Today was the first big day of RSA and it was big cliché on display. Everywhere it was one buzzword piled atop another buzzword. We had three keynote addresses, including the big guy himself, Art Coviello, President of RSA. Here are my day two observations, analysis and commentary. More after the jump…

RSA 2012 – Tuesday

The Buzz Words

Big Data: I think this means a pile of data that is larger than you can send in an email and more complex than something you can import into Excel. Whatever it is, it’s big, it’s important and it’s everywhere. Big data will change the world, ruin the world, fill up your hard drive and destroy the Death Star – ALL AT THE SAME TIME. It’s so big, and so massive and so totally great, you might have to give up your liver to manage it all.

Hacktivists / Hacktivism: Hacktastic, hackanistic, hackagsm, hackist? When people say hacktivism, they mean Anonymous or LulzSec. Sure, there are other hacktivists out there, but who cares about them. They don’t get media coverage.

Cloud: Seriously, I will punch the next person who tells me how cloud-savvy, centric or enabled they are.

Digital Natives: This was a term coined by Enrique Salem at Symantec to refer to young, hip people who use iPhones and spend the overwhelming majority of their waking time focused on themselves. You know, when I look at Mr. Salem, I think, “wow, there is a creative, insightful guy who can really define a generation.” He’s a short, balding, monotone accountant sitting on an 11 billion dollar pile of cash. He’s the voice of this generation.

Arab Spring: This is an important world event that is shaping the Middle East. Revolution and cries for freedom, democracy and social justice from long-oppressed and suppressed people are rising to the surface and changing the politics of Arab countries. And naturally, the high-tech industry wants to take full advantage of the media cycles and attach itself to this struggle. Because, you know, those Digital Natives complaining about their Pilates class cancellation on Twitter is basically the same as protesters reporting which towns are being shelled by the Syrian regime. Right, they’re both oppressed and both leveraging the power of big data.

Social: Everything is social. Security, IT, programming, government, weather modification, helicopter repair, water purification, edible underwear, China, firewalls, technical writers, Brawndo the Thirst Mutilator…all social. If you are not social, you don’t exist. Either get social, or get out.

The First Keynote – Sustaining Trust in a Hyperconnected World, Art Coviello, RSA.

The first keynote of the day was Art Coviello, President of RSA. It started out with a nice rendition of “You Can’t Always Get What You Want.” Lively song, good singer, everybody likes the Rolling Stones. Things were looking promising. Then Art opened his mouth, and it was all downhill from there.

First, he began with the concept of a world with no risk. Eh, okay. Not terribly insightful. He kept milking the “Can’t Always Get What You Want” theme. Then he recounted how big the Internet is and how we all depend on it. Really, Art. You mean the Internet is…big? No shit.

Then came the fear…rogue nation states, hacktivists, criminals…attackers are taking advantage of us. It isn’t just hackers – it’s adversaries. Art’s use of war and military terminology was unrelenting from this point on.

While there is nothing wrong with military terminology, it’s already overused and misused in information security. Information security and military strategy are not the same. While they may share some common concepts, I honestly think information security is more like what the FBI or CIA do. We gather intelligence, analyze it, and use that intelligence to smartly deploy defenses. The CIA does not battle attackers like an army. It gathers intelligence and then thwarts enemy activity through insight.

It was about this time that Art said “In my 17 years in this industry, I’ve never sold based on fear, and I’m not about to do that now.” I found myself uncontrollably blurting out “bullshit” which elicited a few giggles from the people around me. The entire presentation was nonstop fear mongering, war imagery, and militarism. Art, you are selling fear; plain and simple. When you use panic-laden words and war imagery, that is selling fear.

Using RSA’s own recent SecurID breach as an example, Art said how “people in our line of work have been going through hell,” coupled with a quote from Winston Churchill, “when you’re going through hell, keep going.” Again, these are fear words. Hell is not a place of reflection, analysis or thought. It is a place of panic, horror and misery. When people hear the word hell, they conjure up images of a horrible, terrifying place. And they want out, at all costs. Hell is panic.

Art babbled on and then brought up risk. He chided the community for not adopting risk-based methods of analysis and security. I perked up at this point. He is correct, risk analysis should be the core of all security practices. Art is back on track.

Then he blew it with a completely inaccurate definition of risk. He said risk was “the vulnerabilities you have, your likelihood of being targeted and the value of the target.” Wrong, Art. That is not risk.

As all you good security people know, risk is the evaluation of a threat, based on two components: probability and impact. Probability is not just the “likelihood of being targeted” but also the likelihood of an attack being successful. Moreover, impact is more than merely value. It is an expression of how a threat could harm the business, beyond just financial loss or devaluation.

From that point, I was done with the presentation and a little depressed. After 17 years in the security industry, it is clear that FUD still rules. Despite over a decade of security people yelling and throwing one tantrum after another about the needs for risk analysis, we still have the leading people in this industry unable to define the word risk, let alone actually understand what it takes to implement risk management.

The presentation then nosedived into the toilet, ending with a quote from Twisted Sister. Seriously, Twisted Sister? We went from the Stones to Twisted Sister? What, you couldn’t get the rights to a line from Vanilla Ice or Poison?
Whoever wrote Art’s presentation at RSA should hang their head in extreme shame. That was embarrassing.

TwC For Our Computer-Centric Society – Scott Charney, Microsoft

After that spectacle of fear mongering, I was hopeful for the next keynote. Scott Charney from Microsoft gave a sometimes dull, but informative presentation. It cited some decent examples, spent plenty of time touting Microsoft’s improvements, and gave some glimpse into the future of Windows 8.

Honestly, Microsoft has done a decent and commendable job making Windows safer. And they deserve a little respect and praise for this. Windows 2008 is a stable and relatively secure platform. We do a lot of pentesting, and consistently, Windows 2008 Server holds up well. The new concepts Scott discussed, like trusted boot, coming to Windows 8 sound very promising.

Scott is a lawyer, and boy does it show. He talks, looks and compartmentalizes like a lawyer. At times, this was borderline charming. He’s not the most dynamic speaker in the world, but he communicates clearly. His language was careful, clear but also solid.

One thing I did notice is that Scott understands the modes of persuasion. He used ethical, logical and emotional arguments almost in perfect sequence and precision. I would expect that from a lawyer. And I also respect that as a writer.

While he didn’t light the room on fire, he was by far the most reasonable of the bunch.

The Digital Native: Shaping Tomorrow’s Security Today

After a break and some awards, we got Enrique Salem from Symantec. This was an entertaining presentation, just for the sheer absurdity of it.

First off, the buzzwords and clichés were flying at warp speed. This concept of “Digital Natives” is just plain stupid. I get that idea that there is a generation that is constantly wired and demands access all the time. But the name “digital native” is humiliating and sounds racist. I kept thinking of those early Bugs Bunny cartoons with the Africans who were made up into racist caricatures with bones in their hair and such.

I do agree with Enrique that these goddamn Millennials, Gen Y, Digital Natives or whatever stupid name you want to give them are a huge information security challenge. But they are a challenge not because they like iPhones and Dropbox, but because they are selfish, entitlement-obsessed little brats who have been insulated from the real world by overbearing Baby Boomer parents. (Is there any mystery here that I am decidedly a Gen-X person?) The answer to this generation is not to design a security system that accommodates them, but to give them a big steaming hot cup of STFU. Gen Y does not need a cloud-enabled big data security framework, they need a lesson in reality. Reality like: you cannot text your BFFs all day at work. I do not think it is a wise business move to devote precious IT resources to accommodating Gen Y. Gen Y needs to learn how to accommodate reality.

Moving along, Enrique is also about as exciting to listen to as an air conditioner. He hums along at a snooze inducing monotone. He looks like an insurance salesman and sounds like one too. When he brought “guests” up on stage it was cringe-worthy.

First up on stage was the CSO for Facebook, Joe Sullivan. He looked like a surfer and sounded like one too. I pictured this guy eating a fish taco at a beach-side cantina while reading a pamphlet from Watchguard so he can get his CISSP CPEs this year. His biggest insight was how they removed the subject line from email. Dude, you just blew my mind. It’s like, gone, man. Whoa.

Next up was the CEO for Salesforce.com, Marc Benioff. I said in my Twitter feed he was a “thermonuclear cliché device with a 1.21 megaton yield.” That sums him up perfectly. And given the number of retweets I got, I know I am not alone in that assessment. This guy spoke thousands of words, and none of them meant anything. Seriously, you could have fed him a random series of words from the dictionary and it would have communicated more value. Salesforce.com is a perfectly good company with a useful technology, but here is some free advice to Salesforce.com’s marketing department – don’t ever let Marc speak in public again. Lock him in a room and let him pro-actively leverage his cloud-enabled Software-as-a-Service synergies alone.

I think I zoned out and checked email for the rest of the presentation, because I honestly have no other notes about it.

Cryptographers Panel

This was a panel of some well-known cryptographers. It was about as exciting as four cryptographers can be. I noted on Twitter that you could tell these guys were cryptographers because none of them could dress themselves. Their talk was a tad dull, but interesting. It felt like they had dumbed it down for the audience. I actually wish they had not done that. Cryptography is a fascinating science. Dumbing it down just denigrates its value. Yeah, sure, you would have lost more audience members if the guys went off on the calculus of cryptography, but it would have seemed more – real.

Walking the Floor

I spent some time walking the floor. It was about what I expected: lots of companies, lots of flashy booths, lots of people standing around in little cliques talking. I had a flashback moment to high school. Being a shy nerdy kid in high-school, I did not have a lot of friends and often felt excluded from the “cool kids” conversations. I had a similar feeling walking around the expo floor at RSA; lots of “cool kids” talking, unwilling to let in any outsiders.

I won’t comment on the booths other than this. I really like the “clean white” look that a few companies have adopted. Sophos particularly has a really good corporate look right now. Very clean, very simple, very white. It makes me think of the inside of the USS Enterprise, which I think is a good thing. Also, I am warming up to Microsoft’s squares motif. At first it seemed crude to me. But now that I see it more and more on their marketing, I like it. They are also reverting to simpler, cleaner colors. The whimsical colors of XP and Server 2003 are gone. It’s hushed blues, greens and pinks.

Oh, and while I am on the topic of pink. Check Point, your pink sucks. It is not a good pink. It’s a cotton candy pink. It makes me think of the toys my 4-year-old gets. Not something an enterprise company wants.

Kudos to Fortinet for putting a Ferrari in their booth. Nice touch.

Firewall Panel

I then attended the panel: Firewalls: Security Access and the Cloud – Past, Present and Future. This was a phenomenally boring panel. These guys had little to say other than to keep saying how “the firewall is dead.” I must admit, I ended up zoning out and taking in very little. Sorry.

I did notice two odd things. One, Nir Zuk from Palo Alto Networks was a no-show. The whole reason I went to that panel was to hear from him. Next, the most talkative guy was from F5. Excuse me, but F5 does not sell firewalls. Why are they on that panel?

Meetings & Receptions

Next I had a meeting with RSA executives. I won’t discuss the outcome of that meeting other than to say that despite Art’s lame presentation in the morning, I still like what RSA has and where they are going. I think that conceptually, they have the right ideas about analyzing intelligence. I just think they need some marketing help. I met their head of marketing in this meeting, and something tells me he is not going to be my next BFF. I was pretty hard on him.

Then I met with Allgress at their reception. What a pleasant time. I really like Allgress and I like the buzz and excitement that comes out of them. I spoke with Gordon Shevlin (Allgress CEO) and Dave Cullinane (CISO for eBay) for a bit. I really like where they are going as a company. I see a bright future for Allgress. Which is why I have invested heavily in their technologies at Anitian.

Next up was the partner meeting for Palo Alto Networks. They were very nice to me and quite supportive. They are a good company. Apparently, my Cult of Palo Alto Networks blog post caused quite a stir inside Palo Alto. That is good. I hope it made them think.

To their credit, Palo Alto did have really good food at their reception. The falafel and hummus were delicious.

It was a good way to end day 2 at RSA. Check back tomorrow night for my updates on Day 3. I will attend all the keynotes and some more break-out sessions. I am invited to Rapid7’s reception, which I have heard rumors is quite wild. I am not much of a partier, still being the shy nerdy guy. But, I have to see how rowdy it gets.

Andrew Plato