Based on the RSA Conference 2018 submissions, we are at an interesting time in the security field and are primed for a fantastic event in April. We have major new policies and regulations looming globally. DevOps, automation, and machine learning have taken hold (by the good guys and the bad ones). Identity—and patching!—is once again sexy. IoT isn’t slowing down, and ICS and supply chain attacks have us worried. Passwords are dead (they must be cats with nine lives as this is a recurring theme). And #fakenews?! Human fallibility is weighing on our minds as we grapple with our responsibilities to secure the world, and all of the people and devices in it.
Let’s look at some of the trends that bubbled up as we looked at the universe of submissions this year for RSA Conference 2018:
- Artificial Intelligence: We’ve been commenting on artificial intelligence in the past few trend blogs, and this year noted that the cycle it seems to be going through reminds us a lot of the adoption cycle of cloud technology. The 2016 submissions showed fear of machines taking over the world. 2017’s lens showed the pendulum swinging far to the other extreme and humans were to head on vacation and be universally replaced by machines. This year, the pendulum seems to have swung center as we work to establish a symbiotic relationship between man and machine with both important pieces of the relationship with neither fully replacing the other.We are learning to harness AI as a tool to complement, magnify, and amplify our activities, though we are recognizing some limitations as we explore new applications. We saw applications of artificial intelligence and machine learning beyond just the SOC with self-driving cars, fake news detection, biometric authentication, bug detections and predictions, IT configuration verifications, DevOps, and the list goes on and on—a list so lengthy, in fact, that some are calling for the creation of an ethical roadmap. In fact, we were so impressed by the machine learning-oriented submissions we decided to blow out a dedicated half-track on Machine Learning to allow more focused education on the tremendous—and rapid!—advancements being made here. But we’re also not alone in capitalizing on the maturity of AI: good guys and bad guys are using it with more and more reports about “blackhat AI” being used as an attack vehicle. We also noticed a tinge of audio recording paranoia. With Alexa and Siri firmly implanted into more and more homes and the fabric of everyday living, we are becoming more concerned about the dark side and privacy implications.
- Human Manipulation: Human manipulation through technology was the focus of many submissions as you explored the psychological nudge achieved by parties intent on eliciting specific emotional thoughts and behaviors (with examples beyond just the 2016 US Presidential Election), an impact that will likely be felt for years to come in areas such as reputational damage and the like. Noting how easy it was for parties to manipulate opinions and subsequent actions without ready detection, several of you explored where this could lead with manipulation of data where minor data changes of financial reports, social media posts, health records and the like could have massive, lasting impact on a personal, organizational, national, and global scale. And with advancement of technology making it very easy to create photos, audio recordings, and even videos that appear real but are not….what safeguards do we need to have in place to protect our minds and the integrity of our data? Our impression is that we’re only at the beginning of exploring this attack vector.
- ICS and Supply Chain Attacks:Supply chain attacks are to 2017 what ransomware was to 2016. Headlines this year have been full of attacks that only Hollywood could have imagined—and this was not a singular “wow” attack but multiple attacks across the globe on critical infrastructure, with Petya serving as a wake-up call to manufacturing as they more clearly reviewed the security of their supply chain. ICS attacks, like other types of cyberthreats, have been increasing in scale and sophistication over the past few years, probably due to the growing connectivity of industrial systems. Submissions focused on the unique characteristics of ICS cyberattacks, including the adversary’s intent, their sophistication and capabilities, and their familiarization with ICS and automated processes (lots on automation this year). We’re also exploring the “collateral damage” of some of these supply chain attacks that masquerade as one thing but inflict damage to completely uninvolved parties in the chain. If there’s one place with concerted fear on the threat landscape, this is it since so many core infrastructures are based on antiquated technology, with a whole lot of touch points, and the opportunity for big impact is strong.
- Blockchain: We noted an empirical focus on blockchain this year, moving from theoretical to solid applications. With this growth and spread of blockchain applications, some noted the need to develop true standards and security protocols. Blockchain as a solution to IoT, payments (large and small, particularly peer-to-peer), identity, ICOs, loyalty programs, shared resource distribution, and connected devices came up more and more, with submitters exploring its distributed trust model and availability as a solution for users to govern and manage their own security and for companies to improve operations, security, and generate new services. And, yes, the bad guys haven’t missed the opportunity with blockchain, either. We are so intrigued by the depth of blockchain content to share that we have added a focused Blockchain Seminar on Monday.
- IoT and Medical Devices: As with past years, we had a large number of IoT sessions, with content generally moving toward solutions vs just identification of problems; we are learning to eat the elephant one bite at a time. This was most significant as we looked at the number of submissions focused on hacking and protecting medical devices, where the depth of the submissions and the number that also include an MD practitioner joining the speaking docket was pretty intriguing, seeming to represent a maturity to the conversation and closer movement to resolution now that it is not just a security conversation. Submissions represented conflicting opinions as to if technical solutions alone might solve the challenges the medical community faces (though legacy devices out there were built long before Internet connectivity was even envisioned) or if regulatory oversight will be required to assist in the process of securing practical, reliable solutions. Concern also bubbled up around how the collection of data from these devices is happening, calling for greater assurance that there is not more data collected than is required and it is not shared without the permission of the original owner. Privacy and security once again emerge as connected conversation.
- Intelligence sharing: Or rather the lack thereof! Last year there was an explosion of submissions around intelligence sharing, so much so that we carved out a special half day seminar focused on it. This year….crickets (well—a few chirps, but the submissions certainly feel like a boom and a bust). The undertones of the submissions that did come in pointed to a myriad of issues that arise when organizations endeavor to share intelligence externally. Some explored the technical challenges of sharing intelligence which requires context in order to be truly actionable, pointing to IOCs as the death knell for intelligence sharing, rendering it unhelpful and irrelevant. Others bemoaned the plethora of standards and the different ways that organizations have utilized the standards, arguing that no one is really doing things in a consistent way…rendering the standards essentially useless. Others explored the business ramifications of sharing information: will it cost an organization a market advantage, trigger a legal liability or violate a privacy commitment? We seem to have hit the pause button in our enthusiasm to share intelligence….and yet we recognize the many benefits that would come from getting this right.
- Identity: Passwords are dead (again) this year (we definitely want to drive a stake through the generic admin password, as do some 2017 breach sufferers!), but identity is very alive, with the discussion expanding well beyond people to machines, which need to be identified and secured, particularly given the rise in automation. We’re working hard to manage, track and secure the interrelationships of everything—man and machine—throughout organizations, numbers that are exploding exponentially in a world of IoT. Answering the question of “who” before any exchange of information happens is our most important challenge as security practitioners—something our submitters argue can only be answered with a strong, trusted assurance of identity. But how do we best achieve this? This came through loud and clear as we read about innovative solutions and approaches to answering “who” in the cloud, on mobile devices, in the supply chain, and on the endpoint.
- Infrastructure: Beyond the ICS attack focused submissions—or perhaps inspired by them?—we saw an uptick in conversations in and around the security of infrastructure. We also noted an up-tick in DNS and endpoint focused sessions. We saw a significant growth in submissions that explored software-defined perimeters, which explored DISA black net, Jericho, Zero Trust model, and Google BeyondCorp. This is something that has come up slightly in past years, but seems to have gained some more significant traction this year that may be a harbinger of things to come, with the real proof being we’re seeing end users talk about it and not just vendors making promises around it. We also saw more conversation around patching, which we can probably attribute to successful ransomware campaigns and the Equifax breach (among others). This is another place where we’ve seen the automation word creep in—as well as a discussion about regulatory requirements—as we debate if patching should be mandatory or not.
- GDPR, Risk Management & Resilience: GDPR—and the significant impact it (and perhaps other equally disruptive standards and policies to come) will have on organizations across the globe—was (no surprise!) a big theme in submissions this year, so significant we have a GDPR focused Monday seminar this year. Many vendors hopped on this bandwagon offering magical, one-of-a-kind silver bullet product solutions, but the voice of the end user came through submissions pointing to the larger implications and systemic changes across people and processes (more so than technology) needed within organizations to be compliant, which reminded us of a fantastic webinar from John Elliott, head of payment security at easyJet (which was a follow on to a very well-received presentation at RSAC Unplugged London 2017). The friction between privacy and data protection on one side rubbing against business enablement and customer engagement on the other side (we’ll see blockchain, IoT and Artificial Intelligence play increasing roles in this conversation as the tug-a-war increases, which we saw early sparks of via the submissions)—with security in the middle, needing to satisfy all parties—was a definite theme. We also noted a significant increase in language around risk management and resilience (as opposed to compliance or even governance) and looking holistically at risk through a business lens, an orientation that seemed to pull many submissions around cyber insurance as well as cyber risk warranties, measuring the true cost of security, and security ratings (vendor code security, tool capabilities, etc). We seem to want to be able to measure and validate the effectiveness of security using the same sorts of measurement tools employed across business.
- Workforce: Refreshingly, we also noticed a definite thread through the submissions that show we’re concerned about our workforce, as individuals and as a unit. We’re looking closely at what it takes to make a strong team that achieves the strongest possible security posture, recognizing that diversity of thought, background, age, gender, and experience is important. This is not just a man/woman thing, but a bigger conversation around diversity. Some pointed to the mainstream media coverage of the Equifax breach and the diversity of the backgrounds of executives there (“how could someone with a music degree possibly be in charge of security?”) as tone deaf to the diverse backgrounds of our industry—backgrounds and different ways of thinking that make us stronger and more resilient. This led to a greater conversation in the submissions of what effective education and training is, both as a starting point and on a continuing basis. The NICE Cybersecurity Workforce Framework seemed to be mentioned a lot by our submitters as a way to quickly identify people best suited to perform specific security activities. We saw many submissions about outstanding programs across the globe targeted at helping specific populations be successful with careers in cybersecurity. We were so interested in the conversation—and celebration!—around diversity that we are developing a focused seminar around Securing Diversity for Monday at RSA Conference.
As usual, 10 is never enough to cover the trends that flowed through more than 2,100 submissions. We continued to note an uptick in quantum-focused submissions. We sensed some concern around lawful hacking, some pointing to recent cases they fear may make it harder to lawfully hack and not end up in prison. Likewise, there is a growing concern about geopolitics of research—are we going to discount some things just because of the area of the world it comes from (“balkanization” was used repeatedly)? We read about interesting digitization transformation journeys being embarked on. We heard your expressions of concern about making sure open source code—and as such the applications that use it more and more—is actually secure. Adding to that sense of insecurity, we noted the term “security debt” in an increasing number of applications.
At the end of the day, we were most intrigued and excited about submissions made by collaborators who first met at RSA Conferences and struck up relationships that blossomed into joint work and ongoing exchanges. The underlying theme of what RSA Conference really is about surfaced: the power of the community and the opportunity to gather face to face and exchange one with another as we work together to make the world a more secure place. We look forward to engaging with you this year!