This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
This is our first post into our series of deep dives. Instead of focusing on technology coverage areas this year, we decided to break things out into “problems” that map more closely to security projects.
As we’ve focused more on topical issues facing security practitioners this year in the Guide, we’re able to get away from the artificial category distinctions of things like Endpoint Protection, Network Security, Threat Intelligence, Analytics, SIEM, GRC, and about another two or three dozen categories that in some way, shape or form deal with one thing: threats.
Of course, there are about a hundred ways to define “threat protection.” And it’s not even clear what word should we use to discuss threats? Is it threat prevention? Absolutely, since we want to prevent threats from causing damage. What about threat detection? We probably need to do that too, since you can’t prevent everything. Threat remediation? Threat investigation? Threat Intelligence? Yes, yes, and yes.
So we’ll just use the umbrella term “threat protection,” since that seems the broadest and candidly, I’ve already spent too much time writing about nonsensical categorizations of the same damn thing. Threat protection has evolved quickly, but not as quickly as the adversary. Thus, it seems like we lost ground since the last RSAC. But then again, why would this year be different than every other year I can remember?
But it’s not all bad. The security funding fiesta isn’t over yet (but it’s pretty tired) and that means there is a lot of new technology being deployed that works (marginally) better. Note, I’m not going to say it totally works, but it’s certainly better than the crap you’ve been dealing with for years (yes, endpoint protection and ports/protocols firewalls, I’m looking at you).
At this years RSAC, you’ll see a lot of activity around similar themes as we’ve seen in the recent past. Your endpoint protection sucks and needs to be replaced. Your network security sucks and needs to be replaced. Your security monitoring sucks, and you get the picture. Understand the machinery of the security industry thrives on this rip and replace, so there will always be a new shiny thing forcing you to figure out if the thing you bought 18 months ago is still shiny enough to keep.
All Roads Lead to the Endpoint
We expect 2016 to be the year upstarts land on the endpoint protection beach and storm the barricades of the incumbent AV vendors. They’ve been assembling their armaments for years. They’ve been stockpiling an army of SEs and channel partners and raising boatloads of cash to fund the full frontal assault.
RSAC 2016 is the shot across the bow. The incumbents will be talking about their enhanced protection using behavioral technologies and global threat intelligence. Per usual, solving yesterday’s problems tomorrow. The upstarts will be talking about endpoint forensics and isolation and a lot of other technical nuances that they can’t prove and most of us can’t understand.
Here’s what you need to know: 1) Will your assessor be cool if you rip out your existing AV? 2) Will the new shiny thing actually stop more attacks? 3) Can you migrate to the new thing without visiting devices? 4) Will it save you 40% off the top of the money you’ve been flushing down the toilet for years?
Of course, the answer to all of those questions is yes. So it’s time to consider moving away from AV incumbents, and that means you need to go shopping for some cool endpoint kit at RSAC.
The Race to Automate
There isn’t a lot new that you’ll see at RSAC from a network security standpoint. It’s no longer about application policies and NGFW will be a lot less shiny, mostly because people are using it now. Sandboxes are passé and everyone can detect C&C traffic. Or at least lie and tell you they can.
What’s going to be shiny on the network this year is automation. There will be a handful of new companies (and a handful of survivors formally known as NAC and firewall management) focusing on helping your manage your network security stuff in a policy-based, automated fashion.
Before you soil your pants, this is actually a good thing. We’re not sure that any of these folks are long-term survivors because this is really a feature of your network security fabric, but given the fact that you can’t find people to do anything nowadays, having machines do machine-like work is great.
It’s early for these folks, so a lot of their stuff will show better on the show floor than in your network, but automation and orchestration go beyond the cloud.
At this year’s RSAC, you’ll hear a lot about analytics. You know, math. It’s this new thing that will change everything in security. It seems security is a few centuries behind other disciplines in leveraging math for better results.
But all the same, whether it’s your SIEM, network forensics gear, insider threat detection devices, user behavioral analysis tools, or other handful of use cases masquerading as companies (which keep RSAC afloat, so we shouldn’t bitch too much), you’ll hear about data scientists in the proverbial coal mines figuring out how to find adversary activity in your network.
To be clear, none of this is novel. It’s true that the analytics do provide a more efficient way to do heavy analytics. And we have more security data than ever before. So the kinds of analyses possible now, were not possible 5 years ago. But all the same, what they don’t tell you (and you should ask about) is that someone will need to go through all of those fancy alerts and see if they are valid.
Regardless of the puffery you’ll see on the show floor, you’ll still need carbon-based models to wade through the morass of alerts generated by these new-fangled math toys. But Pythagoras is happy anyway, because there are new applications for math in security.
Intelligence to Action
For what seems like the 20th year in a row (though it’s probably the third), you’ll hear a lot about threat intelligence. There will be data battles and other marketing shenanigans about why one company’s threat intel is better than another’s. Ho hum.
What’s important is not what data is better, but how easy is it for you to use?If you can’t use the data, having it produce smoking gun after smoking gun doesn’t matter. So focus on integration with the tools you use to manage your security program. Probe and ask questions about scale because doing heavy analytics on the terabytes of data you gather and comparing it to know indicators of compromise requires some computing horsepower. A lot of horsepower, in fact.
Don’t believe the hype. Threat intel doesn’t help you do your job. It’s about how you can leverage threat intel to make your other tools and processes more effective. Period.
Teams of Artemis
I actually think it’s fitting that the deity in charge of hunting is female. It will be great to see many more females roaming the halls looking at tools, as opposed to trying to get middle aged men to sit down for a presentation they don’t want to see, so they can bring a t-shirt home. This year, there will be a lot of noise about this new concept called “hunting.” You know, tasking certain folks with finding adversary activity on your network. Right, haven’t you been doing that already? If not, what the hell are you doing all day?
Once again, nothing is new under the security sun. Though calling these folks “hunters” definitely helps with their self-esteem and that’s always appreciated. At RSAC, you’ll see a lot of tools built specifically for hunters. Kind of in the same way a lot of tools were built for cloud security. I guess we should call this “IDS washing” now.
Yet, if you do have dedicated folks tasked with pinpointing adversary activity, a lot of these tools will be very shiny and you’ll want them. The real question is where on the priority list do hunting tools land. I suspect somewhere below stronger coffee for the Tier 2 folks wading through all of the alerts from the new analytics platforms.
Though in 2-3 years, these tools will be a lot more commonplace and better integrated with the rest of the security program. Even hunters have to play nice with the other folks on the team.
Will you leave RSAC with a better idea of how to protect your environment from threats? Probably not, but make sure to get some grapes at the Caesar Pavilion because it’s not clear these halcyon days of being able to throw money after every new widget to find advanced attackers has much runway left.
— Mike Rothman
Check out the complete series: Introduction
Theme posts: Threat Intelligence & Bothan Spies, R2DevOps, Escape from Cloud City, The Beginning of the End(point) for the Empire, Training Security Jedi, Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time..., Data Security Deep Dive, Cloud Security Deep Dive