For five days last week, tens of thousands of security professionals filled the multiple venues that constituted the RSA Conference 2019. Across the many sessions, exhibitors and product announcements, some key trends and themes emerged.
The overall theme of the conference was "Better" -- how cybersecurity as a whole can be better and what organizations can do to improve their own security outcomes. The theme of better echoed in a number of areas, ranging from new security tools to better approaches for forecasting risk and a better overall understanding of what success in security requires. In this eSecurity Planet roundup, we look at the top 10 takeaways from the RSA Conference 2019 and how they can help improve security in the months and years ahead.
1. Complexity and lack of understanding creates security gaps
Multiple speakers and sessions throughout the conference emphasized the complexity of many security technologies.
Rob Westervelt, research director of Security Products at IDC, said the growing complexity of security solutions has led to gaps in coverage, as organizations don't fully understand the capabilities of the technology they have deployed. Complexity also leads to misconfiguration and to security policies that are not uniformly deployed across an enterprise's IT footprint.
Complexity has also led organizations and individuals alike to avoid using two-factor authentication (2FA) pervasively. Researchers L. Jean Camp and Sanchari Das from Indiana University-Bloomington detailed the challenges of 2FA adoption in an RSA Conference session. The researchers concluded that simply providing security technology like 2FA to users isn't enough; it's also critically important to communicate why and how to use the technology. Users need to be aware of the risks, and security vendors need to make the technology easier for users to understand.
2. DevSecOps is more than a buzzword
The concept of DevSecOps was discussed in multiple sessions across the conference, with speakers encouraging organizations of all sizes to adopt the emerging approach. DevOps is the idea that developers and operations staff can and should work together in an integrated workflow. DevSecOps inserts security into that process, ensuring that the software development lifecycle itself is kept secure rather than bolting security on at the end.
DevSecOps has often been thought of as an approach where code is scanned after it is built and before it is deployed into production. Cisco Chief Information Security Officer Steve Martino detailed a more nuanced approach in his RSA Conference session.
At Cisco, DevSecOps starts at the beginning of the process, with Martino's team providing developers with a secure development environment that has been hardened and optimized. The secure environment can include on-premises as well as cloud assets that have all been qualified to meet security requirements and enable the secure software development lifecycle.
3. The NSA wants to help security professionals
Perhaps the single biggest new tool release at RSA Conference 2019 was the public release of the National Security Agency's Ghidra reverse engineering tool.
In an overflow session, NSA senior advisor Rob Joyce explained how Ghidra works and demonstrated some of its many capabilities, including its disassembler and decompiler. Reverse engineering is a discipline in which security researchers take compiled code, often of unknown origin, and take it apart, or "reverse engineer" its components, to better understand what the code can do. Reverse engineering is often a primary component of malware analysis, as researchers attempt to figure out what a given piece of code is trying to do.
Joyce emphasized that Ghidra includes lots of help menus and additional tutorials that can help researchers learn how to use the tool and conduct reverse engineering exercises.
4. Forecasting and metrics are pivotal
Preventing and identifying attacks are important activities, but a key theme that emerged at the conference was about the broader idea of having proper metrics that help organizations understand and forecast risk.
Min-Hwei Liu, director of information security at Aetna explained how organizations can and should conduct an exercise to identify their own set of top ten risks. Simply put, one organization's risks might well be different than another's, and having an understanding of the specific risks and threats that are more likely to affect your own organization will lead to a better outcome.
Liu outlined five key steps toward creating a top 10 security risk list for organizations:
- Establish a governance process
- Define a common security risk language
- Identify risk input
- Transform risk input into measurable metrics
- Prioritize risks
5. Focus on reducing risk, not breaches
One of the most oft-repeated terms throughout the conference was trust. Fundamentally, cybersecurity is about having enough trust in a given process or entity that it is allowed to run. Rohit Ghai, president of RSA Security, outlined a possible future in which trust no longer exists, which could lead to cataclysmic results.
Without trust, and the mechanisms that ensure it, IT cannot work, he argued. Trust in his view isn't about security per se, but rather about the ability of organizations to understand and manage risk in order to create a level of trust.
"Think of security as a risk management problem. Focus on minimizing impact, not breaches," Ghai said. "Embrace digital risk management and automate risk identification, assessment and treatment."
6. Zero Trust is the key to cloud security
The term "zero trust" was another common one at the conference, an approach that assumes that all devices and entities are untrustworthy until proven otherwise.
Amin Vahdat, Google Fellow and Networking Technical Lead, noted during his session that the internet wasn't built for an adversarial model; it was designed as an open model to encourage connectivity and collaboration, which leaves the cloud full of security challenges. He argued that no code can be fully trusted and that there is a need for Byzantine fault tolerance, the design approach in which a system keeps operating correctly even when some of its components fail arbitrarily or behave maliciously, on the assumption that there is always an agent somewhere on the network trying to do the worst thing possible.
The zero-trust model, advocated by Google and others at the conference, requires continuous analysis to help ensure that assets on a network are not doing anything malicious. Trust in the zero-trust model is never taken for granted, but is based on observation and regular authentication to help limit risks.
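The per-request decision the paragraph describes, as an added illustrative example (not Google's BeyondCorp code or any vendor's product): every request carries an identity, device posture and behavioural signals, and a policy function decides; the source network is carried along only to show that it is ignored. The field names, the threshold constants and the 15-minute re-authentication window are assumptions for the illustration.

```python
"""Illustrative zero-trust access decision (added example, not Google's code).

Every request is judged on identity, device posture and how fresh the last
authentication is; nothing is trusted merely because it arrived from the
corporate network.
"""
from dataclasses import dataclass
from typing import Optional

MAX_AUTH_AGE_S = 15 * 60   # assumption: re-authenticate after 15 minutes
HIGH_RISK_SCORE = 70       # assumption: behavioural anomaly score that denies


@dataclass
class Request:
    user: Optional[str] = "alice"      # authenticated identity, None if no session
    mfa: bool = True                   # session was established with MFA
    auth_age_s: int = 120              # seconds since the user last authenticated
    device_managed: bool = True        # device is enrolled in inventory
    device_patched: bool = True        # device reports a compliant patch level
    device_attested: bool = True       # device integrity verified (e.g. TPM-backed)
    risk_score: int = 5                # 0-100, from ongoing observation
    resource_sensitivity: str = "high" # "low", "medium" or "high"
    source_network: str = "corp"       # "corp", "vpn", "internet"; must not matter


@dataclass
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Deny-by-default policy: each check must pass before the next is consulted."""
    # 1. Identity: an anonymous request never gets past this point.
    if req.user is None:
        return Decision(False, "no authenticated identity")
    # 2. Freshness: trust decays; a stale session must re-authenticate.
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return Decision(False, "authentication too old; re-authenticate")
    # 3. Device posture: unmanaged or unattested devices are treated as hostile.
    if not (req.device_managed and req.device_attested):
        return Decision(False, "device not managed or not attested")
    # 4. Observation: a behavioural anomaly overrides an otherwise valid session.
    if req.risk_score >= HIGH_RISK_SCORE:
        return Decision(False, f"risk score {req.risk_score} too high")
    # 5. Resource-specific requirements tighten the bar for sensitive assets.
    if req.resource_sensitivity == "high":
        if not req.mfa:
            return Decision(False, "high-sensitivity resource requires MFA")
        if not req.device_patched:
            return Decision(False, "high-sensitivity resource requires a patched device")
    # req.source_network is deliberately never consulted: being on the LAN
    # grants nothing in this model.
    return Decision(True, "identity, device and behaviour all within policy")


def baseline() -> Request:
    """A fully compliant request; tests mutate one field at a time."""
    return Request()


if __name__ == "__main__":
    for label, req in [
        ("compliant from internet", Request(source_network="internet")),
        ("stale session", Request(auth_age_s=3600)),
        ("unmanaged device", Request(device_managed=False)),
        ("anomalous behaviour", Request(risk_score=90)),
    ]:
        d = evaluate(req)
        print(f"{label:24s} allow={d.allow:<5} {d.reason}")
```

The ordering matters: identity and session freshness are checked before device posture so that a stolen-but-stale session is rejected before any device claim is even examined, and the behavioural score is applied to every request, not just the first one in a session.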
7. Innovation is still needed for common issues
The RSA Conference Innovation Sandbox 2019 event on the first day of the conference brought together 10 finalists vying for the judges' award for most innovative new technology. In the end it came down to two firms, Duality and Axonius, both of which address problems that many would consider common but that organizations still find hard to solve.
Duality is in the business of keeping data encrypted and private while still enabling collaboration on it. Axonius tackles the most basic of all IT problems: knowing what IT assets an organization actually has. Axonius was named the winner, though both technologies address what the judges saw as common issues that need to be solved.
Patrick Heim, CISO at ClearSky and one of the judges, said that in his experience he has never gotten a straight answer on what assets an organization actually has.
"It's a fundamental problem in security that for some reason is really obvious but no one has really solved yet and it's crazy important to solve," Heim said about Axonius' asset management technology. "CISOs are looking at back to basics and figuring out what are the fundamentals that we have to fix. Before worrying about ninjas chasing us with APTs and zero days, there are some basic things you have to solve first."
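One way to get the straight answer Heim is describing, as an added example (not Axonius' code): pull exports from several systems that each see part of the estate, normalize the identifiers, and list what is present in one source but missing from another. The four sample exports, their field names and the normalization rule (lower-case, drop the domain suffix) are constructed for this illustration.

```python
"""Added example: reconcile asset records from several sources to find coverage gaps.

Not Axonius' code; the sample exports below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample exports; field names are assumptions for the example.
CMDB = [
    {"hostname": "WEB-01.corp.example", "owner": "web-team"},
    {"hostname": "db-02.corp.example", "owner": "dba"},
    {"hostname": "laptop-alice.corp.example", "owner": "alice"},
]
EDR_AGENTS = [
    {"host": "web-01", "last_seen": "2019-03-08T10:02:00Z"},
    {"host": "laptop-alice", "last_seen": "2019-03-08T09:58:00Z"},
]
NETWORK_SCAN = [
    {"ip": "10.0.1.10", "dns": "web-01.corp.example"},
    {"ip": "10.0.1.11", "dns": "db-02.corp.example"},
    {"ip": "10.0.1.57", "dns": "printer-3f.corp.example"},
    {"ip": "10.0.1.99", "dns": None},   # scanner found a host with no DNS name
]
CLOUD_VMS = [
    {"name": "web-01", "cloud_id": "i-0abc"},
    {"name": "batch-07", "cloud_id": "i-0def"},
]


def normalize(name: str) -> str:
    """Lower-case and strip the domain suffix so 'WEB-01.corp.example' == 'web-01'."""
    return name.lower().split(".")[0]


def build_inventory(cmdb=CMDB, edr=EDR_AGENTS, scan=NETWORK_SCAN, cloud=CLOUD_VMS):
    """Return {asset_key: set(sources)}; hosts with no name are keyed by IP."""
    seen = defaultdict(set)
    for r in cmdb:
        seen[normalize(r["hostname"])].add("cmdb")
    for r in edr:
        seen[normalize(r["host"])].add("edr")
    for r in scan:
        key = normalize(r["dns"]) if r["dns"] else f"ip:{r['ip']}"
        seen[key].add("scan")
    for r in cloud:
        seen[normalize(r["name"])].add("cloud")
    return dict(seen)


def coverage_gaps(inventory):
    """Assets that exist somewhere but lack an EDR agent or any CMDB record.

    Every entry needs triage: a printer legitimately cannot run EDR, but a VM
    that nobody in the CMDB owns is exactly the blind spot being discussed.
    """
    no_edr = sorted(k for k, s in inventory.items() if "edr" not in s)
    unknown_to_cmdb = sorted(k for k, s in inventory.items() if "cmdb" not in s)
    return {"no_edr": no_edr, "unknown_to_cmdb": unknown_to_cmdb}


if __name__ == "__main__":
    inv = build_inventory()
    for key, sources in sorted(inv.items()):
        print(f"{key:16s} {sorted(sources)}")
    print(coverage_gaps(inv))
```

The key normalization is where real reconciliations succeed or fail: each source spells the same machine differently, and without a common key every source looks like its own separate fleet.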
8. Security technologies need to be more integrated
The dizzying array of different technologies and capabilities on the RSA Conference show floor might make some organizations think that they need one of each type of technology to defend the modern enterprise.
The reality, though, is a bit different. Art Gilliland, EVP and GM of Enterprise Products at Symantec, was one of many large-vendor executives at the conference advocating an integrated approach. Rather than running a large number of standalone, disparate systems, Gilliland said that an integrated approach can help eliminate the operational silos that lead to gaps in cybersecurity intelligence and protection. Having a central point of control or policy, whether through an orchestration system, a dashboard or a policy engine, can also streamline operations and reduce overall complexity.
Integration isn't about choosing a single-source supplier either, but rather about having technologies with open APIs and extensibility that let data and telemetry from one technology be useful in another.
9. Education is key to improving cybersecurity
While a lot of focus in cybersecurity is often on tools and technology, without educated humans, cybersecurity isn't as effective.
The need to improve cybersecurity training was highlighted by General Nakasone, commander of U.S. Cyber Command and the Director of the NSA. Nakasone said improving the level of cybersecurity education is now the equivalent of the space race in the late 1960s and is critical to national defense.
Mary O'Brien, general manager of IBM Security, was also among those emphasizing a need for improved training. In her view, training and education are about creating IT agility, where security is about more than just the next technical tool to solve a perceived issue. Education is also about improving diversity in IT, which was the key theme of a keynote delivered by Sylvia Acevedo, Chief Executive Officer of Girl Scouts of the USA.
10. There is no intersection between comedy and security
Keynotes at the RSA Conference are generally tied in some way to the security industry, but that's not always the case. The final keynote at the 2019 event was a conversation between conference chair Hugh Thompson and Hollywood actress and writer Tina Fey.
Early in the conversation, Thompson asked Fey if she saw any lessons learned or similarities between the comedy business and cybersecurity. Fey's response was curt and blunt -- with a simple "no," which left Thompson a bit flustered as he struggled to find common ground. Cybersecurity apparently is not a laughing matter.
While there is no intersection between the comedy business and cybersecurity, there is common ground in what organizations and individuals can do to be better, which after all was the theme of RSA Conference 2019. Fey said that in improv comedy, practice and more practice are needed to get better. Perhaps even more importantly, she said that trusting peers and collaborating with them are the keys to improvement.
In the final analysis, that's what's needed for cybersecurity professionals and organizations to get better too. Having the right tools and technologies in place is important, but improvement and getting better is often reliant on practice, experience and collaborating with others.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.