IT Focus Area: Security
May 25, 2018
From Cyber Fatigue to Cyber Joy: a Look Back at RSA Conference 2018
RSA Conference 2018 drew approximately 50,000 attendees to San Francisco for a whirlwind week of security industry activity across a four-building campus. The conference featured 550 sessions and 650 exhibitors sharing ideas about the latest cybersecurity threats, trends, and technologies.
With so much content clamoring for attention, it is impossible to recap every highlight. Here is a glimpse into some of the keynotes, news, and sessions that caught our attention.
The keynote line-up was eclectic, with 17 speakers ranging from RSA President Rohit Ghai to Monica Lewinsky. Topics aligned with the conference theme, Now Matters, and focused on actions that can be taken to address cybersecurity issues. Here are a few that stood out:
RSA President Rohit Ghai
Rohit Ghai took an optimistic stance in the conference’s opening keynote, asserting that cybersecurity is getting better, not worse. Despite all of the breaches making headlines, we need to focus on cybersecurity silver linings. He referenced Marcus Buckingham—a leading business expert—and his recipe for lasting success.
When you study lastingly successful people, you find that they have one thing in common: they focus on their strengths and manage around their weaknesses. —Business consultant Marcus Buckingham
We should consider this approach in cybersecurity and do more of what’s working, faster. Additionally, we need to pay attention not only to security technology, but to the psychology of defense. “The spirit of the defender matters as much as the shield that he or she wields,” Ghai said.
He outlined three silver linings that can act as a blueprint for our strengths, fuel for our spirit, and a catalyst for advances yet to come.
1. End of the silver bullet fantasy: focus on risk orientation, not the latest shiny gizmo. Between complacency and recklessness is a “goldilocks zone” of risk. Organizations can stay in that zone through business-driven security. The knowledge of our business context is the only asymmetric advantage we have over cyber adversaries, and it helps us get the big things right. Cyber hygiene, such as patching, helps us get the small things right. If we address incidents based on business context, focus on the crown jewels of the organization, and make incremental improvements everywhere, we can achieve “cyber joy”, which he defines as the feeling you get when you kick the hackers’ behinds.
2. Quicksilver law of cyber defense: establish a Quicksilver-like pace to adopt technology, and better anticipate adversaries. Using the 1963-1964 Boston Celtics as an example, Ghai stressed that the best defensive teams anticipate better than anyone. Former Celtics player Bill Russell, when asked about the team’s secret sauce, stressed both speed and anticipation. Being at the right place, at the right time, before the adversary—just like Marvel Comics superhero Quicksilver.
On the cybersecurity court, the ball moves fast. New technology, such as artificial intelligence (AI), is getting adopted faster than ever, and it’s as much a target as it is a weapon. However, we’re making progress towards closing the “cybersecurity afterthought gap”—the gap between when a technology emerges, and when we actually learn to leverage it and protect it.
3. Magic of sterling teamwork: ensure teamwork both inside and outside the organization. Using the sport of rowing as an example, he likened security to a weak-link sport that cannot be won unless everyone contributes. Rowing requires teamwork both inside and outside the boat; to win in cybersecurity, we also need cooperation “inside the boat,” between cybersecurity and risk teams, and “outside the boat,” from business stakeholders, policy makers, regulators, universities, IT leadership, and even users.
He closed by emphasizing that data and technology are fuels for our digital transformation, and our trust in them is tenuous. We must collectively strive to avoid a breach of trust in technology.
Microsoft President Brad Smith
Brad Smith kicked off “The Price of Cyber-Warfare” with an allusion to a December 2017 BBC article titled, “If 2017 could be described as 'cyber-geddon', what will 2018 bring?” The question to focus on, Smith says, is not what 2018 will bring to us, but what the security industry can bring to the world. We need to learn from last year’s wake-up calls, WannaCry and NotPetya. These were not attacks that pitted machines against machines, but machines against real people, with devastating consequences. In the UK alone, over 19,000 medical appointments—including life-saving surgeries—had to be canceled when WannaCry hit.
At the end of World War II, Smith pointed out, world leaders came together through the Geneva Convention and agreed to protect civilians during times of war. Last year, we saw civilians being attacked during a time of peace. It’s time for a new, digital Geneva Convention. We need to get countries to agree to stop targeting technology companies, stop targeting electrical grids, stop targeting the private sector, and stop targeting hospitals. We need governments to work with us, and we need to work with them, to make the world a safer place.
The Cryptographers’ Panel was chaired by RSA CTO Zulfikar Ramzan. Panelists included Ron Rivest of MIT and Adi Shamir of the Weizmann Institute (the ‘R’ and ‘S’ in RSA, respectively), public key cryptography co-creator Whitfield Diffie, security researcher Paul Kocher, and Signal founder Moxie Marlinspike.
Ramzan kicked things off by asking, “What’s top of mind?” Rivest called out election security as a major area of focus. Shamir noted that as an academic, he’s troubled by the lack of precise definitions and theorems in cybersecurity. “It is time to make cybersecurity quantitative, rather than qualitative,” he said. Diffie made a touching tribute to his wife, Mary Fisher—“the elder mother of public key cryptography”—who died shortly after RSA Conference 2017. Kocher’s concern was the trade-off between security and performance gains. Security is a multi-trillion dollar problem, he said; the value we get from performance gains is a rounding error by comparison. Marlinspike stressed a recent shift in the perception of social technology, from a path to a brighter tomorrow to a weapon in the wrong hands.
The discussion moved on to the merits of blockchains, about which the panel was not very optimistic.
Rivest pointed out that three things make blockchains interesting: they’re decentralized, they’re public access, and they’re immutable. However, he said, they fail miserably in terms of scalability, throughput, and latency, and for uses like voting—which requires a centralized database—they’re a poor fit. Shamir agreed that blockchains are over-hyped but noted legitimate applications, such as ensuring the long-term security of digital signatures as quantum computers ultimately become available. Marlinspike maintained that the primary value of blockchains, their distributed nature, is also their downfall. "Distributed systems generally don’t work," he said.
When Ramzan brought up the Facebook–Cambridge Analytica data scandal, the response was scathing. Kocher said there was a lot Facebook could have done to protect the data, but it came down to economics; it was not in their interest to do so.
In many ways, Facebook is the Exxon of our time. It is a daily part of everyone's lives that everyone despises...like Comcast. —Signal Founder Moxie Marlinspike
Marlinspike pointed out that despite the “egregious” violations, it is unlikely people will walk away from a platform that, for many, has become synonymous with the internet itself.
In a nod to Ghai’s keynote, Ramzan asked the panel to close by suggesting silver linings in the field of cryptography. Rivest said he’s pleased to see the increased focus on election security, and Shamir joked that our job security is guaranteed, exclaiming, "We’ll be needed for a very long time!"
U.S. Department of Homeland Security Secretary Kirstjen M. Nielsen
The Honorable Kirstjen Nielsen began with a joke about cybersecurity ignorance in Washington D.C., where members of the political elite are prone to wondering aloud why the dark web is dark, and why bitcoins can’t be pulled out of an ATM. Her tone grew serious as she said we’ve reached a turning point in cyber history. Digital security is merging with personal and physical security, and people are waking up to that fact. Every facet of our society is being targeted, and cybersecurity is now everyone’s problem.
By 2021, cybercrime damage alone is expected to hit $6T annually. To put that in perspective, that’s almost 10 percent of the world economy. —DHS Secretary Kirstjen M. Nielsen
She noted five areas in which the DHS is looking to partner with the security industry to make improvements in response to threats:
1. Systemic risk: we must be more aware of vulnerabilities built into the fabric of the internet, of single points of failure and concentrated interdependencies. We need to hunt down security gaps and share actionable information to close them.
2. Collective security: your risk is now my risk, and my risk is now yours. We cannot protect ourselves in a vacuum. We have a weakest-link problem, and we all have a role to play in advancing security. Bad guys are crowdsourcing their attacks, and we need to crowdsource our response.
3. Federal role in cybersecurity: a shift from regulators to empowerers. DHS wants to help manufacturers build security into the design of products and move from “first to market” to “first to market secure.”
4. Focus on resilience rather than prevention: we need to focus on advanced persistent resilience and build in redundancies. Fail gracefully, innovate as we recover, and bounce forward rather than back.
5. Cyber-deterrence: complacency is being replaced by consequences. DHS is working to identify and punish America’s cyber adversaries.
She asked the security community to work with DHS to collectively raise our shields, without lowering our standards or level of innovation.
Two industry announcements generated a lot of buzz. The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) released version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the Cybersecurity Framework.
Cybersecurity is critical for national and economic security. The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs. —Secretary of Commerce Wilbur Ross
Version 1.1 includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.
Microsoft announced a new Cybersecurity Tech Accord, which was signed by a group of 34 technology and security companies as part of the effort to achieve a digital Geneva Convention. The agreement promises to “defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states,” regardless of where they take place or who perpetrates them.
The accord aims to defend against the misuse of technology, strengthen protections, improve collaboration, coordinate vulnerability disclosures, and refuse to assist governments in launching cyberattacks. Members of the initial group include Microsoft, Arm, Cisco, Dell, Facebook, LinkedIn, HP and Nokia, along with RSA, Oracle, Symantec, Trend Micro, FireEye, and others. Membership is open to additional companies, but they have to be trusted, share high cybersecurity standards, and “adhere unreservedly” once they sign up.
This tech sector accord will help us take a principled path towards more effective steps to work together and defend customers around the world. —Microsoft President Brad Smith
While there may be a lack of specific action detailed at this stage, it’s early days; the group’s first meeting took place during the conference. Some absences from the agreement were surprising, including Amazon, Apple, and Twitter, while others—such as Russian and Chinese companies—were not.
Numerous new products and product enhancements were announced during the conference. Here is a brief rundown:
Cisco announced improvements to its Advanced Malware Protection (AMP) for Endpoints platform, including enhanced visibility features that benefit from threat information provided by Cisco’s Talos research group and third-party sources.
CrowdStrike announced the addition of Real Time Response and Real Time Query features to its Falcon Insight EDR solution, enhancing incident response and cyber resilience capabilities.
Cylance announced AI enhancements to its portfolio that are being delivered as modules in the CylanceOPTICS threat hunting and visibility platform.
F5 Networks updated its DDoS Hybrid Defender, combining an on-premises appliance that works at the network and application layers with a cloud-based scrubbing service to handle the overflow from extremely large attacks.
Fidelis Cybersecurity upgraded its Elevate platform to secure cloud assets by deploying and managing deception defenses in cloud environments.
ForeScout introduced version 8 of its Internet of Things (IoT) security product CounterAct, which supports up to 2 million devices in a single enterprise manager.
IBM Resilient announced the launch of Intelligent Orchestration with the next-generation of its Resilient Incident Response Platform (IRP).
Intel announced three new security measures that will be built into future chips and assume some of the load previously put on security software, which should improve performance and stability.
McAfee expanded its cloud security capabilities with the McAfee CASB Connect Program, which provides a self-serve framework to enable cloud application services to build API connectors to the McAfee Skyhigh Security Cloud Service.
Microsoft made two IoT-security related announcements: a preview of Azure Sphere, which provides security for MCU-class devices, and the company’s participation in an IoT Security Maturity Model, which is being developed in partnership with the Industrial Internet Consortium (IIC).
Symantec announced enhanced Targeted Attack Analytics (TAA) capabilities for its Advanced Threat Protection (ATP) customers.
Trend Micro announced a new AI-powered writing style analysis capability, which uses machine learning techniques to enhance email security.
Tripwire announced expanded support for cloud environments with its Cloud Management Assessor (CMA) product. The solution now features File Integrity Monitoring (FIM) capabilities for addressing publicly exposed data in the cloud.
Most Innovative Startup
BigID won “RSAC Most Innovative Startup 2018” at the conference’s Innovation Sandbox Contest. A judging panel composed of venture capitalists, entrepreneurs and industry veterans selected the US-Israeli software company from a group of 10 finalists.
BigID focuses on privacy and personal data protection. It helps customers identify sensitive data in big data stores, and was launched around the same time that the EU announced the General Data Protection Regulation (GDPR).
In “Abstractions of Security: Mining a Decade of RSA”, speakers from security research firm Cyentia Institute presented their analysis of 10 years of anonymized RSA speaking submissions, including more than 2,000 submissions for 2018. Their data made clear that cybersecurity has undergone rapid developments in the past decade—including overcoming resistance to the term “cybersecurity” itself. Their analysis showed how trends and relationships between topics add another dimension to our understanding of our work and the industry.
Some of this year’s sessions that stood out focused on cloud security, blockchain technology, the GDPR, IoT, diversity, AI, security operations, and the DevSecOps movement.
Cloud usage—public cloud, SaaS applications, and hybrid cloud—was front and center. Security vendors are increasingly using the cloud to deliver security services, and providing new software features to secure enterprise applications hosted in the cloud. Security challenges were covered in a variety of sessions, including “This is Your Enterprise on O365,” “Cloud Defender: Detecting and Responding to Adversaries in AWS,” and “Incident Response in the Cloud.”
Blockchain technology, as noted during the Cryptographers’ Panel, was a subject that sparked debate. A full-day seminar served as a forum for industry leaders and attendees to delve into topics related to key components of blockchain, from ledgers to cryptocurrencies. Security experts offered diverging views about whether it truly fits into the enterprise, how it could be exploited, and whether its risks outweigh potential benefits. “Blockchain, Bitcoin and Smart Contracts and the Future of Security” was among the highlights.
GDPR was a major focus. An all-day GDPR Essentials seminar, and sessions with titles such as “Get up to Speed on GDPR Fast”, “Get Cookin’ With GDPR” and “The EU’s GDPR—Beauty or Beast?”, featured security experts from around the world providing their insights to help companies gain a better understanding of GDPR’s structure, requirements and penalties, and how it affects cybersecurity plans.
One bit of GDPR-related news to take note of: Europeans will soon be able to file class-action lawsuits for violations, instead of having to sue individually. This provides yet another incentive for companies to come to terms not only with the GDPR, but with data protection and privacy in general. Get it right, and you can enhance your brand reputation and resilience going forward. Get it wrong, and you are likely to end up in the financial—and legal—line of fire.
With the May 25 deadline upon us, thoughts have turned to enforcement. Consequences for non-compliance can include fines of up to four percent of annual worldwide turnover, and instructions to cease processing. In “When Will the Big Scary Fines Happen, and How Do You Avoid Them?” the assessment criteria for violations leading to warnings, reprimands and fines were discussed, and the audience was reminded that organizations of all sizes are in scope.
In addition to efforts to identify and classify sensitive data, there are four important things companies subject to the regulation should have in place by now, at a minimum:
- A Data Protection Officer
- Data protection register management
- Data processor and third-party risk management
- Incident response management and reporting
The Article 29 Working Party’s guidelines on the application and setting of administrative fines provide clarity on how the rules are enforced.
Multiple sessions, including “My Voice Is Your Command: The Perils of Smart Voice Assistants” and “The New Landscape of Airborne Cyberattacks”, focused on threats related to voice assistants and other devices.
By 2020, one third of successful attacks experienced by enterprises will be on data located in shadow IT resources, including shadow Internet of Things (IoT). —Gartner, How to Respond to the 2018 Threat Landscape
Organizations need to gain visibility into the devices on their networks, and take action to mitigate the risks they present.
A variety of speakers conveyed their thoughts, backgrounds and perspectives on the importance of diversity to the advancement of cybersecurity. In “Diversity in Cybersecurity—Changing the Conversation,” Professor Kim Jones, Director of the Cybersecurity Education Consortium at Arizona State University, expressed concern that the security industry is not ready to take diversity seriously. He pointed out four things that we should be doing:
1. Separate the diversity issue from the talent gap issue. Even though security is a meritocracy, we’re not attracting a diverse talent pool. Women make up only 10.5 percent of security professionals. Latinos and African Americans are less than 12 percent combined. We are a profession that is “pale, male, and stale.” If we don’t separate the two issues, diversity problems will persist even as we fill the talent gap.
2. Own the message. The images of bad guys in hoodies, hunched over keyboards that are often depicted in security branding do not appeal to women, minorities, and immigrants. We need to refocus our messaging. We are not about emulating bad guys—we’re about keeping people safe. If we change our messaging, we can broaden our appeal.
3. Remember: being the diversifier is hard. Companies need to go beyond just having diversity programs. Ask yourself:
- What are you really doing about diversity?
- Where are you recruiting?
- What are you doing as a leader to make your organization welcoming?
4. Move the discussion to the main hall. We need to recognize that this is a critical issue, and bring the conversation up—even if it is uncomfortable—as we interact in the industry.
AI, Machine Learning & Deep Learning
In “Evaluating AI and ML-Based Security Products”, speakers from Invincea, NSS Labs, Cylance and Capital One pointed out the confusion around terms such as AI, machine learning (ML) and deep learning and sought to, “...cut through all the BS and get down to brass tacks.”
- Artificial intelligence involves machines that can perform tasks that are characteristic of human intelligence. It includes things like planning, understanding language, recognizing objects and sounds, learning, and problem solving.
- Machine learning is a way of achieving AI. Instead of hard coding software routines with specific instructions to accomplish a task, ML is a way of enabling an algorithm to learn how. It involves feeding the algorithm large volumes of data, and allowing it to adjust itself and improve.
- Deep learning is an approach to ML that takes some of the core ideas of AI, and focuses them on solving problems with neural networks designed to mimic human decision-making.
With endless AI, ML, and deep learning product pitches, organizations are often skeptical of vendors’ claims and don’t know how to address the challenges of testing the products themselves. Truly independent (not sponsored) third-party testing is essential in order to address testing complexity and gain objective guidance. However, there are gaps between real-world production networks, real-world threats, and the testing that occurs in a lab. Every environment introduces its own variables, so in addition to leveraging independent tests, organizations should conduct their own proof-of-concept testing.
Organizations are suffering from cyber fatigue, with too many alerts, too many technologies, and not enough people. Base content in a security information and event management (SIEM) platform can generate 1,000 alerts a day—far too many to investigate and respond to. Even with SIEM optimized to reduce the number of alerts that need attention, it may still be too much to handle in-house. Companies are doing as much as they can with process and technology—taking SIEM to the next level with tools such as user and entity behavior analytics (UEBA) and cognitive computing-based orchestration and response—but are struggling to hire and maintain the right people.
The global cybersecurity workforce is predicted to be short 1.8 million by 2022. —Frost & Sullivan Global Information Security Workforce Study
While most organizations have deployed SIEM, many do not have an in-house security operations center (SOC). Presenters of “From SIEM to SOC: Crossing the Cybersecurity Chasm” advised CISOs and technology leaders contemplating building their own SOC to be cognizant of the cost and staffing implications involved. It is important to understand what your needs are, what you can do in-house, and what you should outsource. Many organizations are taking a hybrid approach to security operations, keeping their SIEM on-premises and leveraging a managed services provider (MSP) to monitor and manage it. This saves some of the cost and frustration involved with staffing and increases the productivity of in-house analysts, allowing them to be more strategic.
A full-day DevSecOps event featured members of both development and security teams. “Integrating Security with DevOps Toolchains” highlighted the DevOps security practices of three large companies, including Target and UnitedHealth. Tips for successfully bringing security into the picture with a focus on automation were presented by DevOps evangelist Hasan Yasar in “Dos and Don’ts of DevSecOps.” Additionally, a panel of experts presenting “DevSecOps: Whose Job is it Anyway?” noted that security is making progress towards shifting our image, and helping developers make security synonymous with quality.
Stephanie Derdouri, Director of Vulnerability Management & Information Security at Fannie Mae, pointed out that we need to get our message across in ways that provide value in order to be seen as a true advisor, rather than a scary monster with a compliance checklist.
Fannie Mae is teaching developers how to write secure code up front with this in mind. Their developers are also taking advantage of scanning tools and, as she put it, “...doing the right work early, with security engaged in an advisory role.” Derdouri added that since initiating the training program, they are discovering and remediating more vulnerabilities than ever before. Her advice on getting started with DevSecOps? Pick one thing that your security team is doing right now—a report that’s being compiled, a scanning process that’s taking place, etc.—and make it better. Find out how the people receiving the information you are providing are experiencing it, and build off of that.
Driving Cultural Change
There are more highlights than we can mention on a variety of other hot topics, including the CIS Controls V7, identity, human manipulation, automation, dangerous new attack techniques, and more. We have barely scratched the surface of RSA Conference 2018! If there is one key takeaway, it is that we need to work together to drive a stronger security culture. The challenges of cybersecurity are too immense for us to handle on our own. Increasing collaboration across the public and private sectors, improving teamwork, taking diversity seriously, and making incremental improvements everywhere are critical to protecting data, and closing the trust gap. Now really does matter. The security community came together in unprecedented numbers to attend this conference; if we can stay together in spirit we can address the world’s security problems, and ease the path from cyber fatigue to cyber joy.