Warning: this will be harsh and a bit curmudgeonly, but I am not yet old enough to be a real curmudgeon – I am not even sure I want to be one when I grow up…
My overall reflections from RSA 2016:
- A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream. They can only be utilized by people with large, experienced teams that already operate a lot of security products, even if the vendor is subtly inclined to make the opposite impression. This is fine, of course, but where does it leave the rest of the organizations? In the “firewalls + SSL [+ AV]” world?
- Very, very few of the vendors seem bothered to ask “Does this shit work and is it cost effective?!!”, especially compared to all the other stuff you can buy. This is especially true for technologies utilizing threat intelligence (is this good intel? is this relevant to my organization? can I act on it?) and security analytics (does this detect the threats that I face? what tuning requirements are there? will it continue to work as threats change?)
- In fact, the expo reminded me of the awesome paper “Market for silver bullets” [that you should all go read now!] and this quote “You’re proposing to build a box with a light on top of it. The light is supposed to go off when you carry the box into a room that has a Unicorn in it. How do you show that it works?”
- Also, I’ve seen a looooooooooooong list of vendors that are a feature – an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature…
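To make the point about “TI-to-log matching is a feature” (and about the “is this intel good / relevant / actionable?” questions above) concrete, here is a small added example of such an engine. It is not code from the original post or from any vendor; the indicators, log lines, confidence values and age thresholds are all constructed for illustration, and the documentation addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and the reserved `.example` domain are used so nothing real is named.

```python
# Added example (not from the original post): a minimal "match threat intel
# to proxy logs" engine. The whole "product" fits in a few functions, which is
# why a SIEM can do it as one feature. The interesting part is not the lookup
# but the filtering: stale or low-confidence indicators are the main source of
# noise when intel is matched blindly. All data below is constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str        # IP address or domain name
    kind: str         # "ip" or "domain"
    confidence: int   # 0-100, as supplied by the (hypothetical) feed
    last_seen: date   # when the feed last observed the indicator


# Constructed indicator feed (hypothetical values).
INDICATORS = [
    Indicator("203.0.113.7", "ip", 90, date(2016, 2, 20)),       # fresh, high confidence
    Indicator("198.51.100.9", "ip", 40, date(2015, 6, 1)),       # stale and low confidence
    Indicator("bad.example", "domain", 85, date(2016, 2, 25)),   # fresh, high confidence
]

# Constructed proxy log lines: "<date> <src_ip> <dst_host> <dst_ip> <status>"
PROXY_LOGS = [
    "2016-03-01 10.0.0.5 bad.example 203.0.113.7 200",
    "2016-03-01 10.0.0.6 www.example.com 192.0.2.10 200",
    "2016-03-01 10.0.0.7 cdn.example.net 198.51.100.9 200",
]


def usable(ind, today, min_confidence=60, max_age_days=30):
    """Answer 'is this intel worth acting on?' for one indicator.

    Anything below the confidence floor, or not seen by the feed within the
    age window, is dropped before matching so it cannot generate alerts.
    """
    age_days = (today - ind.last_seen).days
    return ind.confidence >= min_confidence and age_days <= max_age_days


def build_index(indicators, today, **policy):
    """Index only the usable indicators by their raw value for O(1) lookup."""
    return {ind.value: ind for ind in indicators if usable(ind, today, **policy)}


def match_logs(log_lines, indicators, today, **policy):
    """Return (source_ip, indicator_value, kind, confidence) for every log line
    whose destination host or destination IP is a usable indicator.

    Domain matching here is exact; matching subdomains of an indicator would
    be the next obvious refinement and is left out to keep the example short.
    """
    index = build_index(indicators, today, **policy)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip rather than crash the whole run
        _, src_ip, dst_host, dst_ip, _ = fields
        for token in (dst_host, dst_ip):
            ind = index.get(token)
            if ind is not None:
                hits.append((src_ip, ind.value, ind.kind, ind.confidence))
    return hits


if __name__ == "__main__":
    today = date(2016, 3, 1)
    print("strict policy:", match_logs(PROXY_LOGS, INDICATORS, today))
    # Turning the filters off shows how much extra (and dubious) output a
    # "match everything" approach produces.
    print("no filtering:", match_logs(PROXY_LOGS, INDICATORS, today,
                                      min_confidence=0, max_age_days=10_000))
```

With the default policy the stale, low-confidence `198.51.100.9` entry never reaches the index, so only the first log line produces hits (one for the domain, one for the IP). Whether those two hits are actionable is still the analyst's problem; the engine only answers the “is this relevant and fresh?” part of the question.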
- The trend I mention in my “RSA 2015: Rise of Chaos!!” continues in force, and so I have seen a lot of products that, seemingly at random, mix features from different categories. The result, IMHO, is a product that makes a tiny number of people very happy for a short period of time, but does not fit in most reasonably designed security architectures.
- All in all, the expo exuded the vile vibe of “It is about taking money from people and giving them buzzwords.” While many old professional cynicists will opine that RSA has always been about that, I beg to disagree. The amount of money flowing to “cyber” does make a difference.
Some keywords and themes I picked in the vendor expo (admittedly related to my areas of coverage/interest):
- Threat detection – likely a manifestation of the “new” trend to do more detection. BTW, if you only use threat intelligence for advanced threat detection, you are very likely to be very, very late….
- Isolation – for malware and risky browsing. When I see isolation, BTW, I always ask: who/how makes a call on “what to let thru the isolation boundary?” I suggest you ask that as well….
- Some IoT security finally showed up. It is of course early, so I expect we will see more.
- Deception was much more visible this year; I really yearned for more deception in my past RSA blogs, but now it has finally appeared. Will this again be a short-lived fad? We’ll see.
- More network traffic analysis (NTA) products somehow appeared. Some of them seem to plan to start from traffic (since it is easier to collect and process than all those logs) and then expand to being “a SIEM killer.” I wish them all luck, but frankly most SIEM vendors are NOT stupid [well, some are, but most IMHO are not]
- Almost no compliance, in fact, I think I’ve seen somebody sleeping in an IT GRC vendor booth 🙂
Some additional reflections on stupidity and greed:
- I’ve asked some personnel in vendor booths the question “who do you compete with?” and they told me “we don’t know, because we are small / just starting / unique” … and this is depressing. And, no, I didn’t ask a booth babe [there weren’t any to ask] or a sales droid…
- Some of the booths projected a very strong impression of “we have the buzzwords and our goal is to take your money.” Nothing else – neither the booth nor the people therein had any knowledge of either the problems they solve or the methods they use to solve the problems. Dear end users! Don’t buy this shit!
Finally, additional reflections on my own presentation and panel:
- My “Demystifying Security Analytics” [slides PDF] presentation was a raging success, a huge room was completely full and I had a lot of intelligent questions asked at the end. Definitely, the timing was perfect! Later, some of the audience members reported that they used my “demystifying framework” to parse what the vendors had in their booths….
- The panel we did on endpoint security was good too, as far as panels go. One theme that emerged was the “silent failure of prevention.” Think about it! You may have the best preventative controls money can buy, but how would you know when they fail? These controls tend to “fail silently” by letting the threat pass. Detection is a must to know when it happens [and, thanks for the reminder, I know it is not new, but this message is somehow missed by lots of people…]
There you have it! All in all, RSA was great fun – as always!