Industry must do more to decrease the attack surface, increase the productivity of cybersecurity professionals, and enhance overall protection without getting in the way of users.

During his keynote at last year’s RSA Security Conference (titled: Escaping Security’s Dark Ages), Amit Yoran, president of RSA, lambasted the industry as failing its customers. In a related interview with Fortune Magazine, Yoran stated, “Let’s do things differently; let’s think differently; let’s act differently – because what the security industry has been doing has not worked.”

Now, in the 10 months since last year’s industry get-together (note: RSA 2015 was in April), the overall state of cybersecurity has only continued to devolve. Large organizations are moving more and more workloads to public and private cloud infrastructure and proceeding further with mobile and IoT applications, making it more difficult to monitor and defend sensitive IT and data assets. Meanwhile, the global cybersecurity skills shortage has gotten even worse. According to ESG research, 46% of organizations claim that they have a “problematic shortage” of cybersecurity skills, an 18% increase from 2015 (note: I am an ESG analyst).

With Amit’s keynote in mind, I’ll be heading to this year’s RSA conference to see if the industry has made any progress as far as thinking and acting differently – especially in light of these changes. I’m hoping that I see advancement in the following areas:

Decreasing the attack surface. We need to do a better job of limiting who gets access to applications and data, and of segmenting traffic between network assets. There are a lot of technologies in this area, including application whitelisting (Carbon Black, Intel Security, Kaspersky Lab), network access control (Aruba/HP, Bradford Networks, ForeScout), and network/workload micro-segmentation (Cisco ACI, VMware NSX, Illumio, vArmour, etc.). Data encryption and some of the CASB tools also apply here.
The real problem is that it can be time-consuming and difficult to create, monitor, and enforce these types of policies. I’d like to see these tools interoperate more closely with security monitoring, and even offer cybersecurity professionals advice on better ways to lock things down. We have to do more to decrease the attack surface with incremental steps that are easy to understand, implement, monitor, and fine-tune.

Increasing the productivity of cybersecurity and IT professionals. I’ve written a lot about integrated cybersecurity orchestration platforms (ICOPs) like FirstHour, Hexadite, Phantom Cyber, Resilient Systems, and ServiceNow, and even predicted that this would be a focus area for the cybersecurity industry in 2016. I’m bullish on this area because of its potential to streamline cybersecurity automation and automate the multitude of tedious tasks undertaken for incident detection and response. Oh, and let’s not forget that infosec teams need strong communication and collaboration with IT operations, but this relationship is often handicapped by different processes, skill sets, and objectives. I’m hopeful that ICOPs continue to gain momentum so that cybersecurity teams can spend their limited time more efficiently on high priorities.

Improving security without disrupting users. Ask any CISO and he or she will tell you that this is one of the biggest challenges they face. There are a few encouraging trends taking place. First, next-generation endpoint security tools are often based upon extremely lightweight agents that offload tasks like malware analysis, real-time signature creation, and IoC definition to the cloud. Confer, CrowdStrike, Trend Micro, and Webroot come to mind. I’m also encouraged by the industry effort to replace username/password authentication with multi-factor alternatives – a big part of the president’s recent Cybersecurity National Action Plan (CNAP) as well. Standards like FIDO may help make this a reality.
Finally, there is an overall trend toward collecting, processing, and analyzing a lot more data to improve security monitoring and accelerate security decision making. This is happening all over the place – cloud infrastructure, endpoints, networks, data usage, etc. I’m also seeing interesting new SIEM capabilities from IBM (QRadar), LogRhythm, and Splunk, as well as interesting security analytics technologies from the UBA crowd (Caspida (Splunk), Exabeam, Gurucul, etc.) and others (Arbor Networks, Forcepoint, RSA, Sqrrl). If we can use methods like these to improve security AND the user experience, we win big.

For the most part, Amit Yoran’s 2015 message was spot on – the industry must do more than develop and sell point tools in order to improve the overall state of cybersecurity (are you listening on Sand Hill Rd.?). Vendors should really take the time to understand and empathize with customers and work on true solutions to their problems. I hope Amit continues to preach this message – I know I will.

BTW, here’s a link to the blog I posted earlier this week about what else I’m anticipating at this year’s RSA Conference. See you next week!