With more than three months to go before we welcome you to San Francisco, RSA Conference 2017 is already breaking records. We had more submissions for regular session talks this year than ever before—almost 30 percent more! Let that sink in for a minute. We had almost 500 more submissions than our previous record high. And they weren’t submitted by zombie IoT devices or artificial intelligence robots—they came from living, breathing human experts, eager to share their experience with the security community. And our living, breathing human Program Committee was put to task, reviewing them all so that this year’s RSA Conference is the best one yet.
As has become our tradition, we use your submissions to get a “window into the soul” of the security industry, so here’s what we know about our collective soul:
1. Internet of Things. IoT hacks have become so highly visible that even my 86-year-old neighbor can talk about them. Seriously. Submissions this year showed a greater maturity when it comes to acknowledging the risks posed by the IoT, the excessive bundling of Things, and our lack of knowledge about what Things are even out there. We are now analyzing the collateral damage IoT attacks can cause. A host of problems—from how devices connect to the Internet to how they are manufactured—are leading to increasing worries over, and concrete, demonstrable examples of, how attackers are taking advantage of insecure connected devices. We’re also grappling with how law, policy and regulations should evolve in this new Thing-dominated world. In fact, we saw such an uptick in IoT-focused analysis we promoted it to the track level, introducing the new Mobile & IoT Security track.
2. Ransomware. We were DDoSed with ransomware submissions this year—and they weren’t just technical. Not even APTs took root this quickly. Real experiences with ransomware rocked the world and ignited discussion from all corners of our industry—technical, policy, legal, business managers and executives. Boards of Directors even got in on the action. Was it our collective experience with APTs that made us better at sharing and discussing ransomware quickly? Hmmm. Maybe! We had such a robust, well-rounded universe of ransomware submissions that we decided to introduce a full-day Ransomware-focused seminar on Monday that will explore its multi-faceted implications across technical, policy, compliance and financial dimensions. Sessions will discuss innovative research, present case studies, explore combatting ransomware, and debate if—and when—you should pay the ransom.
3. Frameworks and Processes: What’s Old Is New Again. Many submissions attempted to review the mechanisms and processes that have underpinned how we have done business for years—ATMs, mainframes, planes communicating with towers, and so on. It read like a retelling of the Ghost of Christmas Past, a parade of victims designed without a security focus from the outset. We recognize that we have to revisit everything with a security lens in this age of connectivity and digitization. (Throw in “paradigm shift” and you have yourself a matching set of candidates for this year’s buzzword award!) We are examining the ways we have done things for years to understand risk, and we are trying to develop a common vocabulary; some fear we are talking past each other, contributing to our challenges, while others fear the overuse of certain terms by marketers has actually muddied the water. The opportunity for DevOps here—and its impact on Application Security—was not lost on our submitters, and it was exciting to see even more end-user organizations share their experiences, pushing the maturation of this market. The Application Security DevOps track this year, consequently, is incredibly powerful.
4. Mad as hell and not going to take it anymore! Last year we commented on the INAMOIBW (“It’s not a matter of if but when”) cloud that hung over us as we sadly, yet patiently, waited to get breached. This year we are fighting back, though we certainly aren’t naïve. We have our gloves back on, we’re sending our hunters out, and we are actively deceiving (more on that in No. 8). Some of us even seem to enjoy it. Prediction seems to be replacing, or at least generally taking a seat right next to, Prevention as we work to get in front of the threats. Additionally, many end-user organizations that traditionally are not “allowed” to speak publicly on certain topics submitted talks—far more this year than in the past. That shows a shift that is very healthy for our industry.
5. Intelligence Sharing. We have moved from discussion around “information sharing” to “intelligence sharing,” showing a maturation of the value of what’s shared. We also seem to have defined and launched focused groups—ISAOs, ISACs, CERTs, Sector Coordinating Councils, etc.—who are now starting to share intelligence, which is straining standards and frameworks, triggering necessary legal and privacy conversations, and leading to a healthy analysis of what works best. Our work here is at different stages along the maturity curve, defined by industry, by geography or by governance drivers, and we seem to be experiencing growing pains. The opportunity is clear here, and the need urgent, so much so we are launching a new Monday focused seminar: Practical Intelligence Sharing: ISACs and ISAOs. We’re also offering meeting space to ISACs and ISAOs, part of our commitment to networking and community building within the security industry.
6. GDPR (General Data Protection Regulation). Do we even need to spell it out? Never before has a regulation landed so quickly on our word-cloud analysis of submitted titles. Not even PCI found its way this fast. Is GDPR an opportunity or a curse for CISOs, legal counsels and security professionals? The submissions suggest both. As an industry, we are also intrigued by the role (and responsibility!) of cloud providers in addressing compliance. The massive financial implications of this regulation demand thorough response, and we see fast action across our industry, which will be reflected on our agenda through several different sessions.
7. Artificial Intelligence. Last year we were afraid of the machines, but this year it sounds like we humans are going on vacation. We had visions of WALL-E running through our heads—well, maybe “running” is the wrong word—“rolling” blissfully along. This year we’re trying to figure out the role of the “human.” Look for the Human Element track to explore some very different concepts as a result, and watch for some coverage on Analytics, Intelligence & Response as well as Hackers & Threats. AI may merit its own track in a few years, but we are definitely still very divided and unsure about how to best embrace and apply machine learning, automation and artificial intelligence—and if we are the masters or the servants in the future.
8. Deception—and the rise of Military Terminology. This year we noted a significant maturation in the discussion around deception techniques, with that specific term (have we identified another buzzword?) showing up heavily in submissions around offensive countermeasures and hunting. Gone are the references to honeypots as we explore how different types of deception engage and block attackers in different ways. Now we are flooded with submissions that refer to insurgency and counterinsurgency military theory. Kill chain and defense in depth are parts of our vocabulary, and military terminology continues to creep in. We’re using it, and we don’t even know it. (If we’re playing the buzzword game here, “Crown Jewels” is yet another contender for the 2017 submission prize.)
9. Blockchain. Another wow-and-pause moment. Bitcoin burst onto the open-source stage in 2009, garnering much attention from both the good guys and the bad guys. Then interest fizzled away. In 2014 we only had a total of two submissions that even mentioned it. We even seemed to lose interest in identifying Satoshi Nakamoto. Fast-forward to our 2017 submissions, and Blockchain is booming. The variety of applications and the technology’s move beyond financial uses is remarkable and pretty exciting. It’s opening doors for identity and digital-interaction authentication, being used for loyalty programs and payments and, yes, even IoT. The U.S. government, among others globally, is offering grants to companies focused on using blockchain technology to solve security and privacy problems with medical record theft and fraud, among other applications. We may have crossed the chasm here.
10. Uncertainty. This is really the underbelly of many of this year’s trends. We cannot recall another time that there has been so much churn year-over-year in the submissions we’ve reviewed. This is evidenced in the word cloud, which had many new words appearing, usual suspects disappearing and/or shrinking, and a completely different view. There is tremendous uncertainty within our industry, and there is also uncertainty around our industry. As acute social issues play a bigger part in our security world, cyber is playing a larger role in how the world works. It’s an exciting time for our profession, and yet, to quote Spider-Man—and Voltaire—with great power comes great responsibility. Are we up to the task?
It’s hard to boil more than 2,200 submissions down to a handful of trends. Beyond these, we saw interesting discussions on intelligence weaponization, Natural Language Processing (NLP) algorithms, cyber insurance, KMIP, 5G, more from small businesses and education, and of course reflection on elections. We heard “meme status” more than a few times (and in case you were wondering, “meme” was added to the dictionary in 2015, the same year as emoji). And time travel—yes, time travel—even graced the pages of our submissions.
It’s awesome to see the vibrancy and energy of our community and our growing willingness to share and learn. We look forward to an amazing RSA Conference 2017, and welcome your participation.