RSA 2018 conference recap

May 15, 2018 (6 mins)
Application Security, Data and Information Security, IT Leadership

Memories from the greatest information security show on earth.

The RSA 2018 conference is now but a memory. The conference perennially gets larger and larger, and this year was no different. After a jam-packed four days there, here are some of my reflections on the conference.

On the human side, as nearly every attendee quickly noticed, and as Katie Moussouris stated in her tweet, there is a staggering number of homeless people in San Francisco. One is hard pressed to walk more than a few minutes without running into homeless, mentally ill or addicted people. That includes open drug use on the streets and in BART stations.

[Embedded tweet from Katie Moussouris]

The conference finds itself in a city with a major public health crisis. It’s sad that one of the most beautiful cities in the world faces the reality that large swaths of the population must use the city streets as their toilet.

The importance of information security

The growth of RSA (and other information security conferences) further validates the importance of information security. My guess is that there would likely be larger attendance at RSA, save for the dearth of affordable hotel rooms in San Francisco. There’s a limited supply given San Francisco is a relatively small city.

San Francisco is a place where getting a decent room during a large conference for $450 a night is almost a steal. With places like Las Vegas having about five times more hotel rooms than San Francisco, the conference organizers may want to consider alternative locations for future conferences.

Knowledge week

While there were countless vendors at the conference, there were also a large number of presentations. For those who could not attend, RSA has made the over 370 conference presentations freely available here.

As for me, I gave a presentation on Ransomware - How Not To Be A Victim, and What To Do When You Become One, as part of the Ransomware and Destructive Attacks Summit, moderated by Andrew Hay.

My talk was preceded by Associate Deputy Attorney General Sujit Raman. In his talk, he stated that the official position of the U.S. Department of Justice is not to pay any ransom. I contrasted that by noting that if an organization has no backups, then they have no leverage and are forced to pay the ransom if they ever want to see their data again.

GDPR was a prominent topic at the conference, both in the presentations and on the expo floor. I facilitated two P2P sessions on 35 Days to GDPR. Even If You Prepared, Is Your Firm Truly Ready?, where attendees attested to the myriad questions about the challenges and difficulties of complying with the largest data protection regulation ever created.

RSA Expo

There were over 650 vendors in the two expo halls. In years past, there were always vendors who touted being a single-point solution to various security issues and regulatory requirements. As for GDPR, it is so utterly complex and broad that there wasn't a single vendor on the expo floors making anything close to such a claim. Yes, that's how complex GDPR is.

Countless vendors abounded, from the largest players in the industry to tiny start-ups. I met several interesting vendors, and some of the most intriguing were:

Thinkst Canary

These are small honeypots, meant to run on your internal network. Each Canary can mimic Windows, Linux, and other types of devices. They can be deployed as physical, virtual or cloud-based devices. All of the Canary devices are managed by, and communicate with, a central management console. It's an interesting (and relatively inexpensive) approach to insider threat detection and threat intelligence: no legitimate system has any reason to talk to a decoy, so any connection to one is a high-confidence signal.
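The detection principle behind a canary can be shown without any vendor product. The following is an added example, not Thinkst's code: it applies the "nobody should ever talk to a decoy" rule to a few constructed, NetFlow-like log lines, raising one alert per flow that reaches a decoy address and then grouping the alerts by source so a responder can see at a glance that one host touched several decoys on several ports (which looks like a subnet scan). The decoy addresses, their personas and the log format are all assumptions made for the example.

```python
"""Alert on any traffic to decoy ("canary") hosts.

Added example, not Thinkst's code. A canary relies on the fact that no
legitimate process ever talks to a decoy, so a single connection to one is a
high-confidence alert. Here that rule is applied to constructed flow records.
The decoy inventory and the record format are assumptions for the example.
"""
from collections import defaultdict

# Assumed decoy inventory: address -> the persona the decoy presents.
CANARIES = {
    "10.0.5.20": "fileserver-win (SMB)",
    "10.0.5.21": "git-linux (SSH)",
}

# Constructed flow records: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
1526300001 10.0.1.15 10.0.2.10 443 tcp
1526300002 10.0.1.15 10.0.2.11 53 udp
1526300005 10.0.1.42 10.0.5.20 445 tcp
1526300006 10.0.1.42 10.0.5.21 22 tcp
1526300007 10.0.1.42 10.0.5.20 135 tcp
1526300009 10.0.1.15 10.0.2.10 443 tcp
"""


def parse_flow(line):
    """Parse one flow record; return None for malformed lines instead of crashing."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    if not (ts.isdigit() and dport.isdigit()):
        return None
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def canary_alerts(flow_text, canaries=CANARIES):
    """Return one alert per flow whose destination is a decoy address."""
    alerts = []
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dst"] not in canaries:
            continue
        alerts.append({**flow, "decoy": canaries[flow["dst"]]})
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source host: which decoys and ports it touched, and how often.

    One source hitting several decoys in quick succession reads as a scan of
    the subnet rather than a one-off misconfiguration.
    """
    summary = defaultdict(lambda: {"decoys": set(), "ports": set(), "count": 0})
    for alert in alerts:
        entry = summary[alert["src"]]
        entry["decoys"].add(alert["dst"])
        entry["ports"].add(alert["dport"])
        entry["count"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = canary_alerts(SAMPLE_FLOWS)
    for a in found:
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dport']} ({a['decoy']})")
    for src, entry in summarize_by_source(found).items():
        print(f"{src}: {entry['count']} hits on {len(entry['decoys'])} decoy(s), "
              f"ports {sorted(entry['ports'])}")
```

Run as-is, the script flags only the three flows from 10.0.1.42; the ordinary traffic from 10.0.1.15 to real servers produces nothing, which is the point: a decoy generates almost no false positives, so the alert volume stays small enough that every hit can be investigated.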

Tufin Orca

This is a security automation suite for containers and microservices. Reuven Harrison, CTO at Tufin Technologies, gave me a demo of their soon-to-ship Orca tool. While many firms are deploying containers and microservice environments, they don't have security tools to deal with the risks of these technologies. If Orca can deliver on its promises, it looks to be a great tool to deploy.

qStream random number generator

QuintessenceLabs has their qStream 100A quantum random number generator (RNG). For those who need a higher grade of random number generation, this appliance is not cheap, but it is critical for ensuring higher levels of security.

SecurityScorecard

There were a number of firms offering solutions to deal with third-party and vendor risk. SecurityScorecard has a SaaS offering for understanding the security risks of third parties; it measures a large number of threat indicators, and each vendor's performance is graded on an A-F scale based on 10 security factors.

While at the expo, I got a demo of the product and they ran a scan on my firm. I don’t mean to brag, but we got an A.

[Image: SecurityScorecard security summary report (Ben Rothke)]

Rsam

While Archer is the 800-pound gorilla of the GRC space, its price, scalability issues, and data integration issues have led many firms to look at alternatives. With good workflow automation and the ability to work easily as SaaS, Rsam offers a kinder and gentler approach to GRC.

Cyberint Argos

There were countless vendors in a crowded field offering threat intelligence solutions at RSA. The Cyberint Argos threat intelligence platform is interesting and provides real-time views of targeted attacks, data leakage, and more.

Garner Products

Finally, while there were many awards given out at the show, I'd like to give the "Most boring yet important information security product" award to Garner Products. They make hardware to wipe hard drives, perform media erasure and degauss media. While it's not the most exciting technology, any organization that does not have a formal data destruction program in place, using products like these, is putting itself at significant risk.

RSA networking village

RSA is legendary for myriad parties with flowing liquor. It’s also a great avenue for speaking with some of the brightest minds in the industry.

A question I pondered while at RSA, and one that would be interesting to ask in a job interview, is this: which is better from a security perspective, insecure crypto protocols over secure communications protocols, or secure crypto protocols over insecure communication channels?

After pondering it for a while, I saw Dr. Adi Shamir after his crypto panel and posed that question to him. He quickly answered that, since it is much easier to swap out crypto protocols than it is to change communications protocols, the insecure crypto/secure communications approach would be best.

RSA 2019

Next year's conference will be in early March 2019. As Dr. Ron Rivest stated in the crypto panel, he's surprised how popular blockchains are given how few advanced security features and controls they have. So, after all these years of RSA conferences, with all the smart people and advanced technologies, the industry is still deploying things without adequate security. Plus ça change, plus c'est la même chose (the more things change, the more they stay the same).


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.