RSA 2018 – Chaos Engineering

If there is one thing RSA gets right, it's chaos. However, part of that is because San Francisco is one giant well-engineered piece of chaos. From the pungent weed clouds to the automated compute clouds, if you like chaos, nobody does it better. I wonder what would happen if RSA moved to Las Vegas. It would lose its charm.

Keynotes – Tuesday

This year, RSA kicked off with a series of unremarkable keynotes. New RSA boss Rohit Ghai gave an upbeat, sports-cliché presentation that was devoid of controversy or insight.

Next, Brad Smith from Microsoft is still pushing this Digital Geneva Convention idea. It is a noble idea that is disconnected from reality.

Chris Young, whom I really wanted to say something profound, did not. He babbled on about airline hijacking and airport security. Never once did he mention the cloud.

Next, there was the perennial Cryptographer’s panel, which requires a PhD in Somnambulistic Studies to enjoy.

Lastly, we got Kirstjen Nielsen, US Secretary of Homeland Security. Her presentation was an ocean-wide, puddle-deep dump of banal platitudes delivered with the charisma and passion of asphalt. And her follow-up chat with that CNBC anchor was equally devoid of meaningful content. However, Nielsen made sure to remind us, multiple times, that the terrorists use the Internet. They hate us for our freedumbs, and porn. Maybe not the porn.

Sheesh. This was not RSA’s best year. In contrast, the opening rap-opera show seemed positively perky.

Walking the Expo Floor

Nowhere does highly engineered chaos rule like the RSA Expo floor. Every year the noise and distractions inch skyward. The booths are following along. It seems there is a booth height arms race at RSA this year. Two, three, and four story booths are as common as cheesy salespeople.

Come along with me, and I will share my observations.

At the F5 booth, they are talking about “the SQL injections that can stop you cold.” As opposed to those other attacks that get you hot.

I noticed multiple companies had banners proclaiming their AWS competency. Give it a few more years and RSA will be the AWS/RSA Conference.

Mimecast held an important looking meeting in a glass fishbowl conference room. It reminded me of clip art of pristinely attractive people having a “business meeting.” This is so important, we had to have our meeting right here, in front of all of you.

People, this is important. Tom, let’s hear about your big time important bigness.

Alienvault is back in Earth’s orbit. In previous years they had an alien theme (imagine that), which only seemed to underscore their out-there approach to security. This year, it was about the moon landing. Next year, they may actually be down to earth.

Bromium has become a perennial target for my snark. Last year, it was a Breaking Bad themed booth with fake meth. This year it was Protect Your Genius with artistic renderings of people the likes of Albert Einstein and Abraham Lincoln. End slavery, redefine physics, application virtualization…yeah, all about the same.

The CISO of Lyft, Mike Johnson, noted on LinkedIn recently that a lot of vendors are using alcohol to attract people. He is right. The show floor was soaked with beer. What message are we sending here? Our products are only attractive when you are drunk? Is this the RSA version of “beer goggles”?

I wonder, are we that far away from free bong hits? Or maybe a “gentlemen’s pentest”? It’s got what plants crave.

Pls no boop Crowdsnek.

Occasionally, RSA booths inadvertently predict the future. Sentinel One and Crowdstrike were side by side at RSA this year. Sentinel One had a good looking booth with lots of content that completely overshadowed Crowdstrike’s booth. The contrast was striking. Where Sentinel One’s booth was bright, active, and modern (like an Apple store), Crowdstrike’s booth was dark, claustrophobic, and dour. Another curious thing about Crowdstrike: they have gone completely silent on the Democratic National Committee hacking they helped identify. Makes you wonder. I am just Putin it out there.

Why is everybody giving away t-shirts? I counted 17 booths with this gimmick. Do I need a t-shirt with a picture of myself?

Welcome to RSA, I love you.

Zerofox has the damn furries again.

Intel has managed to invent a poisonous shade of blue.

Exabeam is supergreen.

Whitehat Security had an ultra-cheesy pitch man screaming “there are SQL injections out there!”

Watch me pull another round of funding out of my ass.

You know what else is out there? Owls. Shiver.

Hey, a tip for all you booth presenters: if you end a sentence with “…right?” or begin it with “we all know,” you sound unsure. For example, “we all know the SQL injections are out there, right?” Yep, just like those owls.

RSA booth had a work-simulator again. This was a dumb idea last year, and it did not get any less dumb this year…right?

Chaos engineering is where complex systems are tested with unexpected or aberrant behavior to see how they react. Observers then analyze those reactions to plot out recovery and reaction strategies.

If all this sounds oddly familiar, it is because chaos engineering is the new “big data” or “threat intelligence.” It is happening all around us, from autonomous cars to venomous politicians. The one problem with chaos engineering is that it is not intended for use in reality. Chaos engineering is intended to be a simulation to assess the resilience (and security) of systems in a “non-production” environment. My concern is that chaos is becoming a marketing technique. Companies (and politicians) are concocting tremendous amounts of conflicting noise. This noise overwhelms people, who are unsure what to believe, so they cling to whatever makes them comfortable.

Which gets this blog back to the previous topic: panic. When you see a dark reality coming, it is normal to curl up and eat ice cream for comfort. The security industry is creating chaos to hide reality. And we are reacting, as expected, curling up and clinging to our NGFWs and SIEMs.

The post RSA 2018 – Chaos Engineering appeared first on Anitian.

*** This is a Security Bloggers Network syndicated blog from Anitian authored by Andrew Plato. Read the original post at: