Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

2/17/2017
02:21 PM
Curtis Franklin Jr.
Curtis Franklin Jr.
Curt Franklin
50%
50%

RSAC 2017 in 4 Words

The big news and trends from RSAC 2017 can be summed up in four key words: visibility, IoT, partnership and automation.

The RSA Conference (RSAC) in San Francisco is one of the year's largest gatherings of security professionals, with a reported attendance of more than 45,000. From three-letter government agencies to startup security vendors taking the first step toward their big cash-out, the exhibit floor is filled with technology and services while enterprise security professionals, CISOs and security researchers of varying levels of respectability roam the aisles and fill conference seats. It's a good place to be if you want to get a feel for the big concerns and issues in the computer security space.

Every year, attendees and journalists are asked about their impression of the show. It's a shorthand way for people who aren't in the security field to ask what they should be afraid of, or what they should know about computer and network security. This year, there are four words that seem to be part of almost every conversation: booth presentation and sales pitch. Each contains, in its own way, information about the status of the security field in 2017.

What are those four potent words? Listing them is easy: visibility, IoT, partnership and automation. When you look inside those words things get more challenging -- and much more interesting.

Visibility
The impression gained in many conversations here is that CISOs, and IT professionals in general, have but the faintest idea of what's truly happening on their networks. The level of ignorance about how many devices, what sort of devices and how many cloud services are playing on the enterprise network is profound. Why is there such a high level of ignorance? On that, opinions vary, though the explosion of IoT, the continuation of BYOD and the economic power of shadow IT are combining to make the enterprise network such a dynamic place that it's difficult to know just how many devices are attaching at any one time.

Most of the researchers I spoke with at RSAC said that the IT group consistently under-counted devices by anywhere from 50 percent to 150 percent. It's not that people think that these are malicious actors lurking about on the network and waiting to attack -- it's just that each employee now represents somewhere around 3.5 connected devices and few physical systems (think HVAC and physical security) come without many more devices than are plainly visible.

What everyone agrees on is that knowing your network is the first step in protecting your network. The lack of visibility is a huge piece of the security deficit felt by many organizations today.

IoT
Not to get all Socratic Method here, but the first thing you have to do is define "IoT." Is it all the Fitbits walking around on employee wrists? The POS terminals and thermostats in your retail outlets? The process control systems in your manufacturing facilities? All of the above? Something else entirely?

The answer, of course, varies with precisely who's doing the defining. And the nature of that answer will go some way toward explaining the visibility problem already mentioned, and toward rationalizing the CISO's attitude toward protecting the IoT.

IoT security starts with the understanding that the industrial IoT and consumer IoT are two very different things that place very different demands on enterprise security. It continues with the firm knowledge that many techniques used for securing computing endpoints aren't possible with the IT; watching traffic to and from IoT nodes may be the only way to monitor, analyze and protect IoT devices from criminals -- and the rest of the internet from the botnet trying to use IoT devices against others.

Partnership
It seemed that every company on the expo floor at RSA was eager to talk about APIs -- how their API was being used by other companies, and how they were eagerly making use of APIs to bring capabilities from other companies' products into their own. At least for this year, the spirit of cooperation was in the air as each company wanted to show that they were more open and cooperative than the next.

It's important to remember, though, that an available API is only part of what's needed for a complete security infrastructure. Someone, somewhere, has to use the API to integrate two (or more) components into the solution for a security problem. In an interview with Light Reading, David Ulevitch, vice president and general manager of security business for Cisco, said, "People don't want the potential of APIs, they want the results of integration. The number of customers that harness APIs is much smaller than the number of customers taking advantage of integration."

Put another way, everyone recognizes that enterprise security is complicated and security vendors are reluctant to over-promise capabilities. An emphasis on APIs and integration means that there's at least the possibility of taking a "best of breed" approach to building a security solution. Actually getting there? Well, enterprise security is still complicated.

Automation
Security threats move at lightning speed and humans are ill-equipped to keep up the pace. That's why automation is the fourth word describing this year's RSAC. In truth, automation is a broad word that encapsulates at least a couple of other concepts. Some companies will tell you about the AI used in the product while others use the phrase "machine learning" to describe what they do. In either case, the impact on the customer is the same.

When security components can collect data, perform analysis, decide on a course of action and then take action without involving humans, then there's the possibility of responding to threats before they can cause damage. Both enterprise customers and security vendors want security systems that successfully deal with the vast majority of security incidents without ever involving humans, leaving analysts and administrators to deal with outliers, marginal cases and truly novel situations.

Five days, 45,000-plus people and four words; the story of RSAC 2017 in the tightest of nut shells.

— Curtis Franklin, Security Editor, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23631
PUBLISHED: 2022-01-21
This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as a converted PNG file.
CVE-2021-23664
PUBLISHED: 2022-01-21
The package @isomorphic-git/cors-proxy before 2.7.1 are vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization and validation of the redirection action in middleware.js.
CVE-2021-40595
PUBLISHED: 2022-01-21
SQL injection vulnerability in Sourcecodester Online Leave Management System v1 by oretnom23, allows attackers to execute arbitrary SQL commands via the username parameter to /leave_system/classes/Login.php.
CVE-2021-23460
PUBLISHED: 2022-01-21
The package min-dash before 3.8.1 are vulnerable to Prototype Pollution via the set method due to missing enforcement of key types.
CVE-2021-23518
PUBLISHED: 2022-01-21
The package cached-path-relative before 1.1.0 are vulnerable to Prototype Pollution via the cache variable that is set as {} instead of Object.create(null) in the cachedPathRelative function, which allows access to the parent prototype properties when the object is used to create the cached relative...