The Show Must Go On
Over the past 28 years, the RSA Conference has become the world's meeting place for enterprise and technical information security professionals, with more than 43,000 people and 700 vendors gathering to show off their latest products and discuss recent innovations in cybersecurity data, innovation and thought leadership.
But the fate of this year’s RSA Conference seemed precarious after the coronavirus outbreak prompted the cancellation of Mobile World Congress in Barcelona and Facebook’s global marketing summit in San Francisco. RSA Conference officials said 1.2 percent of attendees canceled their registration, and three Platinum and Gold sponsors—IBM Security, AT&T Cybersecurity and Verizon—are among the 14 vendors to have pulled out of the show.
In an open letter to RSA attendees, San Francisco Mayor London Breed said the risk of becoming infected from coronavirus in San Francisco is low since the virus isn’t circulating in the community. Conference officials put several health and safety measures in place, including continuous disinfection of registration counters and floors and health screenings for qualified international travelers.
As we head into RSA Conference 2020 this week, CRN sat down with executives from eight prominent cybersecurity vendors to see what they expect to be the major areas of focus at this year's event. From SD-WAN and DevSecOps to asset identification and passwordless technology, here's a look at some of the security trends experts are watching for at this year's show.
State actors are now more than ever presenting challenges to organizations that have become accustomed to battling adversaries focused on monetary gain rather than maximizing business disruption, according to Mike Adler, vice president of RSA NetWitness.
Nation-state actors tend to focus on creating brand damage and economic damage by disrupting manufacturing or critical infrastructure, Adler said. That’s in sharp contrast to criminal adversaries, who typically focus on going after credit card data or intellectual property that can be monetized on the black market, according to Adler.
As a result, Adler said audits need to expand from being purely focused on safeguarding credit card numbers and other personally identifiable information to examining how infrastructure like medical and manufacturing devices are protected. Companies looking to defend against nation-state attacks can reduce cyber-risk by examining the systems controlling operations and how data moves out of the company.
More Sophisticated Attackers
As recently as a couple of years ago, ransomware was typically more of a spray-and-pray-type attack carried out by inexperienced script kiddies, according to Sophos Chief Product Officer Dan Schiappa. But now that the industry has met the challenge of mass-market hacking, Schiappa said skilled, hands-on adversaries have taken to using ransomware for highly targeted attacks.
Highly skilled attackers try to find visibility gaps in an organization’s defenses, Schiappa said, hiding malware and other exploits in channels that are typically unexamined. Small businesses too often fail to realize that they might be the target of highly sophisticated attacks due to their position in a more prominent company’s supply chain, according to Schiappa.
In addition to helping customers better understand their unique threat landscape, Schiappa said solution providers must also be able to provide comprehensive protection against the threats they’ve helped identify or discover.
The conversation around DevSecOps has evolved from being an idealistic vision of where organizations need to be at some point in the future to a description of what they are trying to do in the present, according to Leslie Bois, Veracode’s vice president of global channels and alliances. But customers haven’t yet completed their DevSecOps evolution since it’s not as fast as they’d like it to be, Bois said.
Successfully implementing DevSecOps requires a cultural change within organizations and an adjustment of their entire internal process in terms of how they think, act and behave, Bois said. Businesses that do the best at adopting DevSecOps have their development and security teams in the same room and create a solution that suits the needs of both departments, according to Bois.
There aren’t a lot of DevSecOps experts out there today, but Bois said businesses that are able to turn to a third-party consultant around DevSecOps tend to be more successful in implementing best practices. Teaching and training people in how to do DevSecOps better and faster will pay dividends in the long run, according to Bois.
Journey To A Passwordless World
The industry has finally reached the tipping point of being ready to talk about truly passwordless technology and now actually has a way of getting there, according to Jim Ducharme, vice president of identity and fraud and risk intelligence for RSA Security.
But the initial spike in passwordless tools has neither reduced security risks nor lowered help desk costs since users are still required to enter their password from time to time and are more likely to forget it since they’re using it less often, Ducharme said. Nowadays, if people forget their passwords, a weaker mechanism is used to verify their identity such as entering their mother’s maiden name, Ducharme said.
A more secure enrollment and recovery process would enlist a trust mechanism between two people where, for instance, a person who forgets their token can only re-enroll once they receive an invitation with a QR code from a trusted third party such as a colleague, according to Ducharme. Identity confidence scoring can also protect higher-risk applications by banning unapproved temporary access.
Zero-Trust Network Access
Zero-trust network access will revolutionize cloud migration by reducing or eliminating the network attack surface when a user is connecting to an application in the cloud, according to Al Caravelli, Zscaler’s vice president of worldwide channels and alliances. In the past, Caravelli said companies needed to enter the network and use a VPN in order to securely access the cloud.
But zero-trust network access greatly reduces the likelihood of a credential breach from a contractor since no IPs are ever published and third parties wouldn’t have access to the network or any applications, Caravelli said. By eliminating the attack surface, Caravelli said zero-trust network access puts users ahead of the adversary.
As companies migrate apps to the cloud and 5G starts to come onto the scene, Caravelli said zero-trust network access will provide users with a secure and direct connection to the internet without ever having to access the network. This should greatly reduce the impact of any potential breach as well as the likelihood of a breach altogether.
The SD-WAN architectural shift should be about more than just connectivity, but customers for too long have been working with separate vendors for SD-WAN and security, according to Samantha Madrid, Juniper Networks’ vice president of security business and strategy. Using a single vendor for both the networking and security elements of SD-WAN will simplify the architectures and deployment, she said.
Security must be part of the initial SD-WAN architecture and shouldn’t be bolted on, and organizations making architectural design changes should be considering security from the get-go, Madrid said. If security is incorporated into the SD-WAN architecture, Madrid said customers benefit from built-in architecture that’s specific to their location, user, device and access type portfolio.
An end-to-end security strategy around SD-WAN addresses everything from initializing the connection to application access and quality assurance to being able to do deep packet inspection and file analysis themselves, according to Madrid.
CISOs Becoming Part Of Boardroom Conversation
Cybersecurity is becoming a constant part of the boardroom conversation since businesses now face very real material threats at the stroke of a key, said BitSight CEO Steve Harvey. As boards spend more time on security, Harvey said there needs to be a common language between the highly technical practitioners and the less technical board so that everyone can understand what’s being discussed.
Harvey said boards are most interested in assessing the level of risk being assumed, both in terms of what the company is doing from a security perspective and how it can do that better as well as what the business’ cyber posture is relative to a peer group, industry or segment. CISOs are therefore expected to provide their boards with a framework that assesses cyber risk on both an individual and a relative basis.
As the CISO becomes more important and prominent in board conversations, Harvey said they must take the time to authenticate the quality of the cyber rating provider they’re considering.
As organizations embrace cloud infrastructure, they need a way to protect their assets in a centralized fashion since the cloud providers are focused only on safeguarding the infrastructure itself, according to Rob Cataldo, managing director of Kaspersky North America. Adversaries have created their own unique cloud malware that puts assets at risk by targeting the pathways into the cloud, Cataldo said.
Organizations have for too long overlooked the importance of safeguarding the integrity of the workspace in protecting assets, Cataldo said. But without workspace protection, Cataldo said the doors are wide open for adversaries to go after workspaces and capitalize on a more agile environment to spin themselves up quickly.
Solution providers can best protect customers from these types of threats by aligning themselves with anti-malware providers that are focused on workspace security and central orchestration, according to Cataldo.
CISOs want a better view of what’s going on in their organization’s expanded IT ecosystem, especially the areas they don’t have direct control over, according to David Walter, vice president of RSA Archer. In order for businesses to protect an asset, Walter said they first need to know it’s there.
Asset identification has become more difficult since departments are purchasing technology on their own, meaning that IT can no longer rely on a configuration management database (CMDB), according to Walter. In addition, Walter said the embrace of cloud, IoT and other types of digital infrastructure means that businesses are more frequently operating or storing critical assets in third-party ecosystems.
Startups have excelled at collecting information on IoT devices, cloud assets and accounts, third-party access, and digital assets and putting that information in the context of what matters to the business, Walter said. By leveraging machine learning and network monitoring and bringing new algorithms, analytics and context to data that already exists, businesses can reassert control over their IT assets.
Too many companies exhibiting at the RSA Conference have either point products or stand-alone features that don’t even add up to a product, according to John Maddison, Fortinet’s executive vice president of product and chief marketing officer.
In order to roll out automation, Maddison said vendors must have a platform that spans across several different cybersecurity technologies. It’s simply impossible for customers to take advantage of automated workflows if they’re having to depend on 10 different vendors, according to Maddison.
A platform approach allows businesses to have a holistic view across their entire infrastructure, meaning that businesses can leverage automation to monitor what’s happening in their infrastructure, Maddison said. Having automated workflows across the entire infrastructure means that businesses can respond promptly to threats and abnormalities whether they’re in the factory or in the data center, he said.