To be honest, I have mixed feelings about the state of the RSA Conference (RSAC). After attending for six years, I missed a year while focusing on public cloud infrastructure. Upon returning to the security industry and RSAC, I was thrilled to see how much the conference — and as a proxy, the industry — had grown with both South and North Hall jammed with vendor booths and overflow sessions scheduled in Moscone West.
But after a few days of weaving through the highways and byways of the Moscone Center attempting to digest and process a sea of vendor signage and the barrage of similar messaging, I realized that the security buyer and practitioner alike must find the noise level confusing, if not annoying. It must be the product manager in me always mapping feature-function to benefits and the marketer in me seeking to quickly grok what a vendor does and how it’s different.
With that in mind, for RSA 2016 I hope attendees can navigate a market teeming with activity from product launches, partnership announcements, perhaps some merger and acquisition news, and no shortage of impressive innovation. Here are a few themes I’m looking for next week:
The Year of Hybrid Cloud
A good friend turns 50 this year, but she doesn’t want to celebrate on just her birthday and has served notice that this is the "Year of Marcy". I look forward to a year of celebrations with her as well as working with customers and vendors alike on their journey to the cloud, a journey that will be driven by the need to realize IT agility for competitive parity, never mind advantage. Nearly all CIOs and CISOs I speak with are somewhere along on their TripTik to the cloud, a process that is characterized by variants of hybrid cloud implementations.
Such multi-dimensional clouds will expand beyond a model of on-premises plus a few workloads in Amazon Web Services with the consumption of heterogeneous public cloud services, true private clouds that are service and utility-centric and automated via APIs, as well as micro-segmentation spanning clouds. Customers will want to consider how this multi-dimensional reality needs to be secured by considering solutions from vendors such as CloudPassage, Intel Security, and Trend Micro for cross-cloud workload security and Sumo Logic for consolidated analytics.
East-South and West-North
I never did so well in orienteering, but that’s not why I’m mixing up my compass directions; it’s because when micro-segmentation meets hybrid clouds, the east-west and north-south metaphors used to distinguish traffic patterns no longer work so well. Cue Jimi Hendrix’s "Crosstown Traffic." Customers are beginning to micro-segment networks that span on-premises and public cloud infrastructure to secure the associated applications with workload-centric access controls for software-defined perimeters by employing solutions from companies such as Certes, Illumio, Unisys, and vArmour. These software-defined approaches support today’s Agile and DevOps world of go fast or be left behind.
(Sidebar: What an amazing catalog of music from David Bowie. RIP.)
A chunk of the billions of dollars of venture capital invested in cybersecurity startups over the last few years has landed in the coffers of endpoint security plays based on this investment thesis: just like Palo Alto Networks disrupted the firewall market, so too will a well-funded startup disrupt the endpoint security market.
This is clearly a market in transition and one that will be front and center at RSAC. The established brands will let the market know that they too can provide advanced prevention capabilities as well as detection and response, and some will succeed. A few of the emerging market leaders who are breaking away from the pack can cite legit enterprise customer adoption and deployment success, including Carbon Black, which is executing a leveraged go-to-market strategy to accelerate growth.
CrowdStrike, Invincea, Cylance, and Tanium are others going from startup to upstart with increasingly complete functional capabilities, albeit indexed on different ends of the prevent, detect, and respond continuum. And CounterTack and Guidance Software bring different respective approaches to the forensics side of response, both having merit and the customer adoption to prove it. And a number of more recently funded players will be touting their innovation to help customers thwart the endpoint infection point that is so crucial to mitigating the cybersecurity kill chain. But the endpoint market is all about real estate: protecting what you have and displacing others. As they say in the business — “location, location, location.”
User Behavior Analytics: Many a Use Case
There are a number of compelling applications for detecting anomalous user behavior that could be indicative of stolen credentials or the actions of a malicious insider, with a common objective of preventing data loss. As such, user behavior analytics (UBA) is becoming an important aspect in the resurgence of data loss prevention (DLP) controls, driven in part by the horizontal need to secure the use of cloud apps. Blue Coat (via its acquisition of Elastica), CloudLock, IBM, Trend Micro, Palerra, and other cloud access security broker (CASB) vendors do just that by baselining normal patterns of access and use to identify and alert on exceptions.
But UBA also has compelling applicability beyond the cloud to protect internal data assets stored on a file server, an approach employed by Varonis and enabled by DataGravity’s data-aware storage platform. Pure-play approaches such as that provided by Exabeam and others apply this approach to a variety of resources and assets accessed by users for breadth of coverage. Some organizations will want to consolidate such user telemetry, in which case advanced analytics platforms built for the hunt side of IR, such as those provided by Bay Dynamics and Sqrrl, are a logical environment for UBA to be triangulated with other data via graph modeling. All anomaly detection solutions must start with establishing what is normal, a non-trivial undertaking given the variable nature of end-user computing. But with the human vulnerability being regularly exploited and users thus co-opted as the proxy for the actual bad actor, UBA is an increasingly relevant component for detection and response.
Just like the last few years, there will be lots to parse for the buyer on their journey to improving their security posture as they try to keep up with the consumerization of IT and the multi-dimensional nature of the modern data center. Please join me and my colleague Jon Oltsik for our respective presentations next week, mine on cloud security at the TCG event on Monday morning and Jon’s on next generation endpoint security on Thursday morning, both in Moscone West, because, well, RSA has gotten that big!