RSA 2020 Reflection

As I mentioned in my past RSA reflection posts, I like the conference a lot — contrary to some of my industry peers — because I consider it to be “an industry in a room” event. This makes it ideal to quickly soak up what is going on. So, yes, it may be an imperfect mirror of our industry, but a mirror nonetheless.

In 2020, the event started in the shadow of coronavirus / COVID-19, but apparently 36k people still showed up. Was it a good idea? At this point, given what we know now about the consequences, only time will tell. In any case, that time feels like years ago…

So, what are my observations and thoughts after RSA 2020?

General

  • Many observers made comments about unclear and confusing messaging from many security vendors. Further, I’ve seen another interesting trend this year: vendor booths with no messaging at all where the salespeople just shouted “come see a demo.” I think this may indicate that the confusing messaging trend has run its course and hit its penultimate end. To me, this also means that some vendors have given up on trying to find the category or market segment where they belong (“It’s a bird? It’s a plane? Ah, whatever, come see a superdemo!”)
  • One more thing I noticed is that some legacy vendors have caught up with newer trends and buzzwords. For example, a firewall vendor loudly proclaimed that they secure the cloud, while an anti-malware vendors boldly claimed to be EDR or even XDR.
  • Funny enough, I’ve seen enough new vendors with extremely narrow focus. For example: we do sensitive data discovery in one or two types of cloud storage. In the past, some called them “feature vendors” and predicted their rapid demise. Guess what? Now even narrower vendors appeared… In fact, I’ve heard of somebody selling a “better” random number generator — and nothing else. BTW, some of them claimed that their advantage is that they are “focused “…

Zero Trust

  • While another commentator opined that zero trust has declined since last year, I am not so sure. I’ve spotted zero trust labels stuck to many technologies with no real connection to the original Zero Trust Network Access (ZTNA) story. Zero trust was used way, way too broadly, sometimes to denote that the vendor simply does not trust something somewhere …
  • I’ve seen “one click zero trust” (for microsegmentation in the cloud, I think), “zero trust for email”, “zero trust for physical security” (yes, really), “zero trust for OT” (naturally) and a wide range of others (zero trust inside CASB anybody? zero trust with encryption?)
  • When asked about the specifics, some disappointed: one vendor explained to me that they are “zero trust” because they don’t trust access firewall rules with IP addresses in them …
  • Note that apart from zero trust, it’s younger brother showed up: SASE (look it up!); I’ve seen at least two booths that mentioned it.

SOC, SIEM, Hunting

  • Sadly, hunting went the way of zero trust noted above: in many vendor materials it just meant “something cool in security ops or detection” — fake hunting seems to have exploded for real in 2020…
  • XDR was spotted in a few places; my impression was that it was somehow more popular with larger, legacy vendors and not start-ups (not sure why).
  • You did guess that SIEM will get its own line, right? So, I’ve spotted a few vendors who now market as “SIEM” even though in recent past, they were merely log management… In reality, deciding if something is a useful SIEM is surprisingly hard.
  • Strangely, MDR was not as visible as I expected — today, in this talent shortage era, a well-done MDR is practically a license to print money…

Network Security

  • We live in an endpoint-centric world (sort of), but this RSA I’ve noticed a distinct revival of network-based detection and monitoring controls. Hey, somebody even launched a network IDS company. There was NTA and even NDR in a few places, sometimes coupled with a modern SOC story.
  • Admittedly, the network crowd has it hard due to TLS / SSL and increasing bandwidth (and now lots more WFH and BYOD), but I also think that the “endpoint is all you need” crowd will ultimately lose the war, even after they won some recent battles.
  • Do we need another signature-based NIDS and another flow-based “NTA”? I doubt it. But do we need to respect the network as a key channel of security visibility? For sure!

Cloud

  • Given my employment, I’ve looked at cloud and multi-cloud security. I spotted quite a few vendors that deliver a layer of cloud security on top of [Instead of? Together with? With no regard for? :-)] the security that cloud providers has built.
  • Why do they exist? Will they exist in the near future? I had a few fun discussions about this, including with some of the vendors. Now, their value proposition is clear for clients who use more than one cloud provider for many projects. Beyond that, they solve problems like these: client’s fear a cloud vendor lock-in, others want separation of duty controls, yet another group wants specific features that their CSP does not have, etc.
  • For sure, I’ve seen a few of the container security vendors (and even Istio security one), but this was not a deluge. Are container threats a big deal yet? 🙂

Data security and privacy

  • This year, I also dug into data security and even a bit into privacy technologies.
  • Here is the thing: I asked a few privacy-related vendors what their customers really buy from them and it turned out that the answer is “compliance” — this surprised me a bit. While there are voices that claim that “privacy is a human right”, those vendors didn’t really sell “human right” as a value proposition — they sold compliance …
  • Overall, I feel that data security somehow lost much of the excitement in recent years. Think about it! EDR, threat hunting, mobile security, IoT security, even app security were generating a lot of excitement recently — but do you see anything new and exciting in data security? A new HSM model or updated data governance rule don’t have their own GOTHIC PANDA threat actor or a logo to promote their causes … Even data breaches lately showcased things other than data security (!).
  • Oh, another anomaly I spotted: when some of the data security-related vendors talked about data they protect, they assume that data equals PII or another type of structured personal data. Why is that? Many secrets are in documents and slide decks too. Such narrow minded focus on structured data seems dangerous to me.
  • Notably, in the past I assumed that DLP and UBA/UEBA would be another happy marriage but the reality today looks different. One part of DLP seems to be thriving — data discovery. As lots of data move to various clouds, nobody really knows where all this will end up. Hence data discovery start-ups and features to do this from the cloud providers were more visible than before.

NOT seen

  • This year I’ve seen a lot less “AI craziness”, a lot less IoT / OT security (perhaps those who launched last year jumped the gun?) and as little insider threat as last year.

Enjoy! And stay safe, of course.

Past RSA Blog Posts:


RSA 2020 Reflection was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.


*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/rsa-2020-reflection-ab96b72be7e5?source=rss-11065c9e943e------2