RSA 2015: Rise of Chaos!!

Here is my traditional RSA (#RSAC) reflection post for RSA 2015 Conference – all my personal opinions/impressions/thoughts, of course.

• Keyword of the year: ADVANCED. Nearly every booth had something advanced – analytics, malware, system, attacks, algorithms, threats. So, 2015 – the Year of Advanced Security Something?
• Other common themes: I’ve noticed visibility, focus on the endpoint, “the attacker will get in” theme, etc
• Surprise of the year: fuzzy product category boundaries – and getting much fuzzier still [more on this below]

The “advanced” theme made me realize that there is now “malware” (1), “advanced malware” (2), and “no, really, this is seriously advanced advanced malware” (3). Stopping malware is easy (=just run AV), stopping advanced malware is …ahem… also easy (=just run sandboxing/whatever), but the real challenge is this last category of “no, really, this is seriously advanced advanced malware” …

Things I did expect to see – but didn’t see a lot of:

• Deception – yeah, there was a vendor or two that I know uses/focuses on deception and honeypots, but it was not in your face at all.
• IoT / OT security – I was coming to RSA this year with fear in my heart that it will be the year IoT security hype emerged – and it hasn’t [yet].
• Compliance – I am sorry guys, but RSA this year made me think that “compliance is dead” [in the hype/theme/meme sense, regulations of course remain]; the number of security vendors that that flat out don’t care about compliance is pretty amazing; moreover, compliance used to be a DRIVER, but now it is often a SILLY PUT-DOWN (“ah, that vendor technology? heh, its just for compliance….”)
• Security for DevOps – this one is probably easy to explain since this is not about box sales, but about processes and people.

Also, mobile security / mobility was no longer an overwhelming presence; definitely there but not everywhere. There was, it seems, more CASB (for “bolt-on” cloud security – because don’t we all love bolt-on security?!), more IR (that made me happy!), more traffic capture / network forensics, etc.

Things I really didn’t expect to see – and they really were not there:

• Insider threat – seriously, nobody cares; there was a tiny bit of that mentioned by some authentication vendors, but who goes to those booths, really? 🙂

Now, let’s get back to my surprise of the year – fuzzy product categories.

Musings on Fuzzy Product Categories

In the past at RSA, you easily noticed that there were “SIEM vendors”, “DLP vendors”, “TI providers”, “anti-virus vendors”, etc. There were also larger vendors that sold product of several categories. But at least there WERE categories. My experience at RSA 2015 show floor really ruined this world view!

First I thought that it was about marketing (like a booth that says “security intelligence” really just sells SIEM or a booth that says “breach prevention” and really just sells …eh… eh… dumb marketing?), but deeper conversations with many vendors – big and small – lead me to believe that the product category walls in security are becoming very fuzzy indeed. “DLP that may also catch malware”, “an agent that can stop risky user action, and also collect forensics data”, “a network forensics tool that also does some malware analysis”, “a SIEM that collects packets and TI”, “an analytic tool that detects lateral movements and excessive account privileges”, etc, etc.

So, what is going on here? Presumably the markets should settle to more firm product category boundaries … but maybe changes in threat landscape prevent that? Is security truly as unique as some say – a set of markets that will never mature? (in another space, it would be considered market devolution, not maturation). Thus, will we eternally live in The Long Tail World, where the choices are plentiful and rapidly changing – but few people use each choice? How do you do security architecture in such a world? After all, “place a firewall here, a NIDS over there” 1990s thinking likely won’t work when there is a dozen types of network threat detection products, with a lot of overlap in features and unknown (sometimes unknowable!) effectiveness in their detection approaches.

Why is this happening? One explanation is that vendors “go broad” and try to take over some adjacent niches – sometimes at the cost of losing their excellence in the core market. So, is this innovation or confusion? Or, maybe vendors decided that sporks and foons sell better than spoons and forks? But while sporks may solve a real problem (less weight to carry on a hike? less utensil types to stock?), most people use spoons and forks on a daily basis (spork is a mediocre spoon and a worse fork, IMHO). Another reason maybe that there is a lot of VC money in infosec / cyber today and any type of a hybrid product have a right – and money!- to exist, however narrow its niche? Or maybe vendor flee what some see as discredited categories, like SIEM and DLP, and make up funky new ones to appear new and innovative?

Thus, if I am even close to being correct in this assessment, we will live in a very, very different world of “cyber.” A fun world – but a risky one, with A LOT more uncertainty! So, go ahead, let’s discuss!

P.S. Does it make you want to be an analyst? You can!

Select older RSA-related posts (if you are into history):

• RSA 2013 and Endpoint Agent Re-Emergence
• RSA 2011 Conference Notes
• RSA 2010 – Day 4-5
• RSA 2009 Impressions, Part IV or The Rest of RSA 2009
• RSA 2008 Summary and Reflections
• Oh, RSA 2007
• Final notes on RSA 2006 show