RSA Conference 2017 is now a wrap, and blogs such as this one that attempt to summarize such a content-rich event are hard pressed to do so with any brevity, but, alas, I will try. Colleague Jon Oltsik, who fought being placed on the injured reserve list the week before RSA and missed the event for the first time in over a dozen years, and I offer a review of just some of the news from the show in this first of two video blogs. Here are some of the threads we pull on.
Heat on the endpoint and the need for “efficient efficacy.” The contested release of another round of third-party efficacy testing results stirred up controversy over the credibility of these tests, with some vendors rightfully crying foul. These comparative tests have raised real questions about both the testing methodology and the engagement model via which testing houses monetize their services, casting a shadow over the legitimacy of the results. The industry has been highly focused on the relative efficacy of techniques such as behavioral analysis v. machine learning/AI, including some interesting perspectives on which approach actually detects threats pre-execution; one argument is that detecting an exploit in action, before it can drop a payload that then executes, is the further-upstream, pre-execution form of detection. But the CISOs and security practitioners I talk to are as concerned with the operational efficiency of endpoint security controls as they are with their improved efficacy. More specifically, customers tell me they are well aware that traditional, signature-based AV is ineffective against new threats and understand that new detection techniques are required, but they want to hear more about how new releases from incumbent brands and those from emerging leaders improve operational efficiency by minimizing false positives, eliminating the need for ongoing alert curation and other acts of care and feeding, and employing the cloud as a delivery vehicle. A big part of that is consolidating controls – anti-malware, anti-exploit, port/device control, app control, etc. – into suites that ride on a platform. While the noise around efficacy testing creates confusion for buyers, the good news is that many an endpoint vendor is offering suites with a layered packaging model that will be evaluated on efficiency as well as efficacy.
The complexity associated with security analytics begs for a reference architecture. The oft-cited expanded attack surface that results from employee mobility, BYOD, IoT, and the use of cloud services means that telemetry from multiple sources is required, including user behavior, network activity, data access, endpoint processes, cloud app and infrastructure services, and more. And that’s not even including threat intel in the form of IoCs and IoAs that, when correlated, provide the situational awareness to mitigate risk by enabling multiple use cases, from detection to hunting. Wringing the signal out of all that noise is step 1, but security teams then need to operationalize it under the ‘orchestration and automation’ heading, terms that mean different things but are often used interchangeably. The imperative to leverage security analytics more efficiently is why colleague Jon Oltsik coined the term SOAPA (security operations and analytics platform architecture) to lay the groundwork for operationalizing telemetry. Many at RSA noted that SOAPA is spot on and that they look forward to hearing more from ESG on this topic – stay tuned.
To be continued...