
RSAC 2019: Better than what?

Over the past few years, I have chronicled the RSA conference
with snark, praise, cynicism, and strained pop culture references (in 2017 it was
the Road Warrior). This year, I will depart from this, to reflect on what is happening
in security.

Okay, maybe a little snark.

In another departure for me, I spent most of RSA outside the
actual event. I attended the AGC conference on Monday, as well as many other meetings,
parties, and events. Many people have said, this is the only way to do RSA. Or in
the parlance of WOPR, the only winning move is not to play. (That’s from WarGames.)  

RSA’s sessions and keynotes are infuriating. It is the same people,
saying the same things, with the same tone, set to the same music. RSA’s theme this
year was “better.” Better than what? A swift jab in the liver? RSA adamantly refuses
to change the tone, message, structure, or speakers of the show. The only thing
that got an upgrade this time around was the expo hall. Otherwise, it was the usual
cavalcade of banality.

This is why all the interesting content has moved to the periphery
of RSA. Inside the confines of RSA, there is no room to expand the conversation.

Too Much

Complexity is killing security. There are too many products,
too many vendors, too many attacks, too much data, too many self-important blowhards
writing blogs, too many opinions, and way too many bad ideas being hawked as the
next big thing. How many times do we need another self-proclaimed uber-hacker guru
on stage telling us “the key to security is blah blah blah?”

Ugh!

Nobody outside of the NSA or US Cybercom should spend 1/1000 of a microsecond thinking about attribution. The key to security is not another grand idea about the arcane nuance of risk management. The key to security is not another panel discussion between four vendors vomiting talking points.

The key to security is simplicity. We must solve actual, tangible business problems. It is time to stop talking, and start doing something.

Overwhelmed

All this complexity has CISOs and business leaders seriously
fatigued. I observed a broad range of behaviors and reactions from people in leadership
roles who are fed up with security.

On one extreme, there are the emotionally insecure CISOs who
constantly badmouth vendors and beg for us to understand their selfish needs. Unfortunately,
these dinosaurs have a loud howl on the downward spiral to extinction.

The more well-adjusted leaders are keeping their hostility in check and bypassing all the products and promises. They are looking for fully orchestrated solutions rather than yet another silver-bullet point solution. This is a big conceptual change that I will discuss later in this blog.

But most of the leaders are lost. Adrift on a sea of fear, uncertainty,
and doubt.  Which is why we have caturday!

Just forget everything wrong in the world for a moment and watch the dancing kitty.

Is that a Cute Kitty?

The expo was as loud and noisy as ever, but there were fun things
to do. Moscone is looking a lot better. The new expo hall layout was much better.

Also, there were puppies (at ThreatQuotient’s booth) and kittens
(at TinFoil security). Yeah, it’s a gimmick, but who cares, they were super cute.

Our gimmick was bags of Portland’s own Stumptown coffee. It was so popular we gave away 1000 pounds of
the magical elixir of life.

Cats, coffee, and security…I’d buy that for a dollar. 

Yawn, Innovation

In the less adorable category, I did not see a single interesting
new technology. The Innovation Sandbox winner was … drum roll … an asset management
company.

Seriously?

Okay, sure, asset management is an extremely important aspect
of security. But innovative? Maybe back when Nine Inch Nails was considered edgy.

I mean no disrespect to the winner; their product is perfectly
good. This win, however, exemplifies how little RSA has changed in the last 20 years.
Surely there must be some AI powered secbot learning blockchain big data state-sponsored
mathematical heuristic engine with lasers on its frickin’ head technology that is
the next big Gartner Magic Quadrant thing that captivates the masses. No?

Oh, and don’t call me Shirley. 

Cloudward

Saying that security is moving to the cloud is an understatement.
Everybody was talking about the cloud. Even the dude on the street smoking a huge
joint, but that was because the cloud was raining on him. 

The merging of cloud, DevOps, and security is fundamentally altering
how security is done. This is a topic I have written on extensively in this blog.

If you need proof that the cloud is the future of security, then
look no further than security darling Palo Alto Networks. Their $560M purchase of
Demisto was a loud, clear message that the future of their business is automation
and cloud.

The Automation Suite

Which gets me to the one “innovation” that is interesting: orchestration.
Automation may be the hot topic, but orchestration is what makes automation meaningful.
It is not enough to automate a single thing. Automation must be orchestrated into
a workflow that solves a clear, well-defined business purpose.

If you look back over the last 20 years, security has been all
about gadgets that make promises. NGFWs, for example, got more and more powerful,
and made larger promises to protect a network. But a NGFW must be deployed properly,
monitored diligently, and tuned consistently to actually fulfil that promise. Otherwise,
it is merely a box of empty promises.

We have too many promise gadgets. The new realm of innovation
is not another gadget, but rather stitching all those promise gadgets together to
solve a specific business need.

I admit to having bias here. My own company has released a product
in this space: Sherlock Compliance Automation. This is exactly what our technology does. It is not an
endpoint product (or SIEM, or vulnerability scanner, etc.); rather, it automates
the deployment, configuration, and management of that technology to meet a specific
business need (compliance).

Automation and orchestration are what the security world needs, not another silver bullet.

DevSecOps

Which gets to the last big theme from RSA 2019 – DevSecOps. While
this is one of the buzzier buzzwords, it is ultimately what drives orchestration.
I view DevSecOps as the “codification of security.”

Traditionally, security is done after a network or application
is deployed. Let’s call this what it is: after-the-fact security. Which is why we
have an expo hall filled with promise gadgets.

After-the-fact security just makes a mess.

In the cloud, everything is code: infrastructure, configuration,
applications, storage…it is all code, all the way down. Security can now be part
of that. Which means that security can now be enforced and enabled by default, and
by design. This also shifts security left, to be an integral part of the development
process. It has the added benefit of forcing developers to build within a secure,
compliant environment right from the start.

Security, development, and operations all become part of a common code base. The benefits of this are huge. I could spend another 2000 words on this, but I will leave that for my next blog entry.
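To make “security as code” concrete, here is an added example (it is not code from this post, nor Anitian’s Sherlock product). It evaluates a small policy set against an infrastructure definition before anything is deployed, which is the “enforced by default, and by design” idea above. The resource schema and the policies are hypothetical and simplified; the definitions are constructed inline so the script runs offline.

```python
"""Policy-as-code gate over an infrastructure-as-code document.

Added illustration for the DevSecOps discussion; not from the original
post and not Anitian's product. The resource schema is a hypothetical,
simplified stand-in (not real Terraform or CloudFormation syntax) and the
policies are constructed examples of "secure by default" rules a CI
pipeline could enforce before deployment.
"""
import ipaddress
import json

# Constructed sample: the "after-the-fact" state, with two misconfigurations.
SAMPLE_IAC = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "app-logs",
         "public_read": True, "encrypted": False},
        {"type": "firewall_rule", "name": "ssh-in",
         "direction": "ingress", "port": 22, "source_cidr": "0.0.0.0/0"},
        {"type": "firewall_rule", "name": "https-in",
         "direction": "ingress", "port": 443, "source_cidr": "0.0.0.0/0"},
    ]
})

# Constructed sample: the same resources written to comply with the policies.
FIXED_IAC = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "app-logs",
         "public_read": False, "encrypted": True},
        {"type": "firewall_rule", "name": "ssh-in",
         "direction": "ingress", "port": 22, "source_cidr": "10.0.0.0/8"},
        {"type": "firewall_rule", "name": "https-in",
         "direction": "ingress", "port": 443, "source_cidr": "0.0.0.0/0"},
    ]
})

# Management ports that must never be exposed to the whole internet (assumed list).
ADMIN_PORTS = {22, 3389}


def check_bucket(res):
    """Storage policy: no public read, encryption at rest required."""
    findings = []
    if res.get("public_read"):
        findings.append(f"{res['name']}: bucket allows public read")
    if not res.get("encrypted"):
        findings.append(f"{res['name']}: bucket is not encrypted at rest")
    return findings


def check_firewall(res):
    """Network policy: admin ports may not accept ingress from 0.0.0.0/0."""
    findings = []
    if res.get("direction") != "ingress":
        return findings
    net = ipaddress.ip_network(res["source_cidr"], strict=False)
    # prefixlen 0 means the rule matches every source address
    if res["port"] in ADMIN_PORTS and net.prefixlen == 0:
        findings.append(f"{res['name']}: port {res['port']} open to the internet")
    return findings


# Resource type -> policy function; unknown types are ignored.
CHECKS = {"storage_bucket": check_bucket, "firewall_rule": check_firewall}


def evaluate(iac_json):
    """Return every policy violation found in the document (empty = clean)."""
    doc = json.loads(iac_json)
    findings = []
    for res in doc.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def gate(iac_json):
    """Pipeline gate: deployment is allowed only when no policy is violated."""
    return not evaluate(iac_json)


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_IAC):
        print("FAIL", finding)
    print("deploy allowed (sample):", gate(SAMPLE_IAC))
    print("deploy allowed (fixed): ", gate(FIXED_IAC))
```

Run as a pipeline step, the gate blocks the merge or deployment when evaluate() returns anything, so the developer fixes the definition before it ever reaches an environment; that is the difference between security enforced in the code base and security bolted on afterwards.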

Of course, this requires a whole different skill set. Specifically,
you have to be able to code, or at least to comprehend how the code is built. This
partially explains some of those hostile CISOs I mentioned earlier. Change affects
people in different ways.

Surely, the Best of Times?

RSA is due credit for a theme that was simple. “Better” is a
concise way to compress down where security is, and where it is going. If security
is ever going to become simple, it starts with the simplest things.

RSA is not perfect, nor will it ever appeal to all. It is, for better or worse, the big event of our industry. I mock it, but I also love it. It is infuriating, and exhilarating. It is the best of times, and the worst of times. It is the age of wisdom, and an orgy of foolishness. It is another strained cultural reference, and the end of my blog.

See you next year, and stop calling me Shirley.

*** This is a Security Bloggers Network syndicated blog from www.anitian.com authored by Jackson Hager. Read the original post at: https://www.anitian.com/rsac-2019-better-than-what/