RSA Conference 2022 Recap
At the annual RSA Conference, which took place in San Francisco this year, cybersecurity professionals from around the world gathered to discuss the current and future cyber threat landscape and innovative ideas and solutions about how to approach this rapidly changing environment. Below, WWT's security experts reflect on key takeaways and the insights they gained about critical cybersecurity issues.
Todd Hathaway, executive security advisor
As I reflect on the last four days in San Francisco, it's never been a better time to be in the cybersecurity industry. The city was buzzing again, and it was so exciting to see so many peers and industry veterans back together in person once again. Having spent 20+ years working for product manufacturers in cybersecurity and network solutions, this was the first time since 2003 that I was able to attend with the objective of looking at the entire industry. Here are my four top impressions from RSAC 2022:
1. Extended detection and response (XDR) was everywhere, including on sidewalks, Uber cars and even in the store windows. I'm not an endpoint guy, but any security professional walking the streets of San Francisco became very familiar with the message of XDR. The marketing teams at CrowdStrike, Cybereason and Deep Instinct really hit a home run with the messaging creativity. Customers are looking for more than traditional endpoint detection and response (EDR); they want to do more than simply detect and respond to endpoint threats. They want to extend the reach to all workloads and correlate information between all workloads anywhere they are deployed.
2. Platform consolidation is the executive mandate. Conversations with chief information security officers (CISOs) and security leaders revealed a common theme: Do more with fewer new tools and expand the platforms you already have. However, if you walked the vendor expo, this may seem like a major contradiction; the number of new technology options was enormous. My key takeaway was to expect major consolidation in the industry in the coming months.
3. Identity is key, but passwords must die very soon. Identity awareness and context around user behavior has evolved to be part of almost every security solution, yet we continue to protect our identities with just a password. The idea of a computer password started in 1960 at MIT to help individuals keep their files private on a shared mainframe. Yet, these same users had to be physically identified and granted access to the room in which they accessed the mainframe before the password was even able to be used.
Fast forward 62 years, and it boggles the mind to hear the alarming statistics around how few enterprises have adopted multi-factor authentication (MFA). Yet over 60 percent of all breaches continue to be tied to stolen passwords. The good news for all is that MFA has evolved beyond the nuisance of a password plus another one-time password. The idea of using your smartphone as a smartcard authenticated with facial recognition is now reality. And it makes the user experience better while eliminating the phishable factors of traditional MFA.
My hope here is that those organizations that have failed to move to MFA will now see the benefits of passwordless technology for user experience and quickly end the cycles of password breaches leading to cyber losses.
4. Buyer beware: Not all "API security" vendors are created equal. I personally believe that the term "API security" may be the most overused term of 2022 by those selling security software, yet I am glad to see visibility into the problem. But buyer beware, not all solutions are created equal. If you spent much time in the expo hall, you might have found a well-known 2021 anti-bot company that has suddenly gone out of order to re-invent themselves as solely an API protection company. Yet, when you talk to them in depth about API security, they can't show how their solution stops a BOLA (broken object level authorization) attack. I also saw traditional web application firewall (WAF) vendors claiming API security en masse, yet the technology simply lacks the full context of the API traffic flows to be able to differentiate normal API traffic from a business logic attack. I noticed traditional application security scanning vendors hyping their API security, but the demos made it obvious that their marketing team may have simply done a find "APP" or "Application" and replace with "API."
In my mind, three API security companies really stand apart from the rest of the field. One is brand-new and was recognized as one of 10 finalists for the RSA Innovation Sandbox award. They understand the need for shift left and business logic abuse, but they have brought XDR and threat hunting techniques into a robust security solution, and now the first managed API security offering.
Another is what most consider the first entrant into the market, and if you ask nicely, they might include some pepper. They are doing great things for the industry with their research and patented approach to collective intelligence using a central artificial intelligence/machine learning (AI/ML) data lake to build new protection for all customers based on new attacks seen in the wild.
And then there is that nameless vendor that is doing really cool things to bring API testing to the shift left conversation, while also being very good at giving cloud-fearing holdouts the best option to secure APIs on-premises.
I believe these are the three that should be on the shortlist for all organizations.
I encourage you to run to the API security fire but be careful as you select your defenses. The market is really hot, but you do not want to get burned picking a WAF or bot mitigation solution that can't protect your data when what looks like a perfectly legitimate and authorized user begins stealing data or moving the money.
In conclusion, what a great week it was to reconnect and study an industry I am passionate about. There are so many emerging trends in our space that are critical to protecting our data and privacy. As we see companies that once were anti-cloud get crippled by hardware shortages, the race to the cloud has begun and the race to understand cloud security is on. Just remember to simplify your choices. If your organization is going multicloud, picking different security solutions in each cloud provider is going to make your architecture more complicated to protect.
Lamar Hawkins, executive security advisor
As so appropriately titled, the theme of the RSA 2022 conference was TRANSFORM.
Being that it is a cybersecurity/technology conference, the first assumption would perhaps be that the theme of transform would apply to the use of information technology tools, applications, controls and services to transform the world around us, to fix existing problems or to protect ourselves from potential problems that may be levied against us.
However, after attending several of the seminars and symposiums, it became quite apparent that the transform theme was more or less in relation to the human element as opposed to the technological one. The focus was on how technology has transformed our lives, but also how we need to transform our thinking in order to better interface and integrate with a technological world that has the potential both to help and to harm us.
As an example, a recurrent theme in many of the seminars was that privacy is the new security. Considering the amount of data that we willingly and unwittingly share, dossiers of personal data are continuously gathered and shared from various sources for various reasons, potentially exposing more personal information about us than we share with our closest loved ones.
One seminar covered how autonomous vehicles and drones collect one terabyte of data per day, per vehicle, inclusive of geo-location information, phone IP addresses, other phones in proximity to your phone, and various biometric data (i.e., audio, video, facial recognition, thermal/infrared scans, body temperature, etc.). Just using our credit cards – whether in person or CNP (card not present) – offers tons of information regarding our personal habits: what we eat, what we wear, where we go and what we do for personal entertainment, our political and/or religious affiliations (or lack thereof), and even the types of personal hygiene items we've purchased. And we haven't even discussed the types and amount of data captured by way of our social media presence and internet usage.
As a result, the ubiquity of this data requires us to transform our thinking in order to truly offer cyber resiliency, protection and other notable controls and infrastructures that were common topics at the conference (namely, cloud infrastructure, ransomware prevention, Zero Trust Network Access (ZTNA), data and identity protection, AppSec, discovery and observability, EDR/XDR, and IAM/MFA).
Perhaps the most interesting topic presented, however, was the rising threat of synthetic content known as deepfakes, a technology that leverages AI/ML and deep learning to quite literally transform the human element. As a means of deceiving the human element, deepfakes manipulate images, video, audio, and text. The presenters highlighted various deepfake software tools while even showing a Jordan Peele deepfake of President Obama that soon morphed the speaker into an extremely believable Donald Trump fake while giving a convincing short speech.
All of this is super cool (at least to me and my fellow nerds) with the exception of the new risks and threats that this technology potentially presents for the aforementioned domains, ransomware and IAM in particular. There have already been real-life use cases where attackers have launched phishing attacks with malware embedded in enticing deepfake videos of company leadership, as well as deepfake videos of people and businesses engaging in illicit behaviors with the intent of damaging their reputation unless the ransom is paid.
However – and most importantly – as alarming as these examples may sound, it all translates into opportunities for WWT to transform the cyber resiliency of our customers and clients by transforming our approach to the current and foreseeable problems on the threat landscape. We do this by strengthening our partnerships and thinking ahead while simplifying and/or decluttering client needs, which brings me to the connections.
The connections
Ironically – or perhaps not – the theme of transform was also pervasive during several of the partner meetings where the common line of thinking was to transform the delivery of cyber solutions by combining or consolidating forces to present a holistic, robust, and succinct platform that addresses many related or inter-related security controls and mechanisms into one solid offering.
For example, the Fortinet/SecurityScorecard integration allows for the expansion and deepening of end-to-end automatic threat detection, alerting and blocking into one neat package, while the CyberArk/Thales union provides a singular method of not only encrypting/protecting privileged identity secrets (i.e., account credentials, passwords, certificates, tokens, keys, etc.), but also encrypting and/or tokenizing the data that these accounts have access to.
In this trifecta of force, WWT serves as curators, thought leaders, facilitators, service providers and custodians of cyber resiliency by vetting the best-of-breed solutions for our clients as every vendor out there claims to be the golden unicorn with the silver bullet. Another theme that became apparent during the partner meetings was the desire for us – WWT and our partners – to champion and support each other during our interactions with our clients and customers. We brag about them, and they brag about us. We go to bat for them, and they go to bat for us.
So, in short, along with providing transformative solutions to address customer concerns and challenges, the theme was on the incumbency of us to transform our partnerships and product presentations and offerings to more streamlined approaches in order to simplify the customer's needs and experiences.
Chris Nicholson, cyber lead
Taxiing to RSA this year, I asked my driver where he was from. He told me he was Ukrainian and while his family was situated in a less volatile part of the country, he felt it was only a matter of time before the threat shifted. This was a stark and humbling reminder that the threat landscape is a moving target, and we should always be considering "what next" in our collective defense against adversaries.
A number of key themes resonated with me at RSAC 2022 (in addition to the obvious one which is the need for comfy shoes!): Getting the basics right, the need for simplicity and a need for appropriateness of security investment relative to the specifics of a threat.
In relation to this last point, I listened to a CISO describe the sheer volume of security measures he was offered when he moved into his new home: alarm, security lights, CCTV. When reviewing the highest threat in the area, he was told it came in the morning during the school run when parents were out, and criminals would ram the front door – something none of the protection mechanisms he was offered would counter! This analogy really resonated with me both in terms of the need to really consider the reason for investments and in terms of evaluating how any security investments will fit into a pre-existing ecosystem. As the target shifts, expect to see matters such as API security come to the fore.
If there is one area that has a need to focus on the basics it is observability. This huge segment of the security industry was in clear focus this week through the sheer demand businesses now clearly have. Everything including accelerated migration to the cloud, AIOps, application security, and orchestration and automation has a foundational requirement for good quality data. Organizations are starting to rue years of underinvestment in this space that is now leading to real challenges in the execution of key transformation programs. So, expect to see businesses pause and look to implement key observability solutions including scanning and discovery, application dependency mapping, telemetry aggregation and routing solutions to enable risk reduction and business enablement.
Lastly, and most prominently, was the focus on consolidation to fewer, platform-based partners that will allow organizations to simplify their security posture and achieve more cohesion across various control points. It will be interesting to see how the market reacts to this clear demand – build or buy, both of these have challenges and rigorous testing of these platforms will be critical.
Traci Sever, cybersecurity sales lead
The meeting of the cybersecurity minds at this year's RSA Conference could not have come at a better time. Who better to proactively plan defenses as we come out of an unprecedented three-year transformation and prepare for the uncertainties ahead?
A key priority that came out of these collaborations was born from the recognition that there will be an impending economic shift, and we must be strategic in laying out the best defenses while preserving capital. Across solution sets, we will see organizations consolidating defenses via a smaller number of key platforms, answering the challenge of a scant cyber workforce, reducing redundant costs and alleviating some of the strain of contract management.
While innovation still took center stage, a resonating message that we as an industry must take into account is to start looking past theory and the initial acquisition of new technology and to ensure successful adoption. This can take the form of greater investment in adoption resources and closer collaboration between customers and the siloed areas of their business, and vendors and services organizations throughout the solution lifecycle. Another element of successful adoption comes from the foundational hygiene of the security ecosystem. We believe we'll see a greater focus on topics such as observability and AIOps.