Aaaand here we go. RSAC 2017 is ready to shower you with all the stupid you ever wanted. The first day often sets the tone for the rest of the show. This is not looking good. RSAC 2017 may have what plants crave, but your SOC needs this Not Sure Guy.

NSS Labs vs CrowdStrike

Perhaps the most tantalizing news so far is that NSS Labs has a big endpoint report coming out tomorrow morning. Infosec darling CrowdStrike has their panties in a bunch over this report and sued for an injunction against its publication. Late today, a district court denied CrowdStrike’s motion. It goes without saying that CrowdStrike is not happy about what is in this report. NSS Labs, in our opinion, consistently publishes reliable, scientifically valid reports. I am inclined to side with them on this issue. CrowdStrike’s move has all the hallmarks of lameness.

However, we will see how this drama unfolds.

On to AGC

I spent the first part of the day at the America’s Growth Capital (AGC) event. This is where investors and companies dance around and try to impress each other.

The panel discussions at AGC were unremarkable, except in the rapid-fire of clichés. I must have heard “we must do better,” “there are no silver bullets,” and “we need a layered defense” at least a dozen times. I feel like the industry is running out of ideas. We are starting to replay the same tired clichés, hoping people will not notice.

After pitching for dollars, I headed over to Moscone for the big event of the day.

Innovation Sandbox

Welcome to the Innovation Sandbox, where 10 companies vie for ultimate supremacy. If this were a monster truck rally, surely we would see the likes of Beef Supreme and Macho Nacho Camacho.

The Sandbox Monster Truck Rally was accelerated this year. They moved it up to a 2pm start time and cut out the blathering speakers. The presentations were cut down as well. All in all, these changes improved the overall event. It was more engaging.

Prior to the presentations, they always bring a few VCs on stage to talk about themselves. Adam (Anitian’s Director of Security Intelligence) turned to me at one point and lamented the condescending attitude of VCs. I replied, “come on, these are the salt of the Palo Alto earth, the common clay of the cloud, you know…assholes.” We laughed. People around us sneered.

However, one of the VCs, Bob Ackerman of Allegis Capital, had the mic-drop moment of the show, and maybe of all of RSA, when he said: “you cannot defend against stupid.”

Bob, dude, you are like blowing my mind.

Ackerman absolutely hit the nail on the head about cybersecurity. I fear this may set the tone for RSAC 2017. Cybersecurity has gone full stupid. Stupid is flying the plane. Stupid calls the shots. It is the head honcho. The big cheese. It will also never get over Macho Grande.

You cannot reason with stupid. It is selfish, hateful, and petty in every way. Stupid is the new cyber. We have stupid products, saying the same stupid things, solving recurring stupid problems, that stupid VARs push with their stupid salespeople, that stupid CISOs buy, and shove in front of stupid employees, to make them feel stupider.

The beauty of stupid is that it is so stupid, it cannot comprehend how stupid it is. It is stupid turtles all the stupid way down.

I feel stupid for writing this.

With Ackerman’s wisdom roiling around in my head, the Innovation Sandbox Rally got underway. This was a pretty good year. There were some compelling products, as well as some duds.


Grade: B+

It provides mathematical verification of networks. Every time a change is made, their product can verify it. Good presentation, clear and to the point. The idea of a mathematical assessment of a network sounds interesting. However, it was difficult to understand what exactly this product did.

UpLevel Security

Grade: C+

This tool graphs alerts. This is a good example of a company that is a feature, not a product. When asked about how they secure their clients’ data, the CEO answered: “We take security seriously.” I cringed. When I hear that, I immediately think they do not take security seriously at all. However, the more the CEO talked, the more interested I became in the product. The contextualization of alerts is a huge problem for SOCs.

UnifyID

Grade: B+

This was the Sandbox winner, and we are not surprised. UnifyID attacks the age-old problem of passwords. As long as we have passwords, they can be hacked and stolen. Getting rid of passwords and identifying people from implicit aspects of their body or behavior is a Holy Grail of security. UnifyID appears to have this Grail. Using a complex set of indicators, like location, phone usage, and even your gait as you walk, they claim to positively identify a person 99.999% of the time, with no conscious action on the user’s part. I admit, that is cool. Maybe a bit too cool.

This technology is unnerving. It feels invasive. I cannot help but wonder about adoption and a thousand other variables that could make the technology not work.

Nevertheless, we remain impressed. Congratulations, UnifyID.

RedLock

Grade: C

RedLock claims to automate cloud infrastructure security. It monitors cloud workloads and alerts you to unusual activity. This company sounds a lot like Evident.io and/or Dome9, but less mature. The problem of cloud proliferation is real, but this product did not seem entirely baked. Let’s check back with them in a year and see where they go.


Grade: D

This is an anti-phishing product. Yes, phishing is a big problem. However, the extremely mature email security space has this mostly covered. This company’s pitch committed the sin of being “just slightly better than the competition.” That is not innovation, it is a feature request. However, this was the first use of the word “cloud-native,” which will likely go in my Thursday blog when I catalog the buzzwords of RSA.

En|Veil

Grade: A

This was the highlight of the sandbox. En|Veil is one of the first commercial applications of homomorphic encryption. This is a technology that can keep data encrypted even while it is processed or used. Like UnifyID, this too is a Holy Grail technology. The idea of data remaining encrypted (and therefore secure) while processed, stored, or transmitted on commodity technology is… dare I use the cliché… a game-changer.
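To make concrete what “data that stays encrypted while it is processed” means, here is an added example that is not from the original post and is not En|Veil’s technology (the post does not describe their scheme). It uses Paillier, a textbook scheme that is additively homomorphic: a party holding only the public key can add ciphertexts together, and multiply them by known constants, and the result decrypts to the sum or product. The primes, the sample cost figures, and all function names are constructed for illustration.

```python
"""Toy additive homomorphic encryption (Paillier), constructed to illustrate
computing on data that stays encrypted.  Not En|Veil's own technology.

Paillier is additively homomorphic: a party holding only ciphertexts and the
public key can add encrypted integers, and multiply them by plaintext
constants, without ever decrypting.  The small fixed primes below are for
illustration only; real deployments use 1024-bit or larger primes.
Requires Python 3.8+ for pow(x, -1, n).
"""
import math
import secrets

# Two primes just above 10^6 (constructed, illustration-size only).
P = 1_000_003
Q = 1_000_033


def _lcm(a, b):
    return a * b // math.gcd(a, b)


def keygen(p=P, q=Q):
    """Return (public_key, private_key) for Paillier with generator g = n + 1."""
    n = p * q
    lam = _lcm(p - 1, q - 1)          # Carmichael's lambda(n)
    mu = pow(lam, -1, n)              # lambda^-1 mod n (valid because g = n + 1)
    return (n, n * n), (lam, mu)


def encrypt(pub, m):
    """E(m) = (1 + n)^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, n2 = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    while True:
        r = secrets.randbelow(n - 1) + 1   # r in [1, n-1]
        if math.gcd(r, n) == 1:
            break
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, n2 = pub
    lam, mu = priv
    x = pow(c, lam, n2)
    return ((x - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2: addition without decryption."""
    return (c1 * c2) % pub[1]


def scale_encrypted(pub, c, k):
    """E(m)^k mod n^2 decrypts to k * m: multiplication by a known constant."""
    return pow(c, k, pub[1])


def encrypted_total(pub, ciphertexts):
    """Sum ciphertexts while holding only ciphertexts and the public key."""
    total = encrypt(pub, 0)           # encryption of zero as the running total
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    """Client encrypts per-department costs; an untrusted aggregator sums them blind."""
    pub, priv = keygen()
    costs = [1200, 3400, 550, 78]                      # constructed sample data
    cts = [encrypt(pub, v) for v in costs]             # only these leave the client
    blind_sum = encrypted_total(pub, cts)              # aggregator never decrypts
    blind_double = scale_encrypted(pub, cts[0], 2)     # 2 * 1200, still encrypted
    return decrypt(pub, priv, blind_sum), decrypt(pub, priv, blind_double)


if __name__ == "__main__":
    print(demo())   # (5228, 2400)
```

The aggregator in `demo()` computes a correct total without ever holding a key that could reveal an individual figure, which is the property the paragraph above is pointing at. Paillier only supports addition and constant multiplication; fully homomorphic schemes allow arbitrary computation on ciphertexts at a much higher cost, which is why commercial use was still notable in 2017.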

However, while En|Veil’s product was captivating, their CEO, Ellison Anne Williams, is a rock star. Of all the presenters, she was my favorite. She answered tough questions with confidence and clarity. Her quip at the end of her presentation, “and we’re open to third-party code review,” was a mic-drop moment. I wanted to jump out of my seat and scream “You Rock!” This company is going places, and Ms. Williams will take them there.

Furthermore, Ms. Williams gives me a bit of hope for our industry. In a conference that is wall-to-wall pasty white guys, it is reassuring to see women of such strength and intelligence get center stage. I believe En|Veil deserved to win. Not because they have a woman CEO per se, but because they have a truly innovative technology with some brilliant people behind it. The practical applications of this company’s technologies are more far-reaching than UnifyID’s.

Contrast Security

Grade: C-

This is a product that scans code as it’s written or run. It might even scan the code when a developer thinks about it as well. I am not entirely sure. This product felt a bit like Prevoty from last year’s sandbox, which this blog skewered as exactly what we do not want to do with developers (RSA Conference 2016: Sandboxing the Blame). Products that promise to cover up poorly coded applications are a bad idea. Contrast sounds more like a remedy product, but some of their language was similar to Prevoty’s.

This was a messy, unfocused presentation. They claim to “deliver on the promise of DevSecOps” but cannot manage to deliver a coherent presentation. If you cannot master PowerPoint, you are not ready for DevSecOps.

There might be something innovative here. It was difficult to find.


Grade: B+

This is a product that provides security for Industrial Control Systems (ICS). The product is niche, but the need is real. Of all the presenters in the Sandbox, this company sounded the most mature. They have relationships with many ICS providers and a clear vision.

Unfortunately, their product is not sexy. This put them out of the running as a sandbox winner. I suspect this company will do well, regardless of not winning.

Cato Networks

Grade: D-

Ugh, this was hands down the worst presentation. Shlomo Kramer, a respectable name in cybersecurity, meandered on stage, talked about himself, and blathered about their product. It was weak in every possible way. Also, SD-WAN is about as exciting as Applebee’s. Forced excitement, with warmed-over ideas.

Also, their website proclaims “Network Security is Easy Again.” It was never easy. How did it become easy again? Are we talking back in the 1950s or something? Gah, get some better marketing, Shlomo.


Grade: D

This company is tied with Bromium for the dumbest company name. I am baffled at what they think it means. Adam and I summarized this company as the “productization of a checkbox on AWS.” They make encryption easy! Like that checkbox on AWS, where you click, and your data is encrypted. Wow.


After the sandbox, I met up with my TrueBit CyberPartners to talk shop. I shared Ackerman’s quote. The whole team also lamented how ridiculous security has become. After years and years of promises from all these vendors, how long are we going to keep letting them cry wolf, when our biggest enemy is not a wolf that will eat us, but our own stupidity in believing these vendors in the first place?

But we got this guy, Not Sure…