RSA 2016: Musings and Contemplations

By Anton Chuvakin | March 08, 2016 | 28 Comments

Warning: this will be harsh and a bit curmudgeonly, but I am not yet old enough to be a real curmudgeon – I am not even sure I want to be one when I grow up…

My overall reflections from RSA 2016:

  • A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream. They can only be utilized by people with large, experienced teams that already operate a lot of security products, even if the vendor is subtly inclined to make the opposite impression. This is fine, of course, but where does it leave the rest of the organizations? In a “firewalls + SSL [+ AV]” world?
  • Very, very few of the vendors seem to be bothered to think of “Does this shit work and is it cost effective?!!”, especially compared to all the other stuff you can buy. This is especially true for technologies utilizing threat intelligence (is this good intel? is this relevant to my organization? can I act on it?) and security analytics (does this detect the threats that I face? what tuning requirements are there? will it continue to work as threats change?)
  • In fact, the expo reminded me of the awesome paper “Market for silver bullets” [that you should all go read now!] and this quote “You’re proposing to build a box with a light on top of it. The light is supposed to go off when you carry the box into a room that has a Unicorn in it. How do you show that it works?”
  • Also, I’ve seen a looooooooooooong list of vendors that are a feature – an engine to match TI to logs/flows [SIEM does this, even if not yet at scale], UBA for one particular use case, web proxy log analyzer [because, dude, proxy logs are SO important! :-)], etc. Sorry, but these products are all destined to die, and maybe the lucky few are to be acquired by larger vendors missing exactly that one feature…
  • The trend I mentioned in my “RSA 2015: Rise of Chaos!!” post continues in force, and so I have seen a lot of products that, seemingly at random, mix features from different categories. The result, IMHO, is a product that makes a tiny number of people very happy for a short period of time, but does not fit in most reasonably designed security architectures.
  • All in all, the expo exuded the vile vibe of “It is about taking money from people and giving them buzzwords.” While many old professional cynics will opine that RSA has always been about that, I beg to disagree. The amount of money flowing to “cyber” does make a difference.

Some keywords and themes I picked in the vendor expo (admittedly related to my areas of coverage/interest):

  • Threat detection – likely a manifestation of the “new” trend to do more detection. BTW, if you only use threat intelligence for advanced threat detection, you are very likely to be very, very late….
  • Isolation – for malware and risky browsing. When I see isolation, BTW, I always ask: who/how makes a call on “what to let thru the isolation boundary?” I suggest you ask that as well….
  • Some IoT security finally showed up. It is of course early, so I expect we will see more.
  • Deception was much more visible this year; I really yearned for more deception in my past RSA blogs, but now it has finally appeared. Will this again be a short-lived fad? We’ll see.
  • More network traffic analysis (NTA) products somehow appeared. Some of them seem to plan to start from traffic (since it is easier to collect and process than all those logs) and then expand to being “a SIEM killer.” I wish them all luck, but frankly most SIEM vendors are NOT stupid [well, some are, but most IMHO are not].
  • Almost no compliance; in fact, I think I’ve seen somebody sleeping in an IT GRC vendor booth 🙂

Some additional reflections on stupidity and greed:

  • I’ve asked some personnel in vendor booths the question “who do you compete with?” and they told me “we don’t know, because we are small / just starting / unique” … and this is depressing. And, no, I didn’t ask a booth babe [there weren’t any to ask] or a sales droid…
  • Some of the booths projected a very strong impression of “we have the buzzwords and our goal is to take your money.” Nothing else – neither the booth nor the people therein had any knowledge of either the problems they solve or the methods they use to solve the problems. Dear end users! Don’t buy this shit!

Finally, additional reflections on my own presentation and panel:

  • My “Demystifying Security Analytics” [slides PDF] presentation was a raging success, a huge room was completely full and I had a lot of intelligent questions asked at the end. Definitely, the timing was perfect! Later, some of the audience members reported that they used my “demystifying framework” to parse what the vendors had in their booths….
  • The panel we did on endpoint security was good too, as far as panels go. One theme that emerged was the “silent failure of prevention.” Think about it! You may have the best preventative controls money can buy, but how would you know when they fail? These controls tend to “fail silently” by letting the threat pass. Detection is a must to know when it happens [and, thanks for the reminder, I know it is not new, but this message is somehow missed by lots of people…]

There you have it! All in all, RSA was great fun – as always!

  • chenxi wang says:

    Ha. I appreciate the “booth babe” comment :-). You didn’t come to my government encryption back door panel. You missed a gem of the conference.

  • chenxi wang says:

    BTW, we shouldn’t kid ourselves – RSA is not a place for discovering new ideas. It’s an industry meeting place, and for that purpose, it does its job exceedingly well.

  • I didn’t get a chance to get into too many detailed discussions at other booths, but from what I saw I walked away feeling like I had just visited a small-town carnival. The barkers trying to entice you to their booth (but had no in-depth knowledge of what they do) and the gimmicks (angel wings on the staff’s backs – really?). Not enough true experts anchored to the booths so the now-better-dressed-hired-guns had somebody to direct you to when you wanted more than the tchotchke of the day.

  • Andrew Hay says:

    I found the badge scanners particularly annoying this year. Several even communicated that they had daily quotas for scanning categories of vendors, press, and actual leads.

    When your product marketing strategy is boiled down to “how many scans can the drones do in a day” it leaves a bad taste in my mouth.

  • Daya Puls says:

    I agree completely with your assessment of the Expo floor: Continued RISE of chaos, disconnect between Risk and Intelligence.
    And my experience with sessions was a marked improvement of content/presentations and interactions. I came away with both learning and inspiration: DevSecOps and Quantum’s Coming (to the tune of Eli’s a coming…)
    And I will be going back next year 🙂

  • Matthew Gardiner says:

    Fully agree with your “vendors as a feature” comment as well as your “market for silver bullets” one. Maybe they really are closely related! As in my feature X is a silver bullet for popular attack technique Y. But what happens when the attacker shifts techniques? Apparently buy a new feature/silver bullet? How about having a monitoring system that collects many types of data, supports multiple detective analytic approaches and also serves as an investigation & response platform? Much easier to shift with the attackers than to buy another silver bullet!

  • Rick Moy says:

    I was also disappointed with the inability of several vendors to clearly articulate how they solve specific problems I asked about. Vendors need to better understand the everyday customer problems they solve, the competitive landscape, and their relevant differentiators. Buyers are getting more discerning. Failing that, “I don’t know, let me get someone who can help you” is always a better choice than trying to fake it.

    • Well, this clearly points at a high value of “several” 🙂 I was shocked this year at the lack of understanding of real end user org security operation practices.

  • Paul Melson says:

    My experience tells me that there isn’t a vendor with a booth on or a sponsored talk at RSAC that won’t meet with you at your business, on your terms, according to your schedule to show off their product and answer your questions. I can’t find the value prop in the RSAC expo floor any longer.

    • Well, some of the vendors AT RSA essentially were not ready to discuss “your business, on your terms”, but instead wanted to discuss their buzzwords, on their terms 🙁

  • Chris says:

    This is interesting to see over the years – I’m surprised 2016 didn’t have a lot more “Threat Hunting” and “Hunt” buzzwords that goes with the endpoint/agent-based security and “the bad-guys are already in your network” theme… Some vendors talk the talk, but even fewer walk the walk. Thanks Anton, keep up the blogging!

  • Bob says:

    Refreshing to hear this line of thinking. I spoke with a few security leaders in large organizations and asked, do you really suffer serious or APT style attacks? Are your adversaries that advanced? Do you need these advanced solutions? The answer was no. No, it wasn’t no because they didn’t know, it was no because they just don’t have that type of activity. Lots of neat stuff at RSA, but as far as needed, very little. Honeypot 2.0, cool, I always liked honeypot (nee deception) technology. Needed??? Focus on the cyber staples/due diligence/best practice/industry requirements, then focus on where your risk is and attack that with the latest cyber tech, if it requires tech to solve. Most organizations need good people more than tech. Funny, I didn’t see huge crowds around the staffing booths.

    • That MAY be true and I agree with your logic. However, some only discovered they HAD APT inside after a more modern tool was deployed…..

      And of course, great people with OK tech BEAT HANDS DOWN sub-mediocre people with best tech [at least for now, in the “pre-AI age”]

  • Phil McCrackin says:

    You make the comment that vendors don’t bother to think “does this SHIT work”. Does any of it work?

  • Joel Miller says:

    I can answer unqualifiedly that none of it works. I have been participating on Cyber Security Working Groups since the Smart Grid project began, moved to the DHS-sponsored Integrated Task Force for the Cyber Security Framework and am currently participating on NIST’s CPS or Cyber Physical Systems WG. The results are that no Real Solutions are produced, only Standards which are like Legislation = NO Cyber Protection is created.
    The problem is we are engaged in Trench Warfare from the outside looking in. We can watch the attackers as they enter, but can not provide protection within the Trench. The solution is to use Micro-Virtualization (NOT VMWare) to guard endpoints and set up protection within the endpoints so that hackers can be monitored in Real Time in the Trenches. This technology exists today and can reduce costs by 50% to 60% by combining products on a single secure platform. This allows Real Time Continuous Monitoring and Automation, making most of the current “point solution” vendor products obsolete.
    Does this have any implications for Gartner’s Magic Quadrant?

    • Well, frankly, if “none of it works”, then clearly micro-virtualization also does not work 🙂

      We do look at so-called isolation approaches and so far have not found them to be “the final word” in security. Happy to hear more details about your approach, of course.

  • Joel Miller says:

    The VM technology is used to create a secure Platform. It is based upon Micro-Virtualization, Secure Hypervisor, User resources below the Hypervisor and not readily accessible to hackers. This provides a platform which encloses the OS (Windows, Linux etc.) and is default-deny. That means that every execution needs permission, so that if a PDF comes in with Malware attached, only one execution is allowed – opening the PDF. Anything else is discarded with the VM and a new VM is opened for the next execution. The net result is that all activity within the computer can be “logged” in Real Time and suspected Malware can be moved, similar to sandboxing, to an area for live inspection.
    I know the company had conversations with several vendors that just exhibited at RSA and have made plans to meet with them. I will keep you posted.

  • Kevin Barker says:

    Your RSA session slide deck on the return of the endpoint seems to be incomplete. It has a total of two slides in it when I access it on the website. I found the link through this blog post and was looking forward to seeing the total presentation. Any way to access that?