Wednesday is when RSA throws it all at you. Want to discuss analytic learning theories? You got it. Want to listen to nuts froth about cyberwar? Done! Like the word blindspot? We got plenty of ‘em. Want to watch a 9-year-old kid erase a billion dollars in value from Juniper Networks? Done and done.
Hump day at RSA is energetically depressing. On the one hand, there is a little bit of everything and it is shoved at you with the zeal of a coke-fueled, Twinkie-hoarding lunatic. On the other hand, it is a cynic’s paradise. Our team struggled to restrain our snark and remember that for most people at RSA, this is one big snarking party.
RSA likes to change things up on Wednesday. The breakout sessions are held in the morning and the keynotes in the afternoon. Where Amit Yoran’s presentation on Tuesday was a high water mark for RSA, Wednesday was a drought.
Diana Nyad – Never, Ever, Give Up
At age 64, Diana swam from Cuba to Florida. That is an amazing feat. When she first came on stage, I opened up a few extra tabs in Chrome expecting to tune out the content. However, I was quickly captivated.
She spoke in great detail of the unbelievable challenge of swimming such a long distance and in dangerous waters. The physical and mental exhaustion were extreme. So much so that Diana failed many times at this swim. Along the way, she had a core set of people who believed in her, as well as a lot of people who did not.
The parallels between Diana’s swim and the Herculean task of defending a complex enterprise were fuzzy. However, for me, I connected with her story because it mirrors my own struggles of owning a business. Failure is part of the journey on the path to success. Giving up is simply not an option. Or as my dad said: perseverance furthers (a quote from the I Ching.)
The real message here for security people is to never allow failure to stop you. Hard things are worth earning. This was inspiring. Also, in addition to swimming long distances, Diana can sing. Maybe the Wednesday keynotes would buck the trend and be hits.
Christofer Hoff – Juniper Networks
This keynote may go down in RSA history as the most cringe-worthy train wreck ever. Christofer wanted to talk about the security people of the future. So, he wheeled out a server rack to reveal a 9-year-old kid, Reuben Paul. It was a novel idea that crashed and burned badly. The hacking demo did not work, and the whole thing rapidly devolved into something you might see at a low-rent IT trade show.
There are numerous conclusions to draw from this epic fail.
- Juniper not only makes weak security products, they make weak keynotes.
- FUD accomplishes nothing.
- Stunt hacking is stupid. It is a selfish act and provides middling value to the audience.
- Live hacking demos are boring. Unlike the movies, real hacking is rather mundane.
Admittedly, I feel sorry for Christofer. I know he meant well. His message was not lost entirely. The next generation of security people is coming, and they are not beholden to the ways of the past.
Nevertheless, while the future of security might be today’s young hackers, let’s hope they are smarter than the marketing people at Juniper.
Art Gilliland – HP Security
Art was boring, said nothing insightful, and…eh, I am not even going to finish this thought. Take a baseball bat to all your HP security products and pound them into scrap. Why is this company still doing security?
Amit Mital – Symantec
Old Yellow is showing the strains of their perpetual reorganizations. Amit attempted to explain how “Moneyball” big-data analytic techniques can solve security problems (like selecting which security vendor to use.) Amit made good points, but his hypothesis assumes that baseball data and security data are comparable. They are not.
Baseball data is, mostly, objective. If a player hits a single, that is an objective fact. Likewise, any statistical analysis of that data would be scientifically valid, because the data has a high degree of accuracy. The whole point of Moneyball was that the Oakland A’s did rigorous statistical analysis to locate players with specific strengths, so they could coalesce that into a high performance team.
Security does not work that way. Security data (alerts, events, etc.) are notoriously unreliable. Consequently, any analysis of unreliable data leads to unreliable conclusions. This is why security teams must have skilled practitioners who can assess the quality of data and conclusions.
Like the Juniper disaster, and the HP snoozefest, Amit’s presentation also says something about his company: Symantec is basing their business on flawed assumptions. They are still stuck in the old Symantec ways of milking renewals out of their clients. Much in the same way security data is unreliable, so too are Symantec’s products and future. Symantec cannot seem to reorganize the mediocrity out of their business nor can they extract any kind of vision from their Moneyball analytics.
Our advice to Symantec is that it is time for dramatic action. We suggest Symantec merge with Intel Security (McAfee) and do some Moneyball analytics on the shared library of products. Cherry-pick the winners (like Vontu DLP and ePO) and send the weak products to the showers. In 18-24 months with some hard work, a unified Symantec/McAfee might actually win a game. It may also explode into a giant white-hot ball of fire. Either way, it would be a hell of a game.
Andrew McAfee – The Second Machine Age
Andrew McAfee rode in a driverless car. His comment was that it was sheer terror at first, but that gave way to boredom. So, we can all look forward to boredom in the future? Thanks Andrew. Maybe you need to Moneyball your futurism with Reuben.
I was only able to get to a few. However, they were pretty good. While Wednesday might have the B-list keynotes, it has some of the A-list sessions.
My first session was fascinating, if a bit dry. Be like Water: Applying Analytical Adaptability to Cyber Intelligence from Jay McAllister of the Software Engineering Institute.
This was another example of the kinds of presentations RSA needs. An intelligent researcher presents some good ideas on how to train people to analyze data effectively. Great stuff.
The next session was on security journalism starring:
- Dan Hubbard – Chief Technical Officer, OpenDNS
- Brian Krebs – Investigative Reporter, Krebs On Security
- Joseph Menn – Technology Projects Reporter, Thomson Reuters
- Kevin Poulsen – Contributing Editor, WIRED Magazine
- Nicole Perlroth – Investigative Reporter, New York Times
It was a fun session. I went because I wanted to hear other security writers muse on our craft. I asked the panel if they thought reporting on attacks actually begets more attacks. Menn definitely felt it did and that it was part of the reason why many outlets have stopped reporting on hacktivists, since it just encourages them to do more of it.
The last session I attended was on intelligence sharing. Yes, we should share intelligence. Many companies do. For example, Fortinet, Palo Alto, and other competitors have begun to share their intelligence data to better serve the whole industry. Good. Keep that up.
On the expo floor, it is mayhem. In the center of the floor, there are the big booths, bright lights, noisy presentations, and superficial pitches. As you move out toward the edges, the booths get smaller, the companies get more specialized, and the innovation increases. Cool things happen on the expo floor fringes; noise happens in the center.
Caught a few interesting companies.
This is an endpoint, user-monitoring product. When a policy is triggered, it does a video capture of user actions. It spools those to a server for review and even interaction. It is similar to Raytheon’s SureView. I really liked this product. It is simple, but effective. For what seemed to be a smallish company, they have a pretty sizable customer base as well.
A cloud app management product. Having to do full proxy creates architectural problems. They are a solid SkyHigh networks competitor.
Threat intelligence feed. Okay GUI, weak pitch, strange name. Source of their intel is suspect. Source of their clients is even more suspect.
Threat intelligence feed. Fair GUI, weaker pitch, stranger name. Source of their intel sounds like bullshit. Between this and Blueliv, Threat Stream and iSIGHT are both stronger.
This is an attractive mobile authentication platform. Use an app on your phone to scan a code and get access to a site—VPN, PC, whatever. The demo is cool. They also claim compatibility with Apple Watch…sure, okay. Reminds me a bit of Ticto from the Innovation Sandbox. They have a respectable set of authentication connectors. I liked this company.
I have been watching these guys for some time. They have a respectable data analytics product that can ingest log data and then produce attractive reports. Their new product, Hawkeye G, is a full-featured endpoint and network analytics and remediation product. However, they win big bonus points for having a path for full remediation automation and a GUI that is clean. This company is going after some key criteria for a full Security Analytics platform as we defined it in our previous blog entry. This company is going places. I just hope they are not yellow places, if you get my drift.
Anitian had our reception event tonight. It was a huge success. We filled the “Wine Pub” Jamber with a mixture of friends, customers, and technology executives. Thank you all who attended.
It would not be RSA without some new buzzwords. Here are some we keep hearing, and our take on each:
- Blindspots: They are everywhere and they are full of malware, hackers, exploits, vulnerabilities, ticks, fleas, mites, ants, and boogers.
- Threat Intelligence: It is like a unicorn that craps ice cream; you want it, but have no idea where it comes from or how to handle it.
- Next-Generation: Something that gets praise, attention, and sales regardless of quality, capability, or experience.
- Machine Learning: Automating security to the point where the CISO can just stare at a giant green dot on a dashboard all day.
- Analytics: Making somebody or something else tell you what to do.
- Risk Management: Determining the density of excuses necessary to avoid the appearance of negligence.
- SIEM: An expensive and largely useless technology that consumes data and produces headaches.
- Raytheon: A cool new security start-up that has a trillion dollar development lab in its garage.
I cannot help thinking about Christofer Hoff’s keynote disaster. Juniper is no small company. They have immense resources and Hoff is a smart guy. Despite all his plans to communicate to us, he failed. Security is like that. It does not follow predictable patterns. You have to be able to think on your feet.
My generation is cynical. Born in 1969, I am GenX and we are stuck between the selfish Boomers and the selfish Millennials, which breeds cynicism. It makes us scoff at the foibles and mistakes of others. We stick our snoots in the air to proclaim “can you believe that!” “Look at what those stupid users do!” “They did not even encrypt their data!”
It could have been any of us up there with Christofer. Just like it could be any of us standing tall before a leadership team, as Brian Krebs reports on a huge breach at our company. Our generation needs to get off the ice-cream-crapping unicorns we believe we have bred and remember that all of us are on some journey. All of us have failed and will fail sometimes. All of us are learning something. It is easy to sit in the audience and chuckle at the misery of others. It takes real courage to put ourselves in others’ shoes and empathize with them.
If we are ever to make security work, we need to get off our ivory towers, stop lecturing, frothing, and spreading FUD, and be helpful. The world needs great security leaders and we cannot build them if all we know how to do is put down people.
I am sorry for making fun of your keynote, Christofer. I heard your message. Oddly, it came through loud and clear.