Now in its 26th year, RSA’s conference in California remains the IT security industry’s largest and most essential get-together. A reported 43,000 people attended the conference which is spread over a week in the Moscone Center, San Francisco, and even speakers who have boycotted the conference itself come and sit in hotel lobbies to hold meetings.
To the frustration of some, almost none of the speakers were Trump administration security officials, with only a single keynote from the House Homeland Security Committee Chairman, Michael McCaul. This contrasts with the much closer engagement of the previous Obama administrations. A long-anticipated, and now much overdue, ‘Executive Order on cyber security’ is still awaited from the Trump administration, despite expectations that it would be announced at the conference.
Also in the keynotes, Microsoft’s Brad Smith called for a Digital Geneva Convention to reduce the impact of state-sponsored hacking on citizens. Besides the existing economic damage of internet fraud and hacking, Smith’s concern is that there are ‘increasing risks of governments attempting to exploit or even weaponize software to achieve national security objectives, and governmental investments in cyber offense are continuing to grow’.
Security software engineering
This year’s keynote Cryptographer’s Panel included a reminder from Whitfield Diffie (Stanford University) that improvements in programming quality and in building security into software from the ground up would have a greater positive impact than any of the products on display at the conference expo. Similarly, a presentation on the not-for-profit Core Infrastructure Initiative set out the benefits of free & open source software. However, it drew attention to the critical need for active participation in the development process by its users if they were to avoid baking code into their products with inadequate security oversight. According to Linux Foundation CTO, Dr Nicko van Someren, prior to the discovery of the critical Heartbleed bug, the OpenSSL software stack used by the majority of the world’s web servers had only two programmers occasionally maintaining it, with a paltry $3,000 spent funding security work on it in the preceding years.
The cyber security domain is complex and fragmented, as this ‘top-level’ map illustrates:
Figure 1 - Cyber security domain map (Source: @VladislavBukin)
Within every sub-domain bubble are myriad conference participants, speakers and vendors sometimes offering almost indistinguishable products and services. No wonder there were a reported 700 speakers and 550 booths in the RSA conference expo, with more overflowing into hotel ballrooms and basements nearby.
All this complexity means multiple new innovations and issues present themselves at the conference each year.
Unsurprisingly, claims of Artificial Intelligence and/or Machine Learning were almost ubiquitous in security products this year, although direct evidence of the benefits remains scant. Nonetheless, automating information extraction from data of all kinds remains a potentially potent tool which is arguably peaking in the ‘hype cycle’.
Following the impact of the Mirai botnet (which exploited webcams to deliver a Denial of Service attack against DNS providers), Internet of Things threats were receiving a lot of attention. Given that the Mirai toolkit was incredibly successful with only a username/password pair of ‘root/root’, there is clearly a lot of work to do!
Alas, few products directly addressing the challenge were in evidence, leading commentator Bruce Schneier to insist that regulation is essential and, since Government itself is not qualified to understand the technical issues, that the security industry ‘need to get into the debate’.
Ransomware is a growing danger already causing significant direct harm to rising numbers of companies. Moving beyond the ‘to pay, or not to pay’ dilemma (paying up being increasingly acceptable), the development of adequate response plans, in advance of an attack, has become a basic obligation of all enterprises. Waiting for the event to happen is, as ever, way too late – and almost certainly all organisations are going to get hit. The principal vector for such attacks is email, so anti-phishing tools and phishing avoidance training for employees were clearly in evidence as growth areas this year.
As enterprise migration to the cloud continues, identity management for cloud apps continues to be a growing requirement, and so Single Sign-On vendors were making the most of the trend. The advantages of central password management become clearer as users are increasingly faced with externally-facing applications.
Likewise, mobile threat detection and mobile device management continue to be growing requirements. Google continues to improve central app security analysis in the Play store, but all enterprises offering their own apps to customers and employees should be using static code analysis tools as a minimum to check for vulnerabilities before every app release.
UK cyber security companies at RSA
Once again, the UK Department for International Trade led a delegation of UK cyber security companies to the conference expo, hosting a joint booth there and organising a programme of activities including a VC Investor panel event and a reception co-hosted with the local UK Consulate.
Participating companies included data discovery and classification platform Exonar (an Amadeus portfolio investment), and Cyber London accelerator graduates CheckRecipient and Galaxkey, along with Corax, Cyber Owl, Glasswall, Huntsman and Panaseer.
The award for ‘Best Party’ was widely said to have been taken by endpoint security unicorn (and Amadeus portfolio company) ForeScout, who hired the rapper Snoop Dogg to perform at a San Francisco nightclub, but your intrepid reporter remained waitlisted, so has no first-hand evidence to back this up.