RSA is the largest cybersecurity conference in the world, bringing together over 40,000 industry players and just about all the major companies over an intense 7-day period. I was able to get away for 3 days last week, and did my rounds of talks and presentations, and of course the vast expo floor.
Here are the 6 major things I learned:
#1 – There is a HUGE shortage of cybersecurity skills out there
Ironic, when you think that a single conference could attract 40,000 of them, but nevertheless true.
As threats increase and an appropriate response becomes necessary, investment by companies in infrastructure and resources has followed. VCs are pouring hundreds of millions into security startups, enterprise companies have opened their wallets and are attracting and retaining top cybersecurity practitioners, while the large consulting firms are creating independent cybersecurity practices and stockpiling their own talent. It’s a great time to be selling these skills, as overwhelmed IT teams try to deal with the threat onslaught and the knowledge ramp-up.
#2 – The Cybersecurity market is growing fast
The estimates vary, but there seems to be a consensus around a current size of around $80-90B USD and nearly doubling over the next 5 years, for an annual compound growth rate of 15%. Know a lot of markets that size that grow that fast?
Most interestingly, pretty much all market segments are growing as well, and these include IoT Devices, PCs, Mobile/Network, Connected TV, Wearables, Connected Car, etc. The largest segments today are obviously PCs and Mobile/Network, but there is considerable growth in the IoT Device segment (see below, #6).
#3 – Most attacks aren’t sophisticated
Maybe you won’t be too surprised to hear this, but most attacks aren’t that sophisticated. Think about it. If you were a major enterprise player, and you get hit, and hit hard, would you admit that some canny social engineer conned the CEO’s admin to give away the answers to some security questions that led to hacking into the account? Or is it easier to claim that never-seen-before sophisticated techniques were used to synchronize an attack that took advantage of several known and hidden vulnerabilities over a lengthy period of time…?
While we’d like to believe it, hackers are smarter than that. The more sophisticated the attack, the easier it is to attribute it to a specific attacker. It’s helpful to employ a ‘The Usual Suspects’ kind of mindset: if only 5 groups in the world could perform a specific type of attack, you can narrow the pool. For some reason Zero Day vulnerabilities, and attacks based on them, get all the press, but in truth they only represent about 1% of all attacks. Experienced hackers pooh-pooh them as the ‘last resort’ of a hacker. I guess for the press a catchy name like ‘Zero Day’, with its ominous sound, matters more.
This is not to say that there aren’t any sophisticated attacks. It’s just that hackers, not surprisingly, will take the easiest route. So, maybe it’s about time to change that admin password from the factory default setting…just a thought.
#4 – We have moved from Prevention to Detection and Response
This has been a theme over the last couple of years at RSA. Get over it, you can’t stop threats by putting up what you think is an impenetrable wall. No matter how hard you try, your systems will be compromised at some point or another, and your only hope is to detect as soon as possible that it has happened and to be set up to respond quickly and appropriately to reduce the amount of theft or disturbance. The latest software no longer represents a barbed-wire fence; it is more like a complex monitoring system that watches for unusual behavior, flags it, then brings in the blue-shirted guards to isolate it and make sure nothing gets out. The industry term for that last part is ‘reduce exfiltration’, which sounds so much more scientific than ‘stop them from taking your stuff out’.
I heard a well-respected cybersecurity analyst say that ‘banks using passwords for your account is security theater’, which is clearly hyperbole. He supported it by saying that banks have much more sophisticated (there’s that word again…) software that detects odd behavior in your account and that you can assume that someone already has your banking password. These cybersecurity guys are so depressing!
I believe you need software for Prevention (firewall, endpoint protection, web filtering, etc.) and should also be considering Detection and Response (ATP for APT, see below). The thing with Detection and Response is that it is quite expensive from a resource perspective. These tools generate a _lot_ of alerts, and you will need some expertise to analyze them properly and then more expertise to take the appropriate action. It sounds like there’s a great future for MSSPs (Managed Security Service Providers).
#5 – The Advanced Threat Protection (ATP) market is still very new
I spent a lot of time around this, because I wanted to learn and better understand if my company should be adding such a tool to our product portfolio. There is a lot of chatter out there about anti-virus being dead, although it seems that the actual intent was to say that ‘traditional signature-based anti-virus’ is dead. Basically, as the story goes, endpoint anti-virus is no longer enough and what you need now is Endpoint Detection and Response (EDR) or Advanced Threat Protection (ATP) because it helps with fighting Advanced Persistent Threats (APT, and yes, that’s acronym overload!). The new chatter ranges from pure marketing-speak to newly developed tools by very heavily funded startups. On the marketing side, it would seem that suddenly just about everyone’s security tool actually did advanced threat protection all along! You just didn’t know it, and they forgot to tell you.
The current size of the market is estimated at around $200M, but what has investors licking their chops is the possibility of it becoming the size of the existing endpoint anti-virus market, which is in the $5-7B range, either by gradually replacing it or serving as an enhancement to it. Speaking of which, I spoke with just about every single ATP vendor and asked whether ‘it replaces AV’ and the answers covered the full range. I also asked all traditional AV vendors about whether there was any ATP fairy dust in their offerings, and the answers ranged from ‘yes, already has it, we just didn’t make a big deal about it, till now’ to ‘we are planning to add it very soon’.
This made me think of the time about 10-12 years ago when Spyware was a big issue and a bunch of new anti-spyware companies emerged. What happened to them, did they survive? Well, while the technology survived, it was quickly engulfed by the major AV vendors, either by acquisition or by creating their own technology and beating the new players. This outcome is a distinct possibility for the current ATP vendors, something to consider if you’re looking to purchase or partner.
#6 – The IoT (Internet of Things) is going to be a security mess!
Think about it, billions of new devices suddenly on the Internet, being easily accessed and controlled remotely. The doorbell system hack got a lot of press, but what is the real problem here? The IoT is a veritable free-for-all, a completely new programming space that has attracted a bunch of new players and coders who have little to no experience with software security best practices. For these new players, security will be an afterthought early on while the focus is just to ‘get the thing working’. Secure coding is not yet embedded in the culture of these companies, so we see some completely novice security errors, starting with passwords being sent in the clear, ouch! It will take some time, and things will get better, but for the time being it will serve you well to be very paranoid about the latest connected IoT device.
Conclusion
RSA is a huge conference and cybersecurity is a major concern for us all. I have only scratched the surface of what was covered at the conference. Over the next few weeks I will delve a little deeper on some of the topics. Don’t hesitate to drop me a line if you have any questions or would like to find out more about a specific cybersecurity topic.