Embedded within all the noise, booths, FUD, and cackling pontificators at RSA there are quiet moments of greatness. Today, RSA showed us its soul. The sessions were a touch more pragmatic and the keynotes felt more anchored in reality. It took some time, but RSA is finally starting to embrace Amit Yoran’s call to action.

The first keynote, Zak Ebrahim, was a good warm-up. It reminded us that anybody can let go of the past, or the dark ages, and learn to change, grow, and mature. The next keynote, however, was outstanding.

Martin Roesch – Cisco/Sourcefire

We need more people like Marty in this business. He is the archetypal security leader: technically savvy, plain spoken, unassuming, and visionary. When Cisco bought SourceFire last year, many people (including me) feared they would sideline Martin and his team. It does not appear that is the case.

Martin’s call of “we must do better” hit the nail on the head. I could not agree more. Martin outlined three visions for security in the coming years:

Visibility Platforms

Marty challenged the industry to centralize all the asset information that exists within an environment and deliver true visibility into what is happening. We have heard the “one console to rule them all” principle before (namely from Symantec). However, SourceFire had this concept at least partially baked into their RNA platform. It’s a good idea, but nobody so far has been able to make it happen. With Cisco’s backing and Marty’s vision, this actually might be achievable.

See once, protect everywhere.

If malicious content is detected in any one place, it should be stopped everywhere, automatically. Again, this is not an entirely new idea. It has the feel of Cisco’s previous “self-defending network” nonsense from a few years back. However, Cisco now has some technology to actually make this happen, which they did not before. Again, this feels achievable.

Failsafes.

Marty’s last vision was one he admitted was controversial. In all fairness, it really is not that controversial. Failsafes exist everywhere. When we used to deploy in-line intrusion prevention systems, we always set a bag full of network connectors on top of the device. That way if the organization was freaking out about traffic being blocked, they could pull the cables that connect them together. It was a rudimentary failsafe, which saved a lot of finger-pointing.

This too seems doable. Whether organizations would actually implement it or not, that remains to be seen. However, the general concept is sound.

I feel weird writing this, but Cisco is relevant again in security. The ASA/Sourcefire integration is still a work in progress, and their endpoint product needs work. However, there is real vision here.

I must say, Marty has brought some serious credibility to Cisco. After a decade of scoffing at Cisco’s security products, when they bought SourceFire, even us cynics at Anitian were hopeful. Cisco seems to be making good on this acquisition, letting Marty and SourceFire be smart.

However, I did find out (from a shared contact) that Marty still thinks we sell gear at Anitian (we exited the VAR business years ago and now focus exclusively on services). Marty, we only sell the truth at Anitian. The truth is, you are doing an awesome job, so keep it up.

Into the Woods: Protecting Our Youth from the Wolves of Cyberspace

This panel discussion about online child predators was powerful. It poignantly underscored our need to do better. The harrowing tale of panelist Alicia Kozakiewicz was, to say the least, chilling. It made me reflect on why we do what we do. We are here to protect that which is sensitive, precious, and valuable. The world is full of hate, misery, and horror, and it is up to each of us to keep it away.

However, this session also made me reflect on what is so very wrong about RSA: the tireless self-promoting, self-indulgent, and self-congratulating culture of the technology industry. When you contrast the “look-at-me” attention sycophants with the selflessness of somebody like Alicia (who frankly has earned the right to be a bit selfish), it makes you want to give your Sophos socks and RSA hoodie to one of those poor folks huddled on the curb on Market Street.

I understand that the world is a rough place. Life may be a tale told by an idiot, full of sound and fury, but it sure as heck does not have to amount to nothing. Tweeting about hacking planes and tinkering with firmware in a Prius might be fun and all, but at the end of the day, who cares about that nonsense? This self-promoting hacker bullshit has to end. Either we are here to make a difference or not. If all you want is people to pay attention to you, then get off the stage.

We owe it to the next generation to deliver on the promise of the term next-generation. We owe them a world where people can innovate. We owe them a world where they can get the education they need to be great security leaders. We owe them a world where predators of all kinds are seen, tracked, and stopped before they exploit us.

Expo Floor

Got back to the expo floor. Checked out some booths.

  • Cisco – Nice booth. Does it ever end?
  • IBM – That is one big screen. Oh look, QRadar has a new dashboard.
  • Intel Security – Ditched the red, in with the blue, but what is it that you do?
  • Websense – Feel the Raytheon love.
  • Veracode – Shark officially jumped here.
  • Fortinet – That truck is pretty awesome. I never thought I would say this, but Fortinet outdid Palo Alto at the show. They also got traffic over to the far side of the hall. That made all those smaller companies over there happy.
  • Palo Alto – Wow. PAN was remarkably clumsy this year. Their messaging, booth, colors…everything felt dated. However, Nir Zuk was in the booth, +1 for that.
  • CheckPoint – Stop it. Seriously, just stop talking.
  • RSA Incident Response Booth – Where the FUD goes to eleventy-zippertillion megacats per parsec…or something.
  • Tripwire – Pretty swanky booth for a company owned by a 112-year-old cable layer.
  • Sophos – Socks were cute. Your products feel tired.
  • Huawei – What the hell was that brick façade thing? Look, you guys are decent and all, but most infosec people are immature kids who blame China for all their insecurities, be they intellectual, emotional, or physical.
  • Alien Vault – Okay, I admit it, this was a cool booth. On the other hand, the technology, meh.
  • NSA – I applaud your courage showing up at RSA. The enigma machine on display was a nice touch. Now, about those calls, I swear, I just wanted that Hello Kitty notebook for my daughter. We’re cool now, right? Please don’t take away my TSA Pre.
  • Accelops – I am liking these guys more and more each day. Their booth was pretty slick considering they are a fairly small company.
  • HP Security – Bleh.
  • OpenDNS – What is going on with this company? They are getting really cool, really fast. I love their product. And they had one of the better sessions of the show. Is there something going on we should all know about?

Interesting Companies

Talked to about 20 different companies. These are the ones that I found most interesting.

GuardiCore

They offer a threat detection product that interacts directly with the hypervisor to scan systems and network traffic. When I first heard this company’s pitch, I was not buying it. But something made me keep digging at them, and the more I dug, the more interesting this company got. They boast an agentless threat detection platform specifically for software-defined networks. Their product scans through the hypervisor and transparently redirects malicious traffic or files into an “ambush” system. Once there it can provide analytics on the The GUI is decent. On the down side, this company seriously needs to get their messaging cleaned up. While I understood their technology, it was only because I kept digging. Hire a marketing person, guys; I sense something really cool here.

Cybertinel

This is an endpoint security product. What caught me about this product was that they take malicious files and send them back to a scanning system for inspection. They claim to have “five powerful engines” to detect malware. They had “mathematical analysis” as one engine, which sounded decidedly Cylance-esque. However, I was struck with their novel way to handle a malicious file. They don’t delete it, they encrypt it and leave it there, so if you want to whitelist it, they just decrypt it and restore it to normal, kind of like a “friendly cryptolocker.” I like how their GUI breaks down all the criteria for how they score a file.

Okta

This is an identity management platform. Uses SAML for auth to cloud apps or managed usernames/passwords for those that do not support SAML. It seems like a solid platform to manage a disparate user base across multiple cloud apps.

Interset

I am not entirely certain I know what this company does, even after listening to them pitch me for a while. They sure do have a lot of buzzwords jammed on their site. They take in data, do something, then put it on a GUI, then…something? I sense a company that paid too much for their marketing.

TaaSera

This is a breach detection product. Sensor ingests network traffic, detects breaches. Connectors to AD help with attribution. Connectors to Qualys and Rapid7 can correlate vulnerability and policy data. Their GUI is a little clumsy and it is hard to see how they are really any different than all the other breach detection products.

Conclusion

I ended the day talking analyst stuff over a very expensive bottle of scotch. I have never been a scotch drinker, but I may be one now. Afterwards I met up with the Anitian team, who were all in good spirits. They were heading off to the Code Breakers Bash.

Come back this weekend when we will summarize the final day of RSA and the closing keynotes. Also, don’t miss our RSACUncensored Analyst Webinar next week. Keep watching our Twitter feeds, @AnitianSecurity and @andrewplato, as well as our hashtag #rsacuncensored.
