It’s a bit late to write about what I saw at RSA this year (it’s almost time for the Gartner Security & Risk Management Summit!), but I’ve finally defeated procrastination and managed to write down my thoughts. Here it is:
Keywords: isolation, visibility, “analytics”, deep/smart/machine learning: most booths would have at least one of these. A more careful analysis indicated that technologies such as SDN and microvirtualization are bringing a new wave of isolation and compartimentalization products. Also, the message that the attackers are already in has finally been absorbed, generating the demand for visibility technologies. And, finally, analytics and machine learning, because they sound cool and someone needs to provide the Kool-Aid.
Crazy feature combinations: Anton mentioned this on his analysis too; many vendors building odd combinations of features, making very hard to define what their products are about. In essence, it seems that there is a general lack of vision for product roadmaps and a frantic attempt by the startups to meet the needs of the first big customers, in a kind of “roadmap by the biggest cash cow” mode.
The brains are moving: The “brains” of security monitoring environments used to be in the SIEM, the central point where all events and alerts would be correlated and prioritized. It seems that many organizations are giving up on that model, either putting the brains in each monitoring component (EDR tools for endpoint monitoring, NFT tools for network monitoring, UBA tools for user activity monitoring, etc) and using the SIEM just as a simple SOC interface or even as data source for those external “brains”. There also those cases where the vendors are providing “brains as a service”, consuming data from the client environment, processing on the cloud with proprietary engines (“analytics”, ML, very smart analysts, correlating with very exclusive TI, etc) and delivering alerts or “badness scores” for entities. Some of those vendors believe they can provide an alternative to SIEM, which is very resource demanding, using this model.
For years we’ve been listening to peers criticizing the “RSA circus”. I understand their frustration and lack of tolerance to all the marketing and buzzwords, but for most organizations those vendors are the primary source of security technology and skills. They need to navigate through that craziness to find the pieces they need for their security strategies. Being there and assessing what is being offered is crucial to understand how to translate common needs into product and service requirements that can actually be addressed by what is on the shelves. It could certainly be easier if there was less spin and unreasonable marketing approaches, but with the amount of money being spent on security that is just a utopic desire. We need to deal with chaos and learn how to extract what we need from that.