, etc.
For starters, holy moly, 43,000+ people?!?!?!?!?! I mean… good grief… the event was about a quarter of that a decade ago. If you’ve never been to RSA, or if you only started attending in the last couple years, then it’s really hard to describe to you how dramatic the change has been since ~2010 when the numbers started growing like this (to be fair, yoy growth from 2016 to 2017 wasn’t all that huge).
With that… let’s drill into my key highlights…
Why do people like me go to RSA? Because it’s the one week in the year where I can see almost every single vendor in the industry, as well as see people I know and like who I otherwise would never get to see in person (aka “networking”). It truly is an enormous event, and it has definitely passed the threshold of being overwhelming. Several people I’ve know for years did not make the trip this year, and I suspect this will become a trend, but in the meantime, in many ways it’s a “must attend” event.
The down-side to an event this large, and something I learned back in my Gartner days, is that – as someone with nearly 2 decades of industry experience – this is not an event where you’re going to find much great content. Talks must, out of necessity, be tuned to the median audience, which means looking backward at what was cutting-edge 5-10 years ago. Sad, but true. There’s simply not much room for cutting-edge thinking or discussion at the event nay more.
Soooo… why go back? Again, so long as there’s business development and networking benefit, it is an essential event, but it’s also very costly. Hotel pricing alone makes this an increasingly difficult prospect. For as much as we’re spending on hotels each year, I could very likely visit friends in 3-4 different parts of the country and break even on travel costs. It’s also increasingly a lot of noise, and much harder to sift value from that noise. I truly believe RSA is nearing the point where they’ll have to either break the event into multiple events (kind of like 3 wks of SxSW), or they’ll at least need to move to a different model where you’re attending a conference within a conference (similar to “schools” within a large university). As it stands today, it’s simply too easy to get lost in the shuffle and derive diminishing value.
Automation Nearing the Mainstream
We’ve been talking about security automation and orchestration for several years now, but it’s often been with only a handful of examples, and generally quick forward-looking. We’re just now finally reaching the point where the automation message is being picked up in the mainstream and more expansive examples are emerging.
One thing I noticed this year is that “automation” was prevalent in many booths. There are now at least a dozen vendors purportedly in the space (up from the days of it being Invotas (FireEye) and Phantom). No, I can’t remember any names, but suffice to say, it’s a growing list. Also, separately, I’ve noticed that orgs like Chef and Puppet have also made an attempt to expand their automation appeal to security (not to mention Service Now doing the same).
The point here is this: The mainstream consensus is finally starting to catch up with the reality that we will never be able to scale human resources fast enough to successfully address the rapidly changing threat landscape. Thus, we absolutely must automate as much as possible. We don’t need SOC analysts staring at screens, pushing buttons when a color changes from green to red. That can be automated. Instead, we need to think about these processes and make smart decisions about when and where a human actually needs to be in the loop. This is our future, which we should eagerly embrace because it then frees us up to do much more interesting and exciting things.
Since we’re talking about automation, it’s only natural to pivot briefly into DevOps/DevSecOps/Secure DevOps. This year’s Monday event on DevSecOps was ok, if not highly repetitive. However, initial attendance was strong, and feedback has reportedly been good (the schedule got a bit foobar, so attendance declined after lunch, c’est la vie).
Here’s what’s important: Companies are continuing to reinvent how they operate, and DevOps is the underlying model. As such, we need to push hard to ensure that Dev and Ops teams have security responsibilities in their assigned duties, and that they are held accountable accordingly. A DevOps co-worker recently complained about this “DevSecOps” thing, and I pointed out that the entire reason for it is as a kludge because security has once again been left behind, and neither Dev nor Ops has taken on (or been assigned) security responsibilities, nor are they being held accountable for poor security decisions. THIS IS A CULTURAL FAILING THAT AFFECTS ALMOST EVERY SINGLE COMPANY AROUND.
In DevOps, the norm is always to point to “gold standard” examples like Netflix, Facebook, Etsy, etc. However, what people oftentimes forget in looking at these orgs is that, for the most part, they started out doing DevOps from the early days. There was very little need for cultural transformation because they were already operating in a DevOps manner. For companies that have been around for much, much, much longer, there will be internal opposition and institutional inertia that will slow down transformations. It’s imperative that these cultural attributes be supplanted, aggressively if necessary, in order to remove barriers to change. DevOps provides an amazing template for operating an agile, efficient, effective organization… but only if companies fundamentally change how they function, including cultural transformation.
AI, ML, and Big Data Lies
If we were to take all the marketing at face value, then we’d be led to believe that the machines are thinking for themselves and we’re a mere small step away from becoming part of The Matrix. Thankfully, that’s not really true at all. The majority of companies claiming “AI” today are really being misleading and disingenuous. The simple fact is the majority of products are still based on heuristics or machine learning (ML) – sometimes both.
Heuristics is the traditional pattern matching we’ve seen for decades upon decades upon decades. Your traditional AV or IDS “solution”? It’s primarily based on heuristically matching patterns and signatures to detect “a known bad thing.” These are ok, but in the grand scheme they’re providing little lasting value.
ML has emerged as an alternative, wherein rather than looking for patterns, we instead model environments or behaviors, and then do alerts based on either matching or deviating from the models (sometimes both!). The ML approach is actually quite promising, though it’s premised on the ability to actual create a discrete model of an environment or behavior. It is also imperative that ML engines be constantly rebuilding the models to account for changes in an environment or behavior (for example, imagine building a model of your diet starting in mid-October and running through the end of the year, and then trying to apply that same model to your diet Jan-Mar after you’ve made major life changes, perhaps as part of a New Year’s Resolution).
There is a lot of hope in AI, ML, et al, and I think for good reason. Frankly, ML gives us a lot of value when applied to reasonably discrete environments (e.g., containers), and thus I think we’ll continue to see great growth and success in this space. I expect that computing environments will also continue to evolve and grow to make modeling of them that much easier. I think there’s much promise.
As for AI itself, we’ll have to wait and see, but I suspect we’re a good decade+ away from true examples of real-world applications. However, that said, if you’re in a lower-level role (analyst, basic infrastructure config, etc.), then now is a good time to invest in training/education to improve your skills to raise yourself up to a higher-level job that will be less easily threatened by AI+automation. As I noted above, we really do not need SOC analysts staring at screens clicking buttons according to a set process. Machines can already do that today. Thus there’s no job security in it. Instead, become the person who builds and trains these automation tools, or be the higher-level “fixer” who is activated one automation has done all the base enumeration and examination. The world is changing rapidly, and will look quite different in a decade.
The Threat Is Real / Ignore the FUD
One of my favorite tunes from last year is Megadeth’s “The Threat Is Real” as it’s really quite an appropriate phrase. Hacks are succeeding every day. Breaches are so commonplace that the mainstream media has all but lost interest in reporting on them. Incidents are inevitable. And, yet, in some ways they needn’t be so inevitable; at least, not to the degree and severity we continually see. Whether it be massive DDoS attacks built on the back of woefully insecure IoT devices or sizable holes in cloud CDN infrastructure a la Cloudbleed, there are a lot of holes, a lot of bugs, and a lot of undertrained people, all of which will lead to bad days.
That said, we also need to be incredibly mindful and diligent to avoid the FUD. There’s too much FUD. It’s like running around telling us that “we’re all gonna die” as if we don’t all accept this as an inevitability. Come on, folks, let’s get out of that red mental state (fear/panic/anger) and apply some rational thought. There are tons of things we can be doing to prepare and protect our organizations, our customers/clients, and our resources. We just need to take a deep breath, settle down, and execute.
What should we do? Well, interestingly, it’s not all that strange a list. First and foremost, Basic Security Hygiene, which I wrote about while at Gartner nearly 2.5 years ago. Things like robust IAM (centralized, processized, monitored), vuln and patch mgmt, and applying consistent, secure standards for infrastructure and development are all great starting points. Beyond that, it comes down to taking the time to understand your environment and exposures, and investing in tools and techniques that will produce measurable results (measurement is key!!!). A progressive security awareness program can be critical to educating and incentivizing people to make better decisions, and really reflects the overall imperative to transform the business and it’s underlying culture. We can absolutely make things better, but it requires effort and thoughtfulness.
*whew* Ok… so, there you have it… my thoughts from RSA 2017. All told, it was a so-so week for me personally, but I’ll definitely be back for one more year. TBD after that. It’s really quite the circus these days. This year was especially difficult with how spread out things were (Moscone South has a major construction project underway, so the Marriott Marquis was enlisted). The wifi and mobile signals in the Marquis dungeon were nonexistent, which was painful. Also painful was the 4 spread out venues for Codebreaker’s Bash on Thursday evening. It didn’t work. Because people were spread all over, it was difficult to casually run into folks I was hoping to see. Hopefully next year they’ll revert to a large single venue (I really, really, really enjoyed the Bash at AT&T Park, though many folks complained about it). Finding a venue for 43k+ people has to be incredibly challenging. Of course, so is finding a hotel room each year, so, ya know, there’s that, too. Ha.
Hope you find this interesting/useful! Until next time…
This is a Security Bloggers Network syndicated blog post authored by Ben Tomhave. Read the original post at: The Falcon's View