Tuesday is the big day at RSA. The keynotes begin, the sessions ramp up, and the expo floor buzz hits maximum. Among all the bright lights and big ideas emerges a troubling reminder of RSA’s dark side.
The RSA Conference is both the creator and the child of its own sensationalist noise. This infinite regression problem consists of speakers who promote fear, uncertainty and doubt for attention, and attendees who voraciously consume whatever FUD you give them. This of course inspires more FUD, perpetuating the Circle of FUD.
However, FUD got a kick in the pants this morning. It started with the opening keynote.
Escaping Security’s Dark Ages – Amit Yoran Keynote
All eyes were on the opening keynote to set the tone for RSA 2015. It began with a stark visual statement: darkness. Amit voiced over that it was natural for humans to fear the darkness. Oooookay, sure, let’s go to the dark place.
When Amit revealed himself, he made another bold statement: I am not Art Coviello. Unlike the dapper Coviello, Amit was dressed in a sport shirt, jeans, and a scruffy beard. He looked like a developer, not a CEO. Message received loud and clear: RSA and its eponymous conference are under new leadership. I like this conference; it’s exciting (so far).
What transpired was a TED-like talk on how the information security community is fumbling around in the dark, trying to use outdated maps to navigate a landscape that has changed. Yeah. I’ll buy that for a dollar.
Then the big kick hit: “The largest enterprises with the most sophisticated, ‘next-generation’ security tools were not able to stop miscreants from making off with millions of dollars, personal information, and sensitive secrets and damaging reputations.” Finally, somebody with a voice gets it. Amit’s use of the word “next-generation” was daring. He took aim at the Palo Altos of the world who keep pushing gear on organizations that have neither the capability nor the maturity to handle its power. You had me at those eyes in the dark, Amit.
Amit continued the assault on the status quo with a multi-vector attack:
“First, let’s stop believing that even advanced protections work.”
I’d counter that they do work, when they are used effectively. Most organizations simply do not use them effectively because they fail to budget for the staff, time, and resources needed to run them at an optimal level. However, this point is reasonable.
“Second, we must adopt a deep and pervasive level of true visibility everywhere – from the endpoint to the network to the cloud.”
A good point, but also highly dependent upon organizations actually being able to see what is going on. Still, these are messages practitioners need to hear.
“Third, in a world with no perimeter and with fewer security anchor points, identity and authentication matter more than ever.”
Okay, that is a sales pitch for RSA’s new products, even if he is correct. I still prefer CyberReason at this point.
“Fourth, external threat intelligence. This is a core requirement as well.”
Meh, this is a weak point. Yes, it is important; however, without context that ties that data to your own environment and assets, it is largely useless.
“Lastly, you must understand what matters to your business and what is mission critical.”
Rock on! That’s risk assessment. Real risk assessment, not the risk-as-a-service tomfoolery of checkbox auditors. It was supremely refreshing to hear a major player like Amit promote good risk management techniques. Let us show you RiskNow, Amit.
Amit wrapped up his keynote address by reminding everybody that this is not a technology problem, but a mindset one. Again, we would argue that it is not a technology problem, but an organizational one, or more specifically, a people problem.
This was a great keynote. One of the best I have seen at RSA in a long time. This Amit guy is the real deal. I was inspired.
Now can his company and its conference follow his lead?
Charney, Young, & Gandalf
Up next was Scott Charney from Microsoft, and then Chris Young from Intel Security (McAfee). They both delivered unremarkable keynotes, albeit fairly technical. Charney was surprisingly dry this year.
These did not follow well from Amit’s presentation. They stood out as stiff and reminiscent of the past. Speaking of the past…
Then we had the ever-thrilling Cryptographers’ Panel, where Gandalf and the Hobbits come out to discuss the finer points of how to deliver your encryption keys to Sauron. (It does not work, we discovered.)
This whole run really felt like the old RSA Conferences of past years, not this new vision Amit delivered earlier.
Jeh Begs for Help
Then, to make things extra awkward, RSA trotted out Secretary of Homeland Security Jeh Johnson. Jeh begged us all to come help out government. Yeah, how about no, Jeh.
Innovative security people don’t work for the government, not because it pays poorly as some have suggested, but because the government cannot appreciate innovative ideas. Moreover, government RFP practices are incompatible with smaller, innovative companies. Why should they spend valuable resources navigating the complex bidding process, only to be turned away in favor of cookie-cutter, low-value solutions from contract mills and checkbox auditors?
Furthermore, great security people demand an organizational culture that embraces innovation. That was the whole message of Amit Yoran’s keynote: we must try new approaches and tear down old practices. The government cannot provide such an environment. Government environments are too slow, too process-centric, too risk-averse, and too petty. They repel innovative security ideas rather than embrace them.
For example, at Anitian, we (mostly) stopped working with government entities. We became fed up with explaining our innovative security techniques to government bodies who reject them because they do not understand them. I know many other CEOs of innovative firms who feel the same way. Why waste time with the government, when commercial companies have bigger budgets, frictionless contracting, and are receptive to new ideas?
Jeh, you want smart security people? Then you need to change government culture to embrace new ideas. Yeah, good luck with that.
The FUD Sessions
After spending some time catching up with Adam Gaydosh, our Director of Professional Services, it was off to the first sessions. I was eager to see if the sessions aligned better with Amit’s call to action.
I quickly discovered that Amit’s new RSA vision did not filter down to the people selecting speakers this year. They were FUD, all the way down.
The first session was Hacking Exposed: Next Generation Attacks with the Cylance guys. The big “next-generation” hack they exposed was this thing called “phishing” using a new communications technique called “email.” Seriously, this was a stupid presentation. The laptop problems they had just underscored the amateur feel.
So I jumped over to The Big Hacks, Malware and Exploits of 2014 and What is to Come. Unbelievably, this presentation was worse. Set aside the fast-talking, hand-waving, and ludicrous overacting of the Sophos guy. He actually spent 10 minutes bragging about his awesome hacking skills with rogue wifi access points. Are you really this stupid? Is anyone? Maybe I’m just a jaded 20-year veteran, but it’s insulting that RSA would put such an immature person on stage.
Here is the problem: this obsession with hacking and attack tactics is out of hand. RSA, you are on notice, it’s time to stop this insanity. The RSA Conference needs to reduce the number of sessions devoted to hacking by 95 to 99%.
Here is why:
- Immature: The overwhelming majority of these sessions are amateur-hour brag-a-thons. They do absolutely nothing to promote good practices. They are all about the speaker promoting him- or herself.
- Sensationalist: All of these sessions focus on attacks that are defeated by the same thing: good security fundamentals. As such, they are merely there to incite emotion, not promote improvement.
- Distracting: These sessions distract practitioners. Attributing an attack is largely pointless. Who cares who did the attack? We must stop the attacks themselves. When practitioners are distracted with this stuff, they forget to practice good security fundamentals.
- Outdated: Did any of you actually pay attention to what Amit said? I guess not.
RSA, no more hacking sessions. That’s it. RSA 2016 needs to be about answers.
Fortunately, my faith was restored in the next session. I listened to Andrew Hay and Thibault Reuille from OpenDNS on Majority Report: Making Security Data Actionable (and Fun!). This was a super nerdy, technical presentation on visualizing complex, related data. It was fascinating. They showed off the visualization capabilities of OpenGraphiti, an open source data graphing tool. However, they also spent time talking about things like math, learning theory, and the scientific method. Whoa! Rational, scientifically minded people presenting compelling ideas based in real research…what the heck is this doing at RSA?!?!
Now, this is why I come to RSA, to see presentations like this: smart people with interesting ideas. RSA, more of this, less of that hacking crap.
Bruce Schneier – Security in the Age of Catastrophic Risk
Bruce is an institution at RSA. His presentations are typically thoughtful meditations on privacy, risk, and security. He has distinct opinions and is not afraid to share them.
While this was not his best presentation ever, it was still engaging. His core point was that attack attribution is very difficult and largely pointless. He used the Sony hack as an example of a big, splashy attack where nobody was sure who actually was responsible. However, does it really matter? It’s a done deal now, and the bigger issue is what to do to prevent similar attacks in the future.
However, we did find out how sad George Clooney was about his last movie flop.
Sometime during RSA, a new threat intelligence firm emerged: ThreatButt. It was just the hilarious spoof we all needed. Check it out.
Spent a little bit of time on the expo floor. Impressed to see Nir Zuk at the Palo Alto booth. I cannot fault PAN for working hard to convert more of the unfaithful. They were calling UTM all sorts of names; nothing new there.
There were cookies at the Qualys booth. I took two. Looks like I picked the wrong week to diet.
After that, I had a meeting with some folks at Rapid7. Thanks for the yummy Mexican food and good conversations.
Today was a sad reminder that RSA has still not kicked its debilitating addiction to FUD. It breeds, nurtures, and adores FUD, even while trying to dispel it. If RSA is really going to follow Amit Yoran’s new path out of darkness, it needs to commit FUD-icide. Speakers must focus on answers, not more frothy sensationalism about hacking. Sessions need to be about real ideas, not just thinly disguised hucksters acting like immature hacker kids.
We need to embrace new ideas, which means pushing ourselves outside of our comfort zones. It also means rejecting the old ideas, which clearly do not work (and never really did).
Tomorrow will be interesting. Perhaps the FUD ends, somewhere. Hopefully before the RSA convention does.
If you want to yell at (or hug) the Anitian team, don’t miss our reception at Jamber, Wednesday night during the pub crawl from 5:30-8:30 PM. E-mail email@example.com for more information.