Bringing Sexy back (to Security): Mike’s RSAC 2012 Wrap-up
By Mike Rothman
Oh yeah. I’m back in the ATL after a week at the RSA Conference. Aside from severe sleep deprivation, major liver damage, and some con flu… I’m feeling great. It seems everyone else is as well. Something appeared at RSA that we haven’t seen for at least 3 years: smiles. Which I guess is to be expected, since in 2009 and 2010 everyone walked around with hard hats, expecting the sky to fall. In 2011 there were some positive signs but still a lot of skepticism, which was gone this year. Almost everyone I talked to was very optimistic for 2012 and beyond.
As a contrarian, my first instinct was that we must be breathing our own exhaust. You point to two other guys and they say they are optimistic, and then it becomes the perception of optimism, rather than optimism you can pay your mortgage with. But even when challenged, everyone felt pretty good. Even the tools felt sexy. It didn’t help their hygiene much, but you can’t expect the world to change overnight, can you?
To be clear, the idea of Bringing Sexy back (to Security) is not mine. Someone said it to me when I was in a drunken haze. I thought it was Rich, but he wouldn’t acknowledge it. So if you were the one who said it to me, thanks. It’s a great assessment of where we are at, after years in the compliance-driven darkness.
Pendulum Swinging back to Security
Speaking of compliance, overt messaging around our least-favorite C word was pretty muted at the show this year. PCI is old news. HITECH enforcement is an unknown quantity, and for the most part, unless an organization has been sleeping for the past 7 years, it should be in decent shape regarding the low bar that a compliance mandate represents.
Now actually securing something? That’s entirely different, and as such, the pendulum clearly swung back toward more of a security message on the floor this year. Which should warm the hearts of all you security folks nauseated at the game we have had to play to get our security projects paid for out of the compliance budget.
So when you do next year’s holiday cards, send one to the Red Army and probably Anonymous. By then you’d expect both organizations to be Doxed, so you may even have an address. And they both probably own the USPS, so they can get their own mail as well, if they care to… Kidding aside, between high profile targeted attacks and chaotic actors, it is now clear to most organizations that PCI isn’t good enough. And that means we need to start talking about security again.
Also be thankful that we’ve seen innovation in perimeter security gear (think NGFW), as well. Given the number of depreciated firewalls awaiting something interesting to drive a perimeter security renewal/re-architecture, having NGFW gear reach stability created a wave of buying that has also driven many of the public security companies. Those that HP and IBM haven’t overpaid for yet, anyway.
Honestly, it was great to actually talk security this week, and not weird funding strategies. Really great.
BigData Hype did not disappoint
As we highlighted in the RSA Guide 2012, it has been obvious that BigData would be a big theme at the show. And it was. I ran into Joe Yeager from Lancope on my flight home and he joked to me that we should sell Powered by Hadoop stickers for $20K each. Given that every company needs to jump onto the BigData bandwagon, Joe is exactly right. Those would fly off the shelf.
Apparently the marketers still haven’t figured out the difference between BigData and a lot of data, but that’s okay. Hyperbole rules the trade show floor (and some booth babes shaking their things), so it’s all good. But I suspect we’ll be seeing a lot of BigData at security conferences for the foreseeable future.
Cloud still prominent
It was also all cloud, all the time, at RSA this year. Again, not a surprise and probably justified. Though there was a lot more SECaaS (SECurity as a Service), than actual cloud security. I’m sure Rich will want to expand on this a bit at some point, but we saw plenty of folks talking about encrypting data in the cloud, along with lots of focus on managing cloud instances and the security of those instances. And all that is great to see. Real innovation is happening in this space, and not a second too soon – folks are doing this cloud thing, and we need to figure out how to protect that stuff.
Yes, we saw a bunch of cloud washing, especially from the network security folks, who made a big deal about their VM instances that can run in the cloud. After hearing for years about how their hardware prowess makes their boxes great, it was kind of funny to hear them talk about how their stuff runs great in the cloud, but whatever. It’s a bandwagon and RSA requires you to jump aboard or get left behind.
Good vibrations on BYOD
The other area that we expected to hear a lot about was mobile security, specifically this BYOD stuff. At the e10+ session on Monday morning we did an entire section on BYOD and it spurred a great discussion. Here are some takeaways:
- iOS is cool, Android is not, and BlackBerry is dead: That’s not to say BlackBerry is gone, but it’s just a matter of time, as almost everyone in the room was migrating to another platform. It’s also not that Android isn’t showing up on corporate networks – it is, but with caveats. We’ll get to that. iOS is generally accepted as okay, mostly because of the way the App Store screens applications prior to availability.
- Everyone has policies, most are not enforced: We spent a good portion of the session talking about policies, and everyone agreed that documenting policies is critical. Though enforcement of these policies is clearly lagging, especially for senior folks. But every employee seems to know the corporation can wipe their device, and many folks at the show have wiped devices, and even got a thank you from the user (who actually appreciated their help). Wait, what? Yes, employees were happy the corporation wiped the device. That’s a security win.
- MDM is still young: Almost everyone was looking at something to manage devices. But most of the solutions weren’t enterprise-class yet. This is going to be a huge market and there will be a lot of competition, so don’t sign long-term deals.
- Good Technology is everywhere: One of the caveats of using these smartphones is using something like Good to create a sandbox, so employees can only access corporate data through that secured app. Most were using it for email, and some have extended it to proxying other apps, even on Android. So they’ve basically reduced corporate use of smartphones to a single app, but it seems to work. I’m sure Motorola is ecstatic they spun Good out a few years ago.
Other random thoughts
Evidently security folks like racecars, because we saw a bunch of racing cars on the show floor in all their glory. I know that both Barracuda and Kaspersky sponsor race teams, so I get that. But a bunch of other companies had fancy cars on the floor and didn’t even give them away. Which kind of sucked. These companies are teases – if they are going to go that way why not use booth babes? Security admins can’t afford either Ferraris or booth babes, and the babes are at least nicer to look at as you pass by on the floor. Yes, Alan, I’m baiting you.
If you do incident response, you can write your own ticket. Every company I talked to that did any kind of incident response talked about how hard it was to get great folks. And it’s hurting the larger I/R shops, as most have backlogs of 3-6 months or more. When people have asked me what they should specialize on, I have always said application security. I figured the skills gap was so significant they’d always be able to get work. And that’s still true, but given the number of breaches we see, incident responders are worth their weight in gold. So I’m changing my tune on that one. Forensics FTW.
A big thanks
The events we were involved in (e10+, the Security Bloggers’ Meet-up, and the DR Breakfast) were very well attended. Actually, too well attended – we need to think about expanding all of the above for next year. This is a great problem to have, and we are thankful to have these discussions.
A case in point was at the DR Breakfast. Our contributor, Dave Mortman, commented that at the first DR Breakfast he knew everyone. This year he didn’t know most of the folks at the event. I’m in the same boat. I got to meet a lot of the folks I didn’t know, but not everyone, and that’s great. We love hosting the event, and of course owe our sponsors Threatpost, SchwartzMSL and Kulesa Faul big time for helping us host it.
So with that, see you all at Black Hat if not sooner. Now back to our regularly scheduled blogging, pontificating, and all that other stuff we do.
Photo credit: “Swing time” originally uploaded by Dave-F