RSA 2020 had an uninvited guest: COVID-19. Fist bumps replaced handshakes, and hand sanitizing stations seemed to be everywhere in the Moscone Center. Attendance appeared to be down, due to factors like the virus panic and the withdrawal of major players like AT&T, IBM, and Verizon.
While lots of people pulled back, the ESG team was in full attendance. Here are a few of our observations and thoughts on RSA 2020:
- Endpoint security vendors are looking for their next act. My colleague Dave Gruber summed up the current state of endpoint security in one word, “Meh.” In the past, endpoint security players were adding advanced analytics or unifying layers of endpoint protection with EDR. This year, they tended to talk about support for cloud workloads and mobile devices. Yes, these workloads and devices need protection, but this all seemed like “dot release” stuff to old Dave.
- On to platforms. Endpoint security may feel ho-hum because it seems destined to become one cog in a larger cybersecurity defense machine. Call them platforms, XDR, or something else, these offerings bring endpoint, network, and cloud security together under one roof. That should mean better data correlation, more robust and accurate alerts, and streamlined operations. Cisco, Palo Alto Networks, and Trend Micro made announcements along these lines. While end-to-end cybersecurity technology platforms will proliferate over time, cybersecurity professionals grew up with a tradition and culture anchored to point tools. Successful vendors will need to hold customers' hands through this transition, making sure to help them blend platforms into established SOCs.
- CISOs need help. For several years, we’ve heard the soundbite, “cybersecurity is a boardroom issue.” Maybe so, but the average corporate board member is a 65-year-old white male who is highly experienced in business but wouldn’t know a digital certificate if it bit him. Meanwhile, CISOs are being asked to protect an expanding footprint of mission-critical digital assets. Alarmingly, this can degrade into the blind leading the blind in some organizations. CISOs need real-time risk management, solid metrics, and tools to run an enterprise security program. I had some good chats with CISOs about these problems, and with a vendor named Blue Lava about possible solutions.
- API security, the next frontier. My colleague Doug Cahill is really concerned about this area. In an example of history repeating itself, software engineers are gung-ho on serverless application development and thus way ahead of security professionals’ experience and tools. Furthermore, there are a lot of insecure APIs out there, and we’ve already seen plenty of breaches that trace back to them. While Doug is concerned, he was also encouraged by the level of innovation going on in this area and believes we’ll see lots of investment and M&A activity in 2020.
- Network security moves to the cloud. My colleague John Grady is closely following the integration of network and security functions into cloud-based services. ESG calls this architecture the elastic cloud gateway (ECG). What type of services? CASB, SD-WAN, DLP, and web security are most frequently mentioned, but Mr. Grady sees this as a starting point: users want to add things like access control, firewalling, IDS/IPS, and SSL/TLS decryption to the mix so they can decrypt and inspect traffic once (at the network edge) and then apply a multitude of services to that ingress/egress traffic. Stay tuned, John Grady is researching ECG trends as we speak.
- Email and app security renaissance. These areas are heating up for good reason. On the email security side, email remains a major threat vector while newer attacks like business email compromise (BEC) are growing. For example, the FBI estimated BEC losses of $26,201,775,589 from 2016 to 2019. New threats mean new and innovative types of defenses. Meanwhile, perpetually underinvested areas like application security are getting more attention for a simple reason: there is far more mission-critical software being written, using modern development techniques. If we don’t ramp up application security, we are effectively making ourselves a bigger target every day.
- SOC scale and scope. The security operations center (SOC) used to be synonymous with SIEM tools, but it has expanded well beyond SIEM alone. There are threat intelligence platforms, network traffic analytics, EDR/XDR, SOAR (author's note, I hate this term), etc. Oh, and I can’t forget to mention that many enterprise organizations are collecting, processing, and analyzing TBs of data per day, requiring message buses (e.g., Kafka, RabbitMQ), stream processing (e.g., Apache Spark), graph databases, data lakes, and constant tuning of the data pipeline. Meanwhile, newer entrants like continuous automated penetration and attack testing (CAPAT) and deception technologies are joining the SOC, closing the loop between prevention, detection, and response.
Grey-haired security analysts probably never anticipated that they would need to moonlight as data engineers and scientists. Given this scale and scope, security professionals are proactively moving SOC infrastructure and analytics models to the cloud. Vendors like Devo, Exabeam, Google, IBM, Micro Focus, Securonix, Splunk, and Sumo Logic have lots of work and opportunities ahead.
Despite the down year, RSA is still the nexus of cybersecurity thought leadership and will continue to hold that title in the future. Given this status, I believe it is essential that the show be moved from wildly expensive San Francisco to a more economically friendly location. We need to inspire business, industry, and cybersecurity diaspora participation, not exclude large segments of these populations due to obscene costs. If RSA turns into an exclusive phat cat event for cybersecurity 1%ers, we all will suffer.