It’s hard to believe, but we are two weeks out from the RSA Conference. As in previous years, your pals at Securosis have put together our 3rd annual RSA Guide, which we will distribute next week. But we will give you blog reading faithful, an early look at what we expect to see at the show. So let’s with the key themes…
It’s hard to believe, but the RSA breach was less than a year ago. Feels like forever, doesn’t it? At last year’s RSA Conference we heard a lot of marketing puffery about stopping the APT, and guess what? We’re in for another week of baseless claims and excessive FUD about targeted attacks, advanced malware, and how to detect state-sponsored attackers. As long as you remember that you can’t stop a targeted attack, and continue to focus on Reacting Faster and Better, you’ll have plenty to look at. Especially given that our conference hosts acquired the leading network forensics company (NetWitness) last spring. Just remember to laugh as you walk around the show floor in your Red Army uniform.
But there is another return engagement we expect to witness at this year’s RSA: the Guy-Fawkes-mask-wearing crew from Anonymous. Though they have kept busy over the past year occupying every park in the nation, we figure they’ll make some kind of splash at RSA. If only because their boy Topiary’s trial is scheduled to start in May. Obviously it’ll be hard for them to top the grand entrance they made on the back of Aaron Barr and HBGary at last year’s conference, but we figure they’re up to something. Given the continuing rise of chaotic actors, and our inability to build a reasonable threat model against attackers who have no clear motive, it’ll be interesting to see them #OccupyRSA.
Is That a Cloud in Your Pocket?
Or are you just happy to see us? We’ve said it before and we’ll say it again – the overlapping rapid adoption of cloud computing and mobility make this the most exciting time to be in technology since the start of the Internet bubble. I find today far more interesting, because these two trends affect our lives more fundamentally than the early days of the Internet. Then again, avalanches, earthquakes, and someone pointing an assault rifle at your nose are also pretty exciting, but from a different perspective.
Unlike the past two years, at this year’s conference we will see far more real cloud security solutions. Up until now most of what we’ve seen was marketecture or cloudwashing, but merely printing a pretty pamphlet or tossing your existing product into a virtual appliance doesn’t make a real cloud security tool. Of course we see plenty of make-believe, but we see the emergence of new and exciting tools designed from the ground up for cloud security. Our biggest problem is that we still need more people who understand practical cloud architectures, but most of the people I meet at security conferences are more interested in writing policy. Unless you know how this stuff works you won’t be able to tell which is which – it all looks good on paper. But here’s a hint – if it’s the same product name as an appliance on your network, odds are it’s an old product that’s been dipped in a bath of cloudy paint.
And then there’s mobility. I can securely access every file I have on every computer through my phone or tablet, but for everyone like me there are dozens of less paranoid folks doing the same thing with no thought for protecting their data. IT lost the battle to fully control all devices entering the enterprise long ago, and combined with the current dramatic growth in local storage on laptops, even barely-technical users can snarf down all the storage they can choke down from the cloud. You’ll see consumerization and mobility themes at nearly every booth, even the food vendors, but for good reason. Everyone I know is forced to adapt to all those friggin’ iPhones and iPads coming in the door, as well as the occasional malware magnet (Android) and the very pretty, can’t-figure-out-why-she’s-being-ignored Windows Mobile.
Ha-Duped about Security BigData
Yep, it looks like security has gotten intelligence and business-style analysis religion. So you’ll see and hear a lot of BigData, massive databases, NoSQL, Hadoop, and service-based architectures that enable analysis of ginormous data stores to pinpoint attacks. And there is plenty of value in applying ‘BigData’ tactics to security analytics and management. But we clearly aren’t there yet. You will see a bunch of vendors talking about their new alerting engines taking advantage of these cool new data management tactics, but at the end of the day, it’s not how something gets done – it’s still what gets done.
So a Hadoop-based backend is no more inherently helpful than that 10-year-old RDBMS-based SIEM you never got to work. You still have to know what to ask the data engine to get meaningful answers. Rather than being blinded by the shininess of the BigData backend focus on how to use the tool in practice. On how to set up the queries to alert on stuff that maybe you don’t know about. Unless the #OccupyRSA folks are sending you their attack plans ahead of time. Then you don’t have to worry…
It’s supposed to be good for you. It’s in lots of the products you buy. Marketing documents advertise how you’ll stay slender while enjoying tasty goodness. It’s a miracle product and everyone uses it! Yep, I am talking about Olestra! The irony here is that the product actually makes you fatter. Worse, eat too much, and you’ll ‘leak’ like crazy in your pants. Yuck! Notice any similarities between that and IT products? We buy solutions that are supposed to keep us secure, but don’t. These products suck up all your budget and personnel resources. And the coup de grace is your boss – the person who gave you the budget to buy these security tools – has the deluded conviction that your data is secure. You’re leaking like crazy! Your customer database is in Eastern Europe and your super secret schematics are in China – and who’s to blame? Yeah, not so much fun in hindsight, is it?
You will hear about the latest and greatest products at RSA this year, especially for to data security. But what’s different this year? Why is this shiny new model any better than the last shiny new model? That’s right – it’s not, really. So as usual, as you are roaming the show floor, keep everything in context. That means you’ll get back to the office and use risk management analysis to understand what security threats will have meaningful impact on your business, rather than being distracted by less serious ‘noisy’ threats. You’ll re-allocate budget for key technologies that actually solve the problems you need solved. It means getting more out of the products you have, such as Monitoring up the Stack with your SIEM tool and using the rest of the DLP solution you already own. It means more efficient deployments through the cloud, or perhaps using managed security service providers. When you go to the show this year, you should be looking at both your incumbent vendors and the new technology providers with a clear eye on effectiveness. Remember, diet fads ultimately fail because weight loss means a lifestyle change. There’s no magic fat substitute that will allow you to eat yourself thin, nor will you buy yourself secure.
Our focus on the next generation (NG) has been plaguing the security business for years. Basically, it’s an acknowledgement that the stuff we have now stinks, and you need a next generation solution to solve the problem. For the past 4 years we have heard all about NextGen firewalls (NGFW) and now the Big G (that’s Gartner for you Securosis n00bs) has started talking about next gen IPS. As the Who sang so many years ago: “Here’s the New Boss, same as the old boss!”
Of course the path to application-aware network security devices which represent the next generation of network security is where we need to be heading. Being able to block port 80 isn’t very useful anymore, so deep packet inspection and application-centric policies will be all the rage for everyone showing network security gear at the conference. Which means every vendor will have a NextGen box, regardless of what it actually does. You think RSA Conference marketeers are going to let truth get in the way of building buzz on the show floor? Right, no shot.
So as with our little Olestra ramble above, keep everything in context. NGFW is not a magic bullet – it won’t enable you to eat your way thin. But it will provide additional visibility, and then eventually a better bit of control over what’s happening within the protocols that permeate your network. So check them out and see how shiny they are, but don’t think this is the year you finally solve the problem.
Mobile Payment Security Anti-theme
Google wallets. PayPal at the Point of Sale. Payment apps. Square. Smart cards. Chip and Pin. Chip and no pin.
And guess what? There is nothing to see here. That’s right, we are at the cusp of a payment revolution, and you will hear next to nothing about it at this year’s RSA Conference. Thousands of customers are adopting new payment methods, most through their mobile devices, and there is not even a whisper about it at the largest security conference in the world. That’s because security is a reactionary need – nobody is interested until there is a problem. Well, that and the payment providers and card brands don’t want to talk about the negatives – better to get you as a paying customer first. We have already seen mass infection of Android devices, and we understand mobile devices can effortlessly exfiltrate a significant fraction of your intellectual property. So do we believe that mobile payment applications and devices are secure? Is the Pope? – well… hold that thought.
There is no reason to expect these new payment applications to be secure just because they come from big household names. In fact history shows that big firms, rushing headlong to capture market share, only care about security once they have a huge market. Or a huge breach – whichever comes first. That means prioritizing features over security – every time. Based on initial product reviews, there are security holes in every implementation we have seen. And what’s more, there is no guarantee that consumers are protected from liability, as they are currently when using credit cards. So who’s protecting your wallet?
As we have in the past, we’ll dig into each of our key areas in separate posts over the next week. That means breakout sections on networks, applications, data, endpoints, and cloud security. We will also throw in some good stuff about content security and security management. Then we’ll be good citizens and assemble everything into a nice package with booth numbers and other niceties for prospering at the show, which you will be able to carry around on your iPad or smartphone. Yay!