RSA 2019: Happily Not Over-AI’d

by Anton Chuvakin on March 12, 2019

My RSA Conference (#RSAC) this year was only a one day affair due to a new baby at home, but I cannot skip my ”duty” of writing this blog post with conference observations and impressions.

Here they are:

My first observation from the HUGE ~900 vendor expo was a happy one: mad claims of “AI” were NOT staring at me from every booth. At least one vendor with “AI” in the name honestly said “we use basic statistics, really.” In fact, my impression is that AI was mentioned at perhaps 1-5% of the booths, if that. Count this one as a win for sanity!!
Another thing I feared to see and fortunately had not seen: GDPR and privacy. The former is a solved problem, as I was told, and nobody cares about the latter
In fact, there was so little compliance overall, you can forget that merely 7-10 years ago, much of security was in fact sold as “helps compliance.”
Among other things spotted, perhaps subjective: I’ve seen a fair amount of identification and authentication this year.
Perhaps not unrelated, I’ve also seen a lot of zero trust this year. The concept comes from 2010, but for some reason many vendors have re-discovered it and plastered it all over their booths.
While AI was not there in annoying volumes, “hunting”, sadly, was spotted on many booths. Needless to say, much of this had no relation to the practice of threat hunting.
Automation as theme was spotted by others, but, frankly, I didn’t feel it was an oppressive presence, just like AI.
From the classic security products, I’d say DLP is still very much there.Threat intelligence vendors also were seen in force. Or perhaps random vendors claimed, out of the blue, that they do threat intelligence now
As before, I picked a few of the “we analyze logs but we are totally not a SIEM” vendors. I have no idea why they do it, but some keep doing it, in a very self-defeating manner. Saying “not a SIEM” when you have one, only removes you from a $2b market…
As we predicted, UEBA capabilities spread all over the security toolset. In fact, I’ve seen plenty of “EDR with UEBA”, “CASB with UEBA” and a lot of other tech with UBA or UEBA or just user analytics.
Refreshingly, SaaS almost-SIEM is having a big moment! Both Microsoft and Alphabet are building theirs. For years, I insisted that “SaaS SIEM is the future” but also, until recently, that “SaaS SIEM does not really exist” (2015).
Sadly, the trend I mentioned in 2015 RSA post is still very much with us: many vendors claim that they “<protect/block/detect> of threat <X/Y/Z> in the environment of <A/B/C>” but cannot explain anything beyond that point. This is how you get “DLP for Kubernetes”, really. This is why we cannot have nice things in infosec …
In fact, the number of vendors who don’t know what they themselves do, or at least cannot explain it even to an expert is too high. Epic FAIL!
Related to this, I feel that I’ve detected fewer patterns and in fact more vendor diversity. It seems to follow this trend, only more so. This makes “market-defining” activity much harder.