The RSA Conference is one of the largest conferences globally for the cybersecurity industry (if not the largest), and I attended this year’s event with interest once more. It provides a great opportunity for analysts such as myself to take the pulse of the industry and see where the technology is going. This year, there were over 600 vendors present, and I believe cybersecurity as a discipline is settling nicely into the mainstream of media attention.
This means that the FUD messaging has become somewhat diluted. Security vendors are less interested in talking about breaches to those already in the space. It’s old news, primarily targeted at those outside the industry; most security professionals don’t need to be sold on the dangers of cybercrime, data leaks, and espionage. The pitches are more targeted around security technology development, which is as it should be at any security event of this size. The big themes this year revolved around ‘smart’ and ‘IoT’. Of course, mobile, threat intelligence, as well as network and endpoint security still loom large on the security spectrum. However, the industry is paying close attention to the changing digital environment and how its technologies should evolve alongside it.
Smart security is all about leveraging machine learning, behavioral analytics, pattern recognition, predictive analysis and automation to advance defensive security. The aim is to lower the burden for the human element (due to the skills shortage and the sheer quantity of threats and vectors plaguing organizations today), and enable such tools to move from defense to response, and eventually to risk mitigation and prevention. A lot of the marketing terminology at RSA encompassed AI, although I don’t believe we are anywhere near true AI in cybersecurity technologies. Both AI and cognitive are the end goals of smart security. With the interesting advances by IBM’s Watson, and even Google’s AlphaGo, we may expect many of those promises to be fulfilled in the next 5 years. AI that can truly advance cybersecurity in a transformative fashion, not just in terms of sharpening defense mechanics, but in speeding up and automating incident response, and enabling true offensive security, is still a much longer-term realization.
ML and UBA, for example, are still largely enablers for security professionals, rather than technologies that can prop up an independently operating cybersecurity tool. Human oversight by competent analysts is still sorely required in the response, intelligence, and offensive space. I think it may be a little early to talk about true AI or even cognitive, but I don’t doubt that the industry is on the fast track to expanding that opportunity. There is a series of trust exercises that need to be completed first with regard to the technology, and their successful resolution will depend on bringing down those false positives to an acceptable rate, capturing and translating all kinds of unstructured data that may be relevant, and attributing the right levels of risk and mitigation strategies to various events. Of course, all this needs to be done while simultaneously analyzing the ecosystem and landscape around the organization. A few companies making headlong strides in the space whom I met with during the conference include RedSeal, Balabit, Prevalent, Prevoty, Securonix, Rapid7, Plixer, Empow, Zvelo, NuData Security, Sepio, DeepInstinct, and TrendMicro. Automated cyber resilience is the target, and AI the umbrella technology to propel its adoption.
The other big theme was IoT security, which is primarily focused on how to address the vulnerabilities of operational technologies, and how vendors can best adapt traditional IT security to the OT world. Vendors are pivoting some of their core technologies in this space, although there is a lot of hype in the message, and fewer concrete commercial implementations. This is in large part due to reluctance outside of the security space to adopt or invest in security for OT. The security industry is very much at the education and awareness-raising stage for IoT, with many consortiums and collaborations ongoing in terms of guidelines, best practices, standards, etc. Firms like TopSpin and Firmitas are exclusively focused on OT, and looking to step in where there is still a massive gap in cybersecurity coverage.
For those companies that are pivoting, one of the primary areas of pivot is authentication services for the IoT, to enable secure OTA and managed services for the increasing number of connected devices. The challenge will be to provide identification, authentication, access control, and encryption key management, among other functions, to millions of devices of varying nature: from low-end sensors and field devices to large complex appliances and machinery. This will not be an easy feat, with vendors touting both PKI as well as symmetric key mechanisms (including quantum) to solve some of these problems. I met with a few companies trying to crack the problem from either a hardware, software or a services perspective, including Intertrust, Quintessence Labs, Rubicon Labs, Intel, Mocana, Utimaco, and Entrust Datacard.
The trust anchor for many of these solutions will be with the hardware, and embedded security is an increasingly focused area of research and development for many vendors, which is expanding slowly towards OEMs. However, some are focusing on software-only solutions, unconvinced that the security posture of OEMs will change dramatically in the coming years. I suspect a few sectors will make it their focus, notably those in critical infrastructure or dealing with functional safety requirements, but many outside of those sectors will wait and see if any liability through new regulation or court cases is ascribed to them, or whether significant reputational damage should make them reconsider investment in hardware-based security.
Overall, the themes at RSAC this year amplified the discussion currently in the cybersecurity industry. We are in a mature and competitive market; security is still not always well implemented or adopted by organizations around the world, but millions are certainly being spent by larger companies and governments keen to protect their assets. The goal now is to ensure that security spending is smart; that risks and incidents can be effectively minimized to an acceptable degree. This is where AI technologies will play a significant role. Further, IoT is the next frontier for many organizations, and there is little doubt that security is becoming critical as IT and OT converge. I look forward to the Black Hat and DEF CON events this year, which will shed ever more light on the insecurities of things, and the increasingly exploitable vectors of the connected world.