The Buzz at RSA Conference 2019

Like many other cybersecurity professionals, I spent last week at RSA Conference 2019 in rainy San Francisco. Here are a few of my impressions:

1. Cybersecurity and business leaders are coming together, awkwardly. Remember when we used to wish that business executives would get more involved with cybersecurity? Well, be careful what you wish for. Yup, business leaders understand that there is a tight bond between digital transformation and cybersecurity and are now asking CISOs to provide the right data and metrics, so they can measure risk and implement the right controls. Alas, you can’t measure a dynamic environment like cybersecurity with static data, and most CISOs have nothing but static data. Since this situation won’t change, RSA was full of new innovations to quantify risk on a continual basis and help CISOs and business executives make better risk mitigation decisions. This is a big step in the right direction.
2. Every layer of the security technology stack is in play. Remember a few years ago when we were all shocked by dual exhibition floors in Moscone north and south? Well the RSA conference addressed this by making one contiguous show floor in and between both buildings. Why so many vendors? Because every individual technology in the security technology stack is in play, driven by things like machine learning algorithms, cloud-based resources, automation, managed services components, etc. All these vendors may be a boon to industry tradeshows, but they are confusing the heck out of cybersecurity pros. Instead of buzz words and hyperbole, successful vendors will invest in user education and thought leadership, offering guidance and support for customers and prospects.
3. The market is absolutely moving toward consolidation, integration, and platforms. CISOs I talked with at RSA have a 2019 goal of eliminating some percentage of vendors and tools from their networks, and many are just getting started. Large cybersecurity vendors are jumping on this trend with integrated cybersecurity technology platforms and moving toward enterprise license agreements and subscription-based pricing. Many of the vendors I met with are now tracking multi-product deals and incenting direct sales and distributors in this direction. To succeed, vendors need best-of-breed products that come together through central management consoles for configuration management, policy management, and reporting. It’s early on in this transition and none of the big vendors have a distinct advantage, but I predict that we’ll see a few break from the pack by 2020. Furthermore, we’ll see at least one $5 billion cybersecurity vendor by 2021.
4. Cybersecurity analytics meets cloud-scale. Earlier this year, I posted a blog predicting that 2019 would be the year of cloud-based security analytics. At RSA, Google and Microsoft did what they could to reinforce this prophecy with announcements of Chronicle Backstory and Azure Sentinel. Both are SaaS offerings that capitalize on a cloud “home court advantage” by accommodating massive amounts of data, storage, processing, etc. Both vendors readily admit that these are Rev 1 products, but each has an aggressive roadmap. Will these announcements usurp category leaders? Will they disrupt the status quo in terms of architecture and pricing? Heck yes.
5. Professional and managed services everywhere, by necessity. Amongst the widget vendors, there were lots of architects, consultants, designers, and managed services offerings for hire at RSA. Everyone equates this upsurge with the cybersecurity skills shortage, which is true but misses an essential point. Cybersecurity is perpetually evolving, with new demands for data analysis, scale, incident response, risk management decision making, etc. Most organizations don’t have the advanced skills to keep up with all the change. Cybersecurity technology may be sexy, but the future of enterprise security will depend more on third-party brainpower than ever before. This may shift the balance of power (and topics) at RSA from products to services in the near future. 
6. Cloud security immaturity continues. Large organizations are getting their arms around cloud computing technologies but there is still a large and growing gap between the pace of general cloud innovation and security controls and skills. So, while we may be figuring out container security, we remain behind in areas like securing microservices and the APIs they depend upon. This gap represents a true opportunity, but only for vendors who understand various cloud technologies, native controls, and what’s needed for central management. In the meantime, services vendors are acting as the tip of the spear yet again. 
7. The network still doesn’t lie. I’m please to see a renaissance in network traffic analysis (NTA) tools. Some are based upon open source technologies like Bro/Zeek, Snort, and Suricata. Some use machine learning to detect anomalous/malicious traffic. Some are tightly integrated with endpoint detection and response (EDR) tools. Why network security? ESG research indicates that network security monitoring is most often the center of gravity for threat detection. In other words, SOC analysts detect suspicious activity on the network first and then pivot elsewhere for further investigation. This makes the network an important source of security truth, which in truth, it always has been. In my humble opinion, CISOs can get a big bang for their buck by implementing one of the more modern network security monitoring/analytics tools, which may be why they seemed to be ubiquitous at RSA.

One additional note: Lots of discussion at RSA about the MITRE ATT&CK framework. Bravo! This is one industry effort where everyone seems to agree and crow about its benefits.