Warning: this will be harsh and a bit curmudgeonly, but I am not yet old enough to be a real curmudgeon – I am not even sure I want to be one when I grow up…
My overall reflections from RSA 2016:
- A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream. They can only be utilized by people with large, experienced teams that already operate a lot of security products, even if the vendor is subtly inclined to make the opposite impression. This is fine, of course, but where does it leave the rest of the organizations? In “firewalls + SSL [+ AV]” world?
- Very, very few of the vendors seem to be bothered to think of “Does this shit work and is it cost-effective?!!”, especially compared to all the other stuff you can buy. This is especially true for technologies utilizing threat intelligence (is this good intel? is this relevant to my organization? can I act on it?) and security analytics (does this detect the threats that I face? what tuning requirements are there? will it continue to work as threats change?).
- In fact, the expo reminded me of the awesome paper “Market for silver bullets” [that you should all go read now!] and this quote “You’re proposing to build a box with a light on top of it. The light is supposed to go off when you carry the box into a room that has a Unicorn in it. How do you show that it works?”
- Also, I’ve seen a looooooooooooong list of vendors that are a feature – an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature…
- The trend I mention in my “RSA 2015: Rise of Chaos!!” continues in force, and so I have seen a lot of products that, seemingly at random, mix features from different categories. The result, IMHO, is a product that makes a tiny number of people very happy for a short period of time, but does not fit in most reasonably designed security architectures.
- All in all, the expo exuded the vile vibe of “It is about taking money from people and giving them buzzwords.” While many old professional cynicists will opine that RSA has always been about that, I beg to disagree. The amount of money flowing to “cyber” does make a difference.
Some keywords and themes I picked in the vendor expo (admittedly related to my areas of coverage/interest):
- Threat detection – likely a manifestation of the “new” trend to do more detection. BTW, if you only use threat intelligence for advanced threat detection, you are very likely to be very, very late….
- Isolation – for malware and risky browsing. When I see isolation, BTW, I always ask: who/how makes a call on “what to let thru the isolation boundary?” I suggest you ask that as well….
- Some IoT security finally showed up. It is of course early, so I expect we will see more.
- Deception was much more visible this year; I really yearned for more deception in my past RSA blogs, but now it has finally appeared. Will this again be a short-living fad? We’ll see.
- More network traffic analysis (NTA) products somehow appeared. Some of them seem to plan to start from traffic (since it is easier to collect and process than all those logs) and then expand to being “a SIEM killer.” I wish them all luck, but frankly most SIEM vendors are NOT stupid [well, some are, but most IMHO are not].
- Almost no compliance, in fact, I think I’ve seen somebody sleeping in an IT GRC vendor booth 🙂
Some additional reflections on stupidity and greed:
- I’ve asked some personnel in vendor booths the question “who do you compete with?” and they told me “we don’t know, because we are small / just starting / unique” … and this is depressing. And, no, I didn’t ask a booth babe [there weren’t any to ask] or a sales droid…
- Some of the booths projected a very strong impression of “we have the buzzwords and our goal is to take your money.” Nothing else – neither the booth nor the people therein had any knowledge of either the problems they solve or the methods they use to solve the problems. Dear end users! Don’t buy this shit!
Finally, additional reflections on my own presentation and panel:
- My “Demystifying Security Analytics” [slides PDF] presentation was a raging success, a huge room was completely full and I had a lot of intelligent questions asked at the end. Definitely, the timing was perfect! Later, some of the audience members reported that they used my “demystifying framework” to parse what the vendors had in their booths….
- The panel we did on endpoint security was good too, as far as panels go. One theme that emerged was the “silent failure of prevention.” Think about it! You may have the best preventative controls money can buy, but how would you know when they fail? These controls tend to “fail silently” by letting the threat pass. Detection is a must to know when it happens [and, thanks for the reminder, I know it is not new, but this message is somehow missed by lots of people…].
There you have it! All in all, RSA was great fun – as always!
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Ha. I appreciate the “booth babe” comment :-). You didn’t come to my government encryption back door panel. You missed a gem of the conference.
Frankly, this sounds like an overly politicized topic, not a gem 🙁
BTW, we shouldn’t kid ourselves – RSA is not a place for discovering new ideas. It’s an industry meeting place, and for that purpose, it does its job exceedingly well.
Well, actually it is a place for discovering ideas that are NEWLY POPULAR with vendors. It works well for that!
I didn’t get a chance to get into too many detailed discussions at other booths, but from what I saw I walked away feeling like I had just visited a small-town carnival. The barkers trying to entice you to their booth (but had no in-depth knowledge of what they do) and the gimmicks (angel wings on the staff’s backs – really?). Not enough true experts anchored to the booths so the now-better-dressed-hired-guns had somebody to direct you to when you wanted more than the tchotchke of the day.
“the barkers” …. indeed, this is how some of the vendors sounded 🙂
I found the badge scanners particularly annoying this year. Several even communicated that they had daily quotas for scanning categories of vendors, press, and actual leads.
When your product marketing strategy is boiled down to “how many scans can the drones do in a day” it leaves a bad taste in my mouth.
I agree completely with your assessment of the Expo floor: Continued RISE of chaos, disconnect between Risk and Intelligence.
And my experience with sessions was a marked improvement of content/presentations and interactions. I came away with both learning and inspiration: DevSecOps and Quantum’s Coming (to the tune of Eli’s a coming…)
And I will be going back next year 🙂
Actually, very true — this year their session selection process has clearly improved. There was some good and even great content delivered.
Fully agree with your “vendors as a feature” comment as well as your “market for silver bullets” one. Maybe they really are closely related! As in my feature X is a silver bullet for popular attack technique Y. But what happens when the attacker shifts techniques? Apparently buy a new feature/silver bullet? How about having a monitoring system that collects many types of data, supports multiple detective analytic approaches and also serves as an investigation & response platform? Much easier to shift with the attackers then to buy another silver bullet!
Matthew, thanks for the comment. I do expect to see tactical “feature vendors” but not at THAT volume and not THAT narrow 🙁
Really, really, ‘really’ not trying to throw any ‘vendor salesman’ vibes out there, but IMHO http://www.endgame.com seemed to show some promise of remediation from the “silver bullet” approach with a seemingly multi-faceted platform, also kind of focusing on overall threat-hunting (ref: http://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785)
I was also disappointed with the inability of several vendors to clearly articulate how they solve specific problems I asked about. Vendors need to better understand the everyday customer problems they solve, the competitive landscape, and their relevant differentiators. Buyers are getting more discerning. Failing that, “I don’t know, let me get someone who can help you” is always a better choice than trying to fake it.
Well, this clearly points at a high value of “several” 🙂 I was shocked this year at the lack of understanding of real end user org security operation practices.
My experience tells me that there isn’t a vendor with a booth on or a sponsored talk at RSAC that won’t meet with you at your business, on your terms, according to your schedule to show off their product and answer your questions. I can’t find the value prop in the RSAC expo floor any longer.
Well, some of the vendors AT RSA essentially were not ready to discuss “your business, on your terms”, but instead wanted to discuss their buzzwords, on their terms 🙁
This is interesting to see over the years – I’m surprised 2016 didn’t have a lot more “Threat Hunting” and “Hunt” buzzwords that goes with the endpoint/agent-based security and “the bad-guys are already in your network” theme… Some vendors talk the talk, but even fewer walk the walk. Thanks Anton, keep up the blogging!
Well, there was more hunting this year [e.g. see this data set http://zhen.org/blog/2016-analyzing-security-trends-using-rsa-exhibitor-descriptions/], but I am happy it was not all over the place since it would essentially be deceptive to imply that “everybody can do it.” I treat threat hunting as a quintessential 1%-er activity that is VERY hard to extend down to more normal organizations…
Refreshing to hear this line of thinking. I spoke with a few security leaders in large organizations and asked, do you really suffer serious or APT style attacks? Are your adversaries that advanced? Do you need these advanced solutions? The answer was no. No, it wasn’t no because they didn’t know, it was no because they just don’t have that type of activity. Lots of neat stuff at RSA, but as far as needed, very little. Honeypot 2.0, cool, I always liked honeypot (nee deception) technology. Needed??? Focus on the cyber staples/due diligence/best practice/industry requirements, then focus on where your risk is and attack that with the latest cyber tech, if it requires tech to solve. Most organizations need good people more than tech. Funny, I didn’t see huge crowds around the staffing booths.
That MAY be true and I agree with your logic. However, some only discovered they HAD APT inside after a more modern tool was deployed…..
And of course, great people with OK tech BEAT HANDS DOWN sub-mediocre people with best tech [at least for now, in the “pre-AI age”]
You make the comment that vendors don’t bother to think “does this SHIT work”. Does any of it work?
Yes, SOME of this works SOME of the time in SOME of the circumstances!
I can answer unqualifiedly that none of it works. I have been participating on Cyber Security Working Groups since the Smart Grid project began, moved to the DHS-sponsored Integrated Task Force for the Cyber Security Framework and am currently participating on NIST’s CPS or Cyber Physical Systems WG. The results are that no Real Solutions are produced, only Standards which are like Legislation = NO Cyber Protection is created.
The problem is we are engaged in Trench Warfare from the outside looking in. We can watch the attackers as they enter, but can not provide protection within the Trench. The solution is to use Micro-Virtualization (NOT VMWare) to guard endpoints and set up protection within the endpoints so that hackers can be monitored in Real Time in the Trenches. This technology exists today and can reduce costs by 50% to 60% by combining products on a single secure platform. This allows Real Time Continuous Monitoring and Automation, making most of the current “point solution” vendor products obsolete.
Does this have any implications for Gartner’s Magic Quadrant?
Well, frankly, if “none of it works”, then clearly micro-virtualization also does not work 🙂
We do look at so-called isolation approaches and so far have not found them to be “the final word” in security. Happy to hear more details about your approach, of course.
The VM technology is used to create a secure Platform. It is based upon Micro-Virtualization, Secure Hypervisor, User resources below the Hypervisor and not readily accessible to hackers. This provides a platform which encloses the OS (Windows, Linux etc.) and is default-deny. That means that every execution needs permission, so that if a PDF comes in with Malware attached, only one execution is allowed – opening the PDF. Anything else is discarded with the VM and a new VM is opened for the next execution. The net result is that all activity within the computer can be “logged” in Real Time and suspected Malware can be moved, similar to sandboxing, to an area for live inspection.
I know the company had conversations with several vendors that just exhibited at RSA and have made plans to meet with them. I will keep you posted.
Happy to be briefed on this via http://www.gartner.com/technology/about/vendor_briefings.jsp
Your RSA session slide deck on the return of the endpoint seems to be incomplete. It has a total of two slides in it when I access it on the website. I found the link through this blog post and was looking forward to seeing the total presentation. Any way to access that?
That was a panel — no slides were presented.