10 Cybersecurity Issues To Watch For At RSA Conference 2021
As RSA Conference 2021 kicks off next week, CRN speaks with C-suite executives from nine prominent vendors to see what cybersecurity issues they expect to be the talk of this year’s event.
Virtual Show, Real-World Problems
Over the past 29 years, the RSA Conference has become the world’s meeting place for enterprise and technical information security professionals, with more than 36,000 people gathering last year amid darkening COVID-19 storm clouds to discuss the latest cybersecurity innovations, data and thought leadership.
More than 650 companies packed two floors at San Francisco’s Moscone Center in late February 2020 to show off their latest products, while some 520 educational sessions covered topics ranging from privacy and open source tools to machine learning and blockchain. But the in-person gathering came at a price, with four Exabeam staff testing positive for COVID-19 and one spending two weeks in an induced coma.
This year’s RSA Conference will be a fully virtual affair, with over 300 sessions across 20 educational tracks with keynotes, partner seminars, interactive sessions and sponsor briefings. Organizers in May 2020 delayed RSA Conference 2021 from the week of Feb. 8 to the week of May 17 in hopes of having both a virtual and physical event, but threw in the towel on the physical event in November 2020.
As we head into RSA Conference 2021 next week, CRN spoke with C-suite leaders from nine prominent cybersecurity vendors to see what they expect to be the major areas of focus at this year’s event. From human-operated ransomware and the increased weaponization of vulnerabilities to protecting remote workers and automating security intelligence, here’s what the brightest security minds are watching for.
Neutering Ransomware Through XDR
Ransomware groups typically shoehorn their way into a victim organization and then employ a variety of techniques to move laterally throughout the victim’s network, said Sophos CEO Kris Hagerman. It often becomes a footrace between the attacker moving from one estate to the next to find and exfiltrate valuable information while the defenders try to close doors and block hallways to minimize exfiltration.
Well-implemented XDR (extended detection and response) technology can make the attacker’s life more difficult by removing the gaps between network, endpoint, server, and email security products, he said. Humans have struggled to look quickly across all of a company’s data and get actionable insights on their own, and Hagerman said businesses should leverage automation and ML to accelerate that process.
At the same time, Hagerman said human analysts have a very important role to play when it comes to pattern recognition around more advanced attacks. By putting all of an organization’s information in the same place with a rich set of telemetry and granular data, Hagerman said appropriately executed XDR can prevent and detect ransomware attacks.
Emergence Of The Edge
Businesses have over the past year shifted their focus away from assets that live inside the data center and more closely examined what’s taking place outside the corporate network, according to RSA CEO Rohit Ghai. This has led to renewed interest around identity and access management, IoT and OT monitoring, and endpoint detection and response, Ghai said.
Securing the edge starts with establishing users as legitimate actors on the corporate network, which Ghai said requires verifying identity both at the time credentials are provisioned as well as when the user is actually conducting work on the network. Since identities can be compromised at any time, Ghai said it’s vital that they be verified continuously and not just at the time of log-in.
Robust identity offerings are vital when an organization doesn’t fully control the environment its users are operating in such as a home network or critical infrastructure setting, according to Ghai. “In an environment you don’t control, you can’t trust anyone,” Ghai said.
Human adversaries are able to find the most painful part of a victim organization to hold for ransom and can execute an attack plan that’s able to move beyond the defender’s traditional controls, according to McAfee CTO Steve Grobman. Specifically, Grobman said human operators can perform reconnaissance to get a better sense of the victim’s threat surface, and then tailor their attack based on what they see.
Human operators can try multiple things in the victim organization until they find something that works, moving from one particular exploit to the next, Grobman said. And if a targeted business is found to have vulnerable applications, configurations, or operating systems, Grobman said the humans can make real-time decisions around how to capitalize on that information to build a lethal and successful attack.
The best way to outsmart a human adversary is with a well-trained cyber operations team armed with the best detection technology, he said. Reconnaissance activity will show up as suspicious behavior in an EDR (endpoint detection and response) or XDR (extended detection and response) tool, allowing a well-trained cyber defense team to locate the hackers before they inflict much damage.
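Grobman’s point that hands-on-keyboard reconnaissance is visible in endpoint telemetry can be shown with a small detection rule. The following is an added example written for this page, not McAfee product logic: it runs over a constructed list of process-execution events and flags any host/user that runs several distinct built-in discovery commands (whoami, net, nltest, systeminfo, quser, ipconfig, tasklist) inside a short window. The event format, hostnames, usernames and thresholds are all assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint process telemetry (not real EDR output):
# (timestamp, host, user, command line)
SAMPLE_EVENTS = [
    ("2021-05-10T09:00:05", "WS-114", "jdoe", "outlook.exe"),
    ("2021-05-10T09:01:10", "WS-114", "jdoe", "whoami /all"),
    ("2021-05-10T09:01:12", "WS-114", "jdoe", 'net group "domain admins" /domain'),
    ("2021-05-10T09:01:20", "WS-114", "jdoe", "nltest /dclist:corp"),
    ("2021-05-10T09:02:02", "WS-114", "jdoe", "systeminfo"),
    ("2021-05-10T09:02:40", "WS-114", "jdoe", "quser"),
    ("2021-05-10T09:03:15", "WS-114", "jdoe", "ipconfig /all"),
    ("2021-05-10T09:05:00", "WS-220", "asmith", "ipconfig /all"),   # benign: isolated
    ("2021-05-10T14:30:00", "WS-220", "asmith", "whoami"),          # benign: hours apart
]

# Windows built-ins an intruder typically runs right after landing on a host.
# Individually each is normal admin activity; a burst of several is not.
DISCOVERY_COMMANDS = {"whoami", "net", "net1", "nltest", "systeminfo",
                      "quser", "ipconfig", "tasklist"}


def _executable(cmdline):
    """First token of the command line, lower-cased, without a .exe suffix."""
    exe = cmdline.split()[0].lower()
    return exe[:-4] if exe.endswith(".exe") else exe


def discovery_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Return (host, user, first_timestamp, distinct_commands) for every
    host/user pair that ran at least `threshold` distinct discovery
    commands within `window`. One alert per actor is enough for triage."""
    per_actor = defaultdict(list)
    for ts, host, user, cmdline in events:
        exe = _executable(cmdline)
        if exe in DISCOVERY_COMMANDS:
            per_actor[(host, user)].append((datetime.fromisoformat(ts), exe))

    alerts = []
    for (host, user), runs in per_actor.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            in_window = {exe for t, exe in runs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts.append((host, user, start.isoformat(), sorted(in_window)))
                break
    return alerts


if __name__ == "__main__":
    for host, user, first_seen, cmds in discovery_bursts(SAMPLE_EVENTS):
        print(f"{first_seen} {host} {user}: discovery burst {cmds}")
```

The rule deliberately keys on *diversity* of discovery commands rather than volume, which keeps a single `ipconfig` from a help-desk technician out of the alert queue while still catching the sequence a human operator runs in the first minutes on a new host.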
Cyber insurance underwriters are demanding more investment from the companies they cover to help keep the number of claims filed under control, said Rob Cataldo, managing director of Kaspersky North America. Specifically, Cataldo said insurers are requiring that school districts and other policyholders have both an endpoint detection and response (EDR) offering and an incident response retainer in place.
Detecting suspicious activity isn’t enough to keep organizations safe, and insurers therefore want to ensure policyholders can conduct a full-fledged digital forensic investigation to respond to and recover from security incidents. Having an incident response retainer makes it easier for the victim to change their configuration and security posture to prevent a similar compromise from happening again, he said.
As cyber insurance becomes more of an industry standard and regulatory requirement, Cataldo said it paradoxically gives hackers more incentive to carry out ransomware attacks since the victim now has access to resources (via their insurance policy) that will allow them to pay the ransom. Cyber insurance is pervasive among the Global 2000 and school districts, with adoption accelerating in the SMB space.
Weaponization Of Vulnerabilities
Hackers have become much more effective at weaponizing hardware and software vulnerabilities, with adversaries investing substantial resources into scouring products for points of weakness, according to SonicWall President and CEO Bill Conner. As a result, Conner said defenders need to ensure they’re keeping current with all operating systems and conducting penetration testing on an ongoing basis.
“They’re testing you daily, and these new techniques have a half-life of weeks, not years,” Conner said. “People can’t be lethargic. They must update and keep current.”
Businesses need to re-examine their whole authentication scheme from network administrators on down since adversaries are going after key users in both customer and partner organizations, Conner said. Defenders must go beyond network segmentation and include multiple administrators dealing with applications concurrently to make impersonation attempts more difficult, according to Conner.
Automating Security Intelligence
Nearly every security intelligence function from setting policies and addressing vulnerabilities to detecting threats and anomalies used to be very manual in nature, said Jeetu Patel, SVP and GM of Cisco Security and Collaboration. But the signal-to-noise ratio has become increasingly unmanageable, Patel said, with most companies possessing so much data that they can’t find the needle in the haystack.
Organizations are looking for help prioritizing what needs to be done, and Patel said this can be accomplished by leveraging machine learning models and intelligent pattern detection to correlate events more effectively. From assessing risk to addressing anomalous behaviors, Patel said there needs to be automated intelligence baked in to make the offering usable for customers.
Businesses can reduce friction for network operations and security operational professionals by making it possible for them to set policies and approve applications from a single location, Patel said. Machine learning can be leveraged to suggest default settings and policies for businesses, massively simplifying the mundane parts of security management so that professionals can focus on higher-value tasks.
Cutting Through The Noise Around XDR
A slew of security companies that grab, correlate and synthesize data from different places are now calling themselves XDR (extended detection and response) vendors, and customers need a way to cut through the noise and figure out who actually has a broad enough portfolio to deliver telemetry from multiple places, according to Trend Micro Chief Operating Officer Kevin Simzer.
Discerning customers should look for broad offerings that provide out-of-the-box hookups for endpoint, email, network and cloud workloads without any integration or professional services work required, Simzer said. Lots of XDR vendors claim they can ingest data from a variety of places, but if the setup requires a lot of additional effort, Simzer said it can be quite difficult for many enterprises to pull off.
Customers should also examine the data lake and console capabilities of vendors claiming to offer XDR to ensure their threat hunting and forensic analysis offerings are up to snuff, Simzer said. Given how pervasive breaches are, Simzer said XDR vendors should be able to get to the bottom of a security incident and figure out what’s truly going on in the customer’s environment.
Securing Remote Workers
Businesses are looking for help rationalizing, simplifying, and streamlining their IT ecosystem as users increasingly purchase SaaS products on their own without the IT department’s knowledge, said Cisco Security Chief Strategy Officer Dug Song. At the same time, Song said companies are having to defend a much larger and more complex attack surface following the COVID-driven shift to remote work.
The shift from having employees on corporate devices and networks to having workers use personal computers and access corporate resources outside the network has exposed endpoints to new and different threats, Song said. Businesses should seek out greater context by consolidating their visibility across their entire fleet of endpoints, including those endpoints the company doesn’t itself manage.
Organizations can reduce their IT footprint by consolidating all their VPNs and appliances into a single cloud-managed entity and pursuing one-click integrations for the deployment of cloud security or SD-WAN, according to Song. Companies can also benefit from advanced visibility into their endpoint estate that supports telemetry and threat hunting as well as basic IT operations use cases, Song said.
Stemming The Bleeding From Ransomware
Companies are laser-focused on reducing their mean time to recovery as well as the loss of sensitive customer data during a ransomware attack, according to IBM Security General Manager Mary O’Brien. As the SolarWinds attack demonstrated, malware can come in on a trojan and be silent for an extended period of time, meaning that businesses should maintain several copies of their backups, O’Brien said.
Specifically, O’Brien said companies need to make sure they’re not backing up to a point in time when their system was also infected. Customers have increasingly embraced the idea of having multiple backups from multiple points in time to accelerate the recovery and ensure customer data isn’t lost, according to O’Brien.
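O’Brien’s point about keeping multiple points in time is easy to quantify. The following is an added example written for this page, not IBM’s method or product: it compares a naive “keep the last seven nightly copies” policy with a grandfather-father-son rotation (daily, weekly and monthly copies) and asks which retained copy is the latest one taken before the earliest indicator of compromise. The backup dates and the compromise date are constructed for illustration.

```python
from datetime import date, timedelta


def daily_only_retention(last_backup, keep_daily=7):
    """Naive policy: only the most recent `keep_daily` nightly copies survive."""
    return {last_backup - timedelta(days=i) for i in range(keep_daily)}


def gfs_retention(last_backup, keep_daily=7, keep_weekly=4, keep_monthly=3):
    """Grandfather-father-son policy: the last `keep_daily` nightly copies,
    the last `keep_weekly` Sunday copies and the last `keep_monthly`
    first-of-month copies are all retained as separate points in time."""
    kept = daily_only_retention(last_backup, keep_daily)

    # Weekly copies are the most recent Sundays on or before the last backup.
    sunday = last_backup - timedelta(days=(last_backup.weekday() + 1) % 7)
    for i in range(keep_weekly):
        kept.add(sunday - timedelta(weeks=i))

    # Monthly copies are the first day of each of the last `keep_monthly` months.
    first = last_backup.replace(day=1)
    for _ in range(keep_monthly):
        kept.add(first)
        first = (first - timedelta(days=1)).replace(day=1)
    return kept


def latest_clean_backup(backups, first_compromise):
    """Latest retained copy taken strictly before the earliest evidence of
    compromise, or None if every surviving copy may already carry the malware."""
    clean = [d for d in backups if d < first_compromise]
    return max(clean) if clean else None


if __name__ == "__main__":
    # Constructed scenario: the last good nightly run is 14 May 2021, and the
    # investigation later places the initial foothold at 10 April 2021,
    # i.e. roughly five weeks of silent dwell time before detection.
    last_backup = date(2021, 5, 14)
    first_compromise = date(2021, 4, 10)
    for name, policy in (("daily-only", daily_only_retention), ("GFS", gfs_retention)):
        restore_point = latest_clean_backup(policy(last_backup), first_compromise)
        print(f"{name:10s}: clean restore point = {restore_point}")
```

With a dwell time longer than the daily retention window, the naive policy leaves no clean copy at all, while the GFS rotation still offers the 1 April monthly copy. The compromise date fed in should be the earliest indicator found in the investigation, not the ransomware detonation date, and the retained copies only help if they are stored where the intruder who encrypted production cannot also delete them.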
Aside from backups, O’Brien said network segmentation helps contain potential damage by minimizing the hacker’s access to anything that’s deeply sensitive or valuable. Customers’ concerns about ransomware span the gamut from extortion and destroying core business infrastructure to losing customer data and running afoul of compliance mandates, according to O’Brien.
Extorting Ransomware Victims
Companies have begun thinking more seriously about their exposure in relation to a ransomware attack both from a brand and liability perspective, according to Fidelis Cybersecurity President and CEO Anup Ghosh. Businesses face potential liability from the leaking of customer data as well as potential brand damage if the exposed data casts the company in an unfavorable or embarrassing light, Ghosh said.
Specifically, Ghosh said internal emails and trade secrets can be very sensitive and cause significant harm to an organization if they’re publicly disclosed. By taking advantage of the victims’ fear and emotion, Ghosh said hackers can strongarm organizations into paying a ransom to avoid the public spotlight.
It’s important for customers to have a comprehensive view across their endpoint, network and cloud to maintain visibility into the high-profile attacks that have been seen recently, according to Ghosh. He’d also like to see the federal government play a role in helping private sector organizations respond to ransomware attacks against critical infrastructure.