RSA 2018 – Chaos Engineering

April 19, 2018

If there is one thing RSA does well, it's chaos. However, this is partially because San Francisco is a giant, elegant, stinky, haphazardly-engineered cacophony of chaos. From the pungent weed clouds to the automated compute clouds, San Francisco has mastered chaos.

There has been grumbling that RSA should move to a larger, less expensive venue like Las Vegas. I do not think RSA would work there.

However, this year RSA was particularly messy. Moscone is still under construction and so is RSA’s messaging.

Keynotes – Tuesday

Tuesday is the day of the big keynotes with bold statements and big ideas. And this year, there was none of that. It started with the new RSA boss Rohit Ghai, who gave an upbeat, sports-cliché presentation that was devoid of controversy or insight. It was not that his presentation was bad, it just did not say anything new or innovative…you know, like RSA’s product roadmap. 

Next up was Brad Smith from Microsoft. Brad is still pushing this Digital Geneva Convention idea. It is a noble idea that is wholly disconnected from reality. Again, nothing wrong here, just nothing new.

Chris Young, whom I really wanted to say something profound, did not. He babbled on about airline hijacking and airport security. Never once did he mention the cloud.

Next, there was the perennial Cryptographer’s panel, which requires a PhD in Somnambulistic studies to enjoy. Again, nothing bad, just nothing new.

Lastly, we got Kirstjen Nielsen, US Secretary of Homeland Security. Her presentation was an ocean-wide, puddle-deep dump of banal platitudes delivered with the charisma and passion of asphalt. And her follow-up chat with that CNBC anchor was equally devoid of meaningful content. However, Nielsen made sure to remind us, multiple times, that the terrorists use the Internet. They hate us for our freedumbs, and porn. Maybe not the porn.

Sheesh. At least the opening rap-opera act was decent.

Walking the Expo Floor

Now, if chaos is what you want, nowhere does engineered chaos rule like the RSA Expo floor. Every year the noise and distractions inch skyward. The booths are following along. It seems there is a booth height arms race at RSA this year. Two, three, and four story booths are as common as hyper-perky sales folks.

Come along with me, and I will share my observations.

At the F5 booth, they are talking about “the SQL injections that can stop you cold.” As opposed to those other attacks that get you hot.

I noticed multiple companies had banners proclaiming their AWS competency. Give it a few more years, and RSA will be the AWS/RSA Conference.

Mimecast held an important looking meeting in a glass fishbowl conference room. It reminded me of clip art of pristinely attractive people having a “business meeting.” This is so important, we had to have our meeting right here, in front of all of you.

People, this is important. Tom, let’s hear about your big time important bigness.

Alienvault is back in earth’s orbit. In previous years they had an alien theme (imagine that) which only seemed to underscore their out-there approach to security. This year, it was about the moon landing. Next year, they may actually be down to earth.

Bromium has become a perennial target for my snark. Last year, it was a Breaking Bad themed booth with fake meth. This year it was Protect Your Genius with artistic renderings of people the likes of Albert Einstein and Abraham Lincoln. End slavery, redefine physics, application virtualization…yeah, all about the same.

The CISO of Lyft, Mike Johnson, noted on LinkedIn recently that a lot of vendors are using alcohol to attract people. He is right. The show floor was soaked with beer. What message are we sending here? Our products are only attractive when you are drunk? Is this the RSA version of “beer goggles?”

I wonder, are we that far away from free bong hits? Or maybe a “gentlemen’s pentest?” It’s got what plants crave.

Pls no boop Crowdsnek.

Occasionally, RSA booths inadvertently predict the future. Sentinel One and Crowdstrike were side by side at RSA this year. Sentinel One had a good looking booth with lots of content that completely overshadowed Crowdstrike’s booth. The contrast was striking. Where Sentinel One’s booth was bright, active, and modern (like an Apple store), Crowdstrike’s booth was dark, claustrophobic, and dour. Another curious thing about Crowdstrike: they have gone completely silent on the Democratic National Committee hacking they helped identify. Makes you wonder. I am just Putin it out there.

Why is everybody giving away t-shirts? I counted 17 booths with this gimmick. Do I need a t-shirt with a picture of myself?

Welcome to RSA, I love you.

Zerofox has the damn furries again.

Intel has managed to invent a poisonous shade of blue.

Exabeam is supergreen.

Whitehat Security had an ultra cheesy pitch man screaming “there are SQL injections out there!”

Watch me pull another round of funding out of my ass.

You know what else is out there, owls. Shiver.

Hey, a tip for all you booth presenters: if you end a sentence with “…right” or begin it with “we all know,” you sound unsure. For example, “we all know the SQL injections are out there, right?” Yep, just like those owls.

RSA booth had a work-simulator again. This was a dumb idea last year, and it did not get any less dumb this year…right?

Conclusion

Chaos engineering is where complex systems are subjected to unexpected or aberrant behavior to see how they react. Observers then analyze those reactions to plot out recovery and reaction strategies.

If all this sounds oddly familiar, it is because chaos engineering is the new “FUD.” Chaos engineering is all around us, from autonomous cars to venomous politicians. Companies and politicians are engineering chaos to force people into a “comfort response.” They fill up the airwaves with increasingly conflicting noise, which overwhelms people and pushes them into clinging to comfort.

Unfortunately, this is a grotesque misuse of what is supposed to be a scientific process. Chaos engineering is intended to be a scientifically oriented simulation to assess resilience and security of systems in a “non production” environment. It is not a marketing technique.

Which gets this blog back to my previous blog: Panic. When a big change is on the horizon, especially a change that may put you out of business (or office), it is not uncommon for those affected to resort to chaos. The security industry is creating chaos to distract us from the fact that all these NGFWs and SIEMs are not working. Fundamental change is needed. We believe that change is the cloud. And this cloud does not smell like weed.