The RSA USA Conference was one of the first cybersecurity conferences I ever attended years ago. I still feel nostalgic walking through the innovation sandbox, attending keynotes delivered by the top thinkers in the industry, and listening to sessions covering every major topic.
Star Trek’s very own George Takei kicked this year’s event off in a grand opening and set the tone for RSA’s theme this year: The Human Element. As Mr. Takei eloquently pointed out, the Human Element allows for infinite diversity and infinite combinations.
While RSA has its own theme, I always try to judge what the industry theme is across cybersecurity by looking at the marketing pushes and research being discussed in sessions. I also focus on vendor messaging from OEMs to potential customers and prospects. In past years, the RSA themes have been extremely transparent, such as the shift from packet-based filtering to application controls or the shift from threat prevention to threat detection. We have also seen trends pointing toward the use of analytics, machine learning, and artificial intelligence.
The theme I took away this year was automation. It’s not surprising that this was a major push coming from vendors, as the focus of cybersecurity defense has once again shifted back toward the Security Operations Center (SOC). Attack volume and velocity continue to increase, creating constant challenges. Most SOC analysts and cybersecurity professionals have essentially become firefighters, triaging network and application availability, rather than spending time investigating threats and the attacks behind them.
Automation tools are becoming much more refined and elegant. They are starting to combine elements of continuous monitoring, compliance, privacy, and artificial intelligence to monitor and respond to specific situations.
Our organization, Fortinet, has taken the expertise of FortiGuard Labs and released a new AI-based security operations solution called FortiAI. As a research organization, we have many experts analyzing threats. Even with a team of hundreds of specialized analysts, the volume and velocity require automation to identify which of the millions of alerts we receive are actual threats, how they work, and what they are trying to exploit. Our FortiAI product is essentially a virtual security analyst doing some of the initial legwork for you, freeing up your time to narrow in and focus on more targeted and sophisticated attacks and threat vectors. You can get much more information on FortiAI on the Fortinet website:
I also saw another repeating theme in Awake Security’s Ava product, with the promise of cybersecurity tools being able to think on their own to make decisions and identify risk based on network analysis. 42Crunch and Cyber Armor were both demonstrating products that allow DevOps teams to take advantage of APIs, manage multi-cloud environments, and automate the deployment of workloads.
I enjoyed how some vendors are successfully developing specialty products, such as those designed to protect ICS environments and IoT devices. It was also good to see the push toward making deception-based honeypots much simpler and easier to deploy.
For the most part, there was no shortage of OEMs and vendors trying to solve the problems of automation and analysis by integrating AI/ML technologies into their products. Of course, I saw other themes as well, including ones focused on threat hunting, incident response, privacy, and cloud management – all from dozens and dozens of solution providers. A big thanks to the guys at CyberX who showed me a great demo.
Session topics are another significant indicator of what my peers are interested in from a research perspective, pointing to the tougher challenges they encounter in the world of threats.
I felt very privileged to have an opportunity to present at this year’s event, delivering my research around medical device vulnerabilities and healthcare attacks:
But what also caught my eye were the many topics on container-based technologies, such as Docker and Kubernetes. These tools are becoming extremely common because they let teams deliver IT projects much more quickly. Unlike traditional virtual machines or strict demarcation devices in the data center, where north/south traffic is easy to analyze, container-based solutions are much more likely to carry a lot of east/west traffic (traffic between containers that does not necessarily leave the host). The current set of solutions takes one of two approaches: a dedicated security container on the host that is closely tied into the kernel and other components of the container platform, or forcing traffic out of the container through a gateway or security device for analysis and then routing it back to the host. It appears that most people prefer the first option for efficiency and scalability.
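To make the north/south versus east/west distinction concrete, here is an added example (not code from the original post or from any vendor mentioned) that classifies host-level flow records by whether both endpoints sit inside an assumed container network CIDR, and reports the container-to-container traffic a perimeter-only sensor would never see. The CIDR and the flow records are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample: an assumed container network CIDR and a few flow
# records (src, dst, bytes) as a host-level sensor might export them.
CONTAINER_CIDR = ipaddress.ip_network("10.244.0.0/16")
SAMPLE_FLOWS = [
    ("10.244.1.5", "10.244.1.9", 120_000),   # container -> container (east/west)
    ("10.244.1.9", "10.244.2.3", 80_000),    # container -> container (east/west)
    ("10.244.1.5", "203.0.113.10", 15_000),  # container -> internet (north/south)
    ("198.51.100.7", "10.244.2.3", 9_000),   # internet -> container (north/south)
    ("10.244.2.3", "10.244.1.5", 64_000),    # reply traffic, still east/west
]

def classify_flow(src, dst, cidr=CONTAINER_CIDR):
    """Return 'east-west' when both endpoints live inside the container network,
    'north-south' when exactly one does, and 'external' when neither does."""
    inside = sum(ipaddress.ip_address(ip) in cidr for ip in (src, dst))
    return {2: "east-west", 1: "north-south"}.get(inside, "external")

def summarize(flows, cidr=CONTAINER_CIDR):
    """Aggregate bytes per direction class and list the east/west peer pairs
    that a sensor placed only at the perimeter (north/south) would not observe."""
    by_class = Counter()
    unseen_pairs = set()
    for src, dst, nbytes in flows:
        kind = classify_flow(src, dst, cidr)
        by_class[kind] += nbytes
        if kind == "east-west":
            unseen_pairs.add(tuple(sorted((src, dst))))
    total = sum(by_class.values()) or 1
    return {
        "bytes_by_class": dict(by_class),
        "east_west_share": by_class["east-west"] / total,
        "pairs_invisible_to_perimeter": sorted(unseen_pairs),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print(f"east/west share of bytes: {report['east_west_share']:.0%}")
    for a, b in report["pairs_invisible_to_perimeter"]:
        print(f"  {a} <-> {b} not visible to a north/south-only sensor")
```

Feed it real flow exports from a host agent or CNI plugin and the east/west share tells you how much traffic a gateway-only design would have to divert, which is the efficiency trade-off the two approaches above make differently.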
I will finish up by saying I was more than pleased to see that most people have started discussing threats within the context of the Mitre ATT&CK framework. The framework makes it easier to have a common language when speaking with other researchers, especially around threat and adversarial techniques. I have personally started using it when I work with Blue Teams (defenders). I often choose specific techniques to attack specific targets to determine if the SOC or Blue Team defenders can detect the specifics of an attack or technique. Richard Struse and Freddy Dezeure (@FDezeure) gave an excellent talk on how to operationalize the Mitre ATT&CK framework. A copy of their presentation can be found here:
It’s always great to see my many friends, connect with people, and learn about new technologies at cybersecurity conferences. I am sure there are hundreds of items I missed in the short time I had available to look around. Feel free to reach out to me on Twitter (@aamirlakhani) if you would like to continue this conversation.