Tuesday is when RSA spools up the blowers and really lays down the power. You can just feel the air start to crackle with buzzwords and blowhards. The “woo woo girls” show up and begin to populate the booths. The celebrities come out and fire up the tweets. The U.S.S. RSA Conference has left dry-dock and is free and clear to navigate. But, does this ship deliver the goods? Should I accept the mug of RSA Kool-Aid and join the space hippies as they warp off to the land of Big Data?
We Are the Champions, Art Coviello Keynote
It all began with We Are the Champions, and a long blathering attempt to belabor an analogy from RSA’s Art Coviello. Art doubled down on Big Data in a big way. We get it Art, there is a lot of data out there. I cannot help feeling like we are handing over all of our critical thinking to gigantic databases full of logs. Why think, when you can just funnel it all through a Big Data engine which poops out the answer? I think there is a Twilight Zone episode that warns us of handing our lives over to a computer.
Nevertheless, Art made some good points. We are awash in data. And there is a lot of insight in that data. There are new tools coming to help us pore through all this data and make sense of it. This is all good.
Then Art poured on the fear. I am actually going to give him some slack here. The attacks of nation states are getting pretty serious. And the friction this is causing on the economy is significant. There are a lot more attacks, they are a lot more serious, and they are doing more damage. Mostly, nations have really started to fund these efforts.
It is scary. Then Art went somewhere interesting. He talked about the “PR Gap” between the reality of attacks and the FUD marketing and media sound bites. After some reasonable explanation of the issues, he went right after some answers. He used Abraham Lincoln for historical context on the issue. Nice touch, Art. Lincoln was a truly great leader, and offers a lot of inspiration.
Art went into an RSA sales pitch after that. I was fine with this because RSA, for all their faults as a company, does have the right idea about intelligence-based systems. After that Art went into a discussion about the concept of antifragile, derived from the book Antifragile: Things That Gain from Disorder by Nassim Nicholas Taleb. This is a fascinating concept. Basically, Antifragile says that systems need to be adaptable and reactive. Able to identify and respond to attacks dynamically.
The presentation then described the next generation of analytic tools. He also underlined the importance of integrating these tools with each other. Then he gave specific guidance on what security practitioners can do to transform their organizations. This was a lot of sales pitch, but the core message was very good. It talked about building integrated platforms and analytical abilities internally. These are all good messages. I’m glad to see RSA is catching up to what we have been saying at Anitian for years.
I was really impressed with this. This was actionable. It was not fluffy garbage. It made some specific recommendations.
Ending with a quote from Lincoln and some rousing “big datas,” all in all, it was a pretty good keynote. It was more specific and actionable than last year and was grounded in some effective reasoning. Mostly, it did not overplay emotional arguments. It balanced rational, emotional and ethical arguments quite nicely. As an English major with a degree in rhetoric, I appreciate this. Art finally got a speech writer who was educated in the modes of persuasion.
I am persuaded. Give me my mug of RSA Kool-Aid.
Scott Charney, Microsoft TwC
Next up was Scott Charney from Microsoft. It started with a dippy, but mildly entertaining fake newscast that ran down the history of cryptography and information security. His presentation was on the case for optimism. He ran down all sorts of successes we have had. This was not the most compelling presentation, but it was nice to see somebody talk in a positive way about security. I also like that Scott grounded his presentation in the value of trust. We need to be able to trust certain people and systems. Trust has a speed and efficiency that modern business and innovation demand.
Scott’s presentation was pretty technical as well. One of his first examples was on trusted boot capabilities in Linux and Windows. However, it almost got too technical. As the presentation wore on, it was all good content, but lacked life. Mr. Charney is clearly a smart guy; he just has a really dull personality. What he lacked in personality, however, he made up for with solid content.
Francis deSouza, Symantec
The next presentation was from Francis deSouza of Symantec. This was a watershed year for Symantec. After years of malaise (see Analysis of Symantec 4.0), Symantec fired their limp noodle CEO and charted a new path. This presentation was the first public evidence of this new direction.
Mr. deSouza was interesting, engaging and even inspirational. He cited specific cases inside Symantec and what can be learned from them. It was impressive to see Symantec back in the security industry. Mr. deSouza revealed that Symantec has evidence of Stuxnet as far back as 2005. He described how criminal organizations outsource their efforts to developers and money mules.
At the end, he made a promise that Symantec will deliver more innovation, deeper partnerships, and pre-integrated products. Okay, I am sold. Now do it. I have heard the integration promise from Symantec for years. You promised innovation, now deliver.
Honestly, I am impressed with Symantec. I think they may actually be coming back from the brink. This is very encouraging.
I hung around for the Cryptographers’ Panel. The big concept this year is the “end of cryptography.” I think this is a ways out. However, I am impressed by how much cryptographers look like wizards.
I walked out of the keynotes feeling pretty good. The messages were sound and solid.
Breakout Sessions
After that I attended a variety of unremarkable sessions. One was on Big Data for the CISO. It was okay. The primary takeaway from that was the idea that companies need two kinds of information security practitioners: “hunters” and “farmers.” Farmers monitor data and harvest information from the environment (I would consider this a SIEM operator). Hunters are the analysts who ask big questions and challenge the environment to respond to these questions. I really liked this idea, but I could see it being tough for smaller organizations to adopt.
My next session was on Third Party Breaches. The panel was pretty dull, but there were some really good nuggets of wisdom here. The key message was that you need to hold third parties to specific information security standards. David Chavez defined four things you need in all third party contracts: indemnification, assurances of security (and compliance), agreement on third party security partners, and a framework for notification and monitoring. It was good to hear this. Both PCI and HIPAA have specific requirements around contracts with third party vendors who have access to in-scope systems or data.
One other thing I learned: apparently everybody uses Splunk and loves it. I did not see that coming.
Out On the Fringes of the Expo
I walked the expo floor for a little bit. I like to immediately dash off to the “sides” of the hall where the smaller, “up-and-coming” companies reside. I have heard McAfee’s and Cisco’s pitches a million times and do not need to register for the free “spam you to insanity” contest for an iPad. Out on the fringes of the floor are some interesting companies.
What did I find out here? A whole thriving world of GRC companies! Holy standards mapping, Batman, where did all these GRC companies come from? A few years ago, GRC was something you still had to define at an ISACA meeting. Now, there are at least a dozen GRC tools. These tools offer reporting, analytics, risk assessment, and a whole host of governance functions. Some of them are really, really interesting. I have been working a lot with Allgress in the past year, which is a great GRC platform. But this market is exploding. Take note, Allgress and Archer: you have many competitors gaining on you. I may have to write a specific blog entry about this at a later date.
Suffice it to say, there are a lot of analytical and risk assessment tools coming out. This underlines, in big thick marker, our message at Anitian of Rapid Risk Assessment. With these new tools, and the aggressive methodologies we have built at Anitian, we can reduce risk assessment down to days, or hours, not months.
There is one other nice benefit of the fringe: no “woo woo girls.” That is, no scantily clad women acting like they are my friend (screaming “woo woo!” at everything). Seriously, it is time to end this sexist relic of conferences past.
This was not a blow-away inspirational day at RSA. But it was solid “meat and taters” content. The messages I heard and the discussions were all solid. I do not feel like I took home any huge whoppers, but I do not feel cheated either.
I ended the day with a client meeting. It was a good dinner with a long-time client of Anitian. Even better, the Allgress guy paid. Thanks Brandon!
The most exciting thing is all these GRC tools. I am going to be doing some serious follow-ups on those.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com