RSA Conference Guide 2013: Key ThemesBy Mike Rothman
It’s that time of year again. Time to get ready for a week of mayhem, debauchery, and the hunt for tchotchkes. OK, there isn’t a lot of debauchery at the RSA Conference besides the Barracuda party at the Gold Club, which we hear is an establishment of high repute. Realistically, you’ll spend most of your week fending off sales droids, gawking at booth babes (much to the chagrin of the security echo chamber), and maybe learning something about what’s new and exciting in security.
As in previous years, your pals at Securosis have put together our 4th annual RSA Guide to give you some perspective on what to expect at the show and some of our key trends for the upcoming year. And we even include the snark for free. These themes are compiled and written by the entire Securosis team, so don’t pay too much attention to the posting author when you call us out.
We’ll give you blog-reading faithful an early look, over the next 10 days, at what we expect to see at the show. So today we start with the key themes…
Security folks have been dealing with malicious software since the days when your networking gear came with a swoosh on it. Yes, you young whippersnappers – back when sneakernet was the distribution vector for viruses. But what’s old is new again, and driven by advanced attackers who figured out that employees like to click on things, we expect almost every vendor at the show to be highlighting their ability to not block advanced attacks. Oh, was that a Freudian slip? Yes, you’ll hear a lot about newfangled approaches to stop advanced malware. The reality remains that sophisticated attackers can and will penetrate your defenses, regardless of how many shiny objects you buy to stop them. That doesn’t mean you should use 5-year-old technology to check the compliance box, but that’s another story for another day.
Of course, kidding aside, there will be some innovative technologies in play to deal with this malware stuff. The ability to leverage cloud-based sandboxes that block malware on the network, advanced endpoint agents that look an awful lot like HIPS that works better, and threat intelligence services to learn who else got pwned and by what, are poised to improve detection. Of course these new tools aren’t a panacea, but they aren’t the flaming pile of uselessness that traditional AV has become.
Many of the emerging products and services are quite young, so there won’t be much substantiation beyond outrageous claims about blocking this attack or that attack. So leave your checkbook at home but spend some time learning about the different approaches to stopping advanced malware. This will be an area of great interest to everyone through 2013.
BYOD Is No BS
We may not all be Anonymous, but we are certainly all consumers. It seems a little fruit company in Cupertino sparked the imaginations of technology users everywhere, so now the rest of us have to put out the fire. Technology used to be something you used at work, but now it is embedded into the fabric of our daily lives. So we shouldn’t be surprised as the workforce continually demands work tools that keep up with the things the kids are playing with in the back seat.
While consumerization of IT is the trend of people bringing consumer-class devices and services into the workplace, BYOD encompasses the policies, processes, and technologies to safely enable this usage. In the past year we have moved beyond the hype stage, and we see more and more companies either developing or implementing their BYOD and general consumerization strategies. This trend won’t go away, you can’t stop it, and if you think you can block it you will get to find a new job. Even the government and financial services companies are starting to crack and take hard looks at supporting consumer devices and services.
On the device side we see the core as Mobile Device Management, but MDM is merely the hook to enable all the other interesting technologies and controls. The constantly changing nature of BYOD and varied enterprise cultures will likely keep the market from ever maturing around a small set of options. We will see a huge range of options, from the mostly-mature MDM, to network access gateways (the rebirth of NAC), to containerized apps and security wrappers, to new approaches to encryption and DRM. And each of them is right… for someone. There is no silver bullet, but wandering the show floor is a great opportunity to see all the different approaches in one place and think about where they fit into your strategy and culture. Are you lockdown artists? Free-loving tech hippies? Odds are you can find the pieces to meet your requirements, but it definitely isn’t all completely there yet, regardless of what the sales droids say.
The main thing to focus on is whether the approach is really designed for BYOD, or whether it’s just marketed as BYOD. There is a huge difference, and a fair number of vendors haven’t yet adjusted their products to this new reality beyond cosmetic changes. Think hard about which controls and deployment models will fit your corporate culture and, especially, workflows. Don’t look at approaches that take these wonderful consumer experiences and suck the life out of them, reverting to the crappy corporate tech you know you hate yourself. Yes, there will be a lot of hype, but this is a situation where we see more demand than supply at this point.
Viva la revolucion!
Security Big Data
In the past two years at RSA we have heard a lot about risk management and risk reduction, which basically mean efficiently deploying security to focus on threats you face – rather than hypothetical threat scenarios or buying more protection than you need. This year’s risk management will be security analytics. Analytics is about risk identification, but the idea is that big data clusters mine the sea of security event data and for actionable intelligence. We will have real data so we will understand our risks, make better security decisions, and make them faster than ever. Great idea, right? Yes and no.
The idea is sound. We collect a massive amount of security-relevant data every day – from servers, network devices, mobile devices, applications, and so on. And we have been behind on the analysis curve as the amount of data has grown faster than our ability to do useful stuff with it. Clearly there is useful information within the data we collect, and so far we have done a poor job of mining it. So wringing out information from the sea of data is both possible and useful. The question is how.
Big data technologies can be utilized to find security event data and then analyze it. But today it’s a pretty messy proposition; neither the integration layer nor data analysis capabilities are fleshed out. The queries – think MapReduce data analysis – are hypothetical and still require you to know what you’re looking for. If you want this capability it’s something you need to write. Since you probably don’t have someone on your team who is fluent with both security and writing big data queries, you will look to vendors and service providers to do this for you. Which is a problem because they don’t have any more answers on this than you do. Moreover, it’s not likely an off-the-shelf product could fully meet your needs, regardless. As if that weren’t enough, most companies don’t have the big data engine hooked into their event streams. The integration of SIEM/Log Management and Big Data is just now being deployed, but each vendor does so in a slightly different way. It works with a bunch of duct tape, bailing wire, and consultants. But it’s hardly mature.
But that doesn’t mean we won’t hear a lot about how Security Big Data will change everything at RSA. We will. We’ll hear all about how these new shiny objects will address issues of event data volume/velocity, scale, multi-type data and alternative query techniques to provide better analysis. Security big data analytics has the capability to address the problems with SIEM and real promise for the future, but for at this year’s show, keep your expectations in check.
Watchlist: In Soviet Russia, Things Internet You!
Most of the time we talk about what you will see on the show floor, but this entry is all about what you won’t see… unless you really look. Hard.
As you meander the floor check out the wrists and belts of your colleagues. Odds are more than a few will be wearing fitness tracking gizmos or other toys. Check out the display areas – how many have smart TVs? Embedded devices? Cars with Internet connectivity? (Yes, some idiot vendors give away cars). How many security cameras with embedded web servers? Everywhere you look you will see small devices connected to the Internet that move in and out of home, work, public, and private with nary a thought given to them.
We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This won’t be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees won’t even think about bringing everywhere. Most of these won’t have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem.
We are keeping an eye on this space, on the potential risks, benefits, and security controls. It isn’t something to pay too much attention to yet, but one of these years we fully expect it to move to the forefront. Just think of the Internet of Things as SCADA security, except you don’t actually realize precisely when you became a hybrid waste treatment plant/solar-electric provider.
The Anti-Theme: Security Programs
As most of our faithful readers know, process centricity drives most everything we do. Most of the time it feels like we are talking to ourselves. But clearly the lack of structured and sustainable security programs continues to adversely impact the ability of organizations to protect themselves. We fear far too many folks will walk the RSA floor continuing to search for the silver bullet, without having the process foundation to actually do anything.
Even though you should, you won’t see many companies at the show evangelizing the need to have a process in place before you buy technology. That’s not good for business when a company sells widgets. But the best favor you can do yourself is to look at all the shiny objects and clearly understand how any new technologies or controls fit into your program.
As we have in the past, we’ll dig into each of our key areas in separate posts over the next week. That means breakout sections on networks, applications, data, endpoints, identity, cloud security, and security management. Then we’ll be good citizens and assemble everything into a nice package with booth numbers and other niceties for the show, which you will be able to carry around on your iPad or smartphone. Yay!
And don’t forget to register for the Disaster Recovery Breakfast if you’ll be at the show on Thursday morning. Where else can you kick your hangover, start a new one, and talk shop with good folks in a hype-free zone? Nowhere, so make sure you join us…