Today was the official start of RSAC 2016. The big event on Monday is the Innovation Sandbox. Where ten new cybersecurity firms are thrown into the Thunderdome to fight it out. Master Blaster might own Bartertown, but its fear and froth that owns RSA. And this year, the fear has progressed to something new – blame. As in who can we now blame for all the failures?
Before I hit RSAC today, I spent the morning at the America’s Growth Capital (AGC) event at the Westin. This is where the investors and start-ups go to make deals. It is a very different crowd. However, the messages were the similar.
Pre-RSAC Amit Keynote
AGC started with a rather casual keynote from Amit Yoran, which I suspect will be similar to his keynote tomorrow at RSAC. Yoran is once again telling us, how we are all failing. However, he was spot on about was the need to hunt for attackers in the environment. The concept of a “hunt” is what our Sherlock Managed Threat Intelligence service is based upon, so it is vindicating to hear a leader like Yoran repeat it. You cannot wait for an alert, you must actively hunt through the data for attackers before they cause a breach.
When it came time for questions, Amit conspicuously refused to answer questions about the Dell / EMC merger. He did, however, admit that RSA is dumping their cryptography and DLP business. What they are going to replace it with was a mystery. I suggested taking over Amy’s Baking Company or Norse. Two places with pretty serious leadership problems.
RSA is very clearly in a difficult transition right now. Yoran’s quick and annoyed dismissal of any Dell/EMC talk suggests something is going on. Rumors point to Yoran wanting to spinoff RSA from Dell. Yet, I suspect Dell might want to to spinoff Yoran from RSA. There is some bad news lurking under Yoran’s sleeve.
The Cisco Armada Opens Fire on the HMS Palo Alto Networks
Immediately after Yoran’s keynote, the room really began to heat up. The Security Analytics panel featured Marty Roesch from Cisco, Nir Zuk from Palo Alto Networks, Greg Clark from Blue Coat and two poor saps from IBM and RSA who wound up caught in the crossfire. This was an absolute hoot. Marty and Nir duked it out, with Marty firing off the first shots, but Nir returning fire with his typical PAN zealotries. Nir proudly proclaimed that PANW detects things they don’t know about. It is amazing that we all just accept that at face value. We are all part of the Cult of Palo Alto Networks now.
After a good 30 minutes of heated battle, Greg Clark from Blue Coat stepped in to quiet things down. You know its going to be a weird day when Greg Clark is the voice of calm in the room. Clark is a savvy businessman, but “calm” is not a word typically associated to his personality.
Cisco’s new aggression against Palo Alto was palpable. Their messaging in the early hours of RSA was also decidedly pointed at Palo Alto. This continues a trend we have seen playing out over the past year or so with Cisco giving Marty the freedom to pursue an aggressive new strategy that is all about Security Analytics. Cisco is going to put some serious pressure on PANW. Cisco has a much larger cache of armaments here. They can keep up the salvos much longer. When the smoke clears, Cisco can win this battle. In the meantime, PANW still has their loyal customer-base.
Speed Dating at AGC
After the panel discussions, I spent some time chatting up investors in the speed dating room at AGC. Its quite a sight to see a room filled with CEOs all trying to round up funding. What really amazed me was the low-quality of some of the pitches. Many of them were unfocused blathering buzzword belching bullshit. Nobody talked about why they are doing what they do. I guess Simon Sinak’s Start with Why video has not circulated among this group.
The Sandbox was in a new, larger location this year. This was good since last year they filled the room and had people sitting on the floors. The contestants were a diverse batch. There were three solid companies, a few mediocre ones, and one company that truly enraged me.
This is a radio frequency monitoring sensor with a cloud-based management console. It can identify and track ANY RF communications, including cell phones, Bluetooth headsets, embedded systems. If it puts out a radio frequencies, they can track it. I liked the simplicity of this company. They can also tag and track devices as they move through the environment. This is the ultimate rogue wireless device detector.
This company is part of a new breed of products that use “deceptions” as a detection tool. Think of this as a new type of honeypot. The idea is to seed an environment with tempting “deceptions” or false data. A good example is an Active Directory account that is easy to hack. Endpoint and network systems then monitor for anything using or relaying this “deception” data out of the environment. The idea is that if malware gets into the environment, it will quickly acquire these “deceptions” and try to report them out to a command and control network.
This deception concept is fascinating, but seems fraught with errors and issues. I can think of a lot of ways to bypass and avoid detection. Also, adding honeypots to your environment may help with attribution, but you still have to be watching the data. I am skeptical of the value of these products, even if they are technically elegant.
This company kicked off their presentation with the Beetles song Revolution, and it was all downhill from there. They call themselves a “isolation platform.” It sounded a lot like a sandbox technology, such as FireEye, to me. This company spent a heck of lot of time telling us all the big important somebodies they have on their board and partner program. I was unimpressed.
There is just too little detail behind their claims. I highly doubt they can completely eliminate malware, seeing as how there are so many ways around network-based controls.
This was the winner of the innovation sandbox and we could not agree more. This company clearly had the most valuable product. The second their presentation started, I was hooked. The first slide was a massive list of security vendors with a clear pain point, enterprises have a diverse set of products none of which talk to each other. This means all the orchestration and coordination of security must be done manual.
What followed was a strong, technical description of the product. A quick run down of their team, and a clear call to action. This is an awesome technology, at least conceptually. In practice, I suspect it is very difficult to get working, and demands a lot of tuning. However, the promise here is huge. Automating security operations really is the holy grail of Security Analytics.
Hey, Cisco, Raytheon, IBM, Blue Coat, Symantec, Splunk, etc. are you paying attention here? One if you get out the checkbook and acquire this company. You want this technology.
If Phantom was the pinnacle of the Sandbox, Prevoty was something darker. I am not sold on this company. This is an example of a product that sends software development in the exact wrong direction.
The presentation began with the age old pattern recognition vs heuristics argument. A tired argument that has little meaning today. Superficially, their product sounds like a web application firewall, which is not exactly an exciting market. The presentation did not do much for me. It was not until I did a bit more research, that I came to really dislike this company.
On Prevoty’s website is a video with their CTO Kunal Anand and Jeremiah Grossman from White Hat Security. I did not like what I heard.
Grossman makes the claim that companies are too focused on building revenue generating features for their application and cannot be bothered to fix their code. As such, we cannot expect them to fix the problems, so we need to cheat our way around the fix. Anand then steps in to say: “Install our product, and White Hat will give you a clean bill of health.”
I find this a disturbing concept. We should not be telling development teams to ignore their coding vulnerabilities. Development teams need to deal with vulnerabilities so they can make their code better. Web application testing is supposed to help developers improve, not help them cheat their way around the vulnerabilities.
I can accept a technology that is intended as a temporary “patch” for vulnerabilities, but its irresponsible to say you can ignore them. This product certainly is interesting, and I can definitely understand its business plan, but the messaging needs work.
This presentation began with a laundry list of problems. Then the pitch of being a network DVR…a packet capture platform. While this is not a bad technology, it is certainly not new. I could not figure out how this is different from Solera and RSA, who already dominate this space. Full packet capture is a difficult technology to manage, since it has immense storage requirements. This company’s solution of streaming every packet to the cloud seems problematic. Even if you set aside the performance issues, the notion of having every packet offsite at some third party location is unnerving.
This presenter began with the claim that when he was a CTO, he could never answer the question of whether his company was safe or not. He claimed that he hired pentesters, analysts, and consultants and could never get an answer. I was a bit baffled with this statement. We could consider this a relatively easy question to answer at Anitian. The presenter’s credibility was declining.
Then came a torrent of buzzwords: killchain, continuous war games, virtual hacker…ugh. Whatever credibility he had, just got rooted and erased. Honestly, I am not really sure I know what this company does, aside from hire bad consultants. It sounds like some kind of automated vulnerability testing platform.
This is an example of a company that may have an innovative idea, but they need some better messaging.
This is a containerization platform for applications. It provides a trusted platform with built in security controls on a hardened OS. The company messaging of quick, simple, and fully contained security might grab attention, but it undermines their technical capabilities. Their product looks more interesting the deeper you go. For example, the integrity checking and security co-processors are very elegant ideas.
I like this company, but their place in the market is muddy. I fear they have a limited client base. Seemed to me they would appeal to other security companies. This was validated when I noticed that they name Intel Security (McAfee) and Juniper as clients. I would encourage this company to improve their messaging around the uniqueness of their platform, and less around how quick and simple they are. Good technologies do not need to be quick and simple.
Secure data anywhere it goes. I am not sure I know how this company does what it does, but it is extremely intriguing. The idea here is that they encrypt and containerize data so they can track it regardless of where it is stored, cloud, email, USB stick, whatever. Not only that, you can control what can happen to that data.
So is this a DLP product or a file encryption product? The presentation was a bit thin on technical detail, but I remain very intrigued. Of all the products in the sandbox, this was the one I really want to try out.
From what I could tell, this sounds like software defined networking across branch locations. The presenter had a murky and rambling description. Also, I did not much care for the presenters claim that “you do not need a CISSP to deploy our product.” Yeah, but you could use a few CISSPs to help you with your messaging. As best I could tell, this a specialized software defined networking.
Honestly, I do not see a need for this product. We have NGFW with VPNs, why do we need this? What does it do that a VLAN cannot do?
After the sandbox, we were all a bit tired and worn out. We headed off for some drinks and pondering the future. We are feeling a lot of cynicism at Anitian right now. Perhaps its just fatigue from all the buzzwords. However, its Monday, we have not gotten to the real buzzword blast.
I am looking forward to the keynotes tomorrow morning. Let’s see how those go. Perhaps they can wash away this cynicism.