The 12 Most Overhyped Cybersecurity Trends From RSA Conference 2020
CRN asks security CEOs, channel chiefs and technical leaders attending RSA Conference 2020 which cybersecurity trends seem to be more about sounding cutting-edge than keeping businesses safe.
Vendors at RSA Conference 2020 did their best to stand out among more than 600 of their cybersecurity peers, but they sometimes ended up resorting to the same buzzwords to satisfy customers, investors or other stakeholders in the company.
Some trends like artificial intelligence and zero trust made their way onto the list because the aspirational buzzwords rarely describe what a company's technology actually does. Others like deception technology and vulnerability management notched a spot due to questions around how effectively they address the critical security issues facing businesses.
An overemphasis on zero-day vulnerabilities was called out for causing customers to focus on purchasing high-end technology rather than basic security hygiene and prioritizing alerts. And more cutting-edge tools like managed detection and response can be too expensive for smaller customers or run the risk of leaving holes in their security posture since some MDR offerings address only firewalls and anti-virus.
Here’s what a number of CEOs, sales leaders and technical leaders told CRN at RSA Conference 2020 about the most overhyped cybersecurity trends in the industry today.
Managed Detection And Response
The hype around managed detection and response (MDR) is very premature given the enormous cost associated with outsourcing every element of advanced security, said Mike LaPeters, Malwarebytes’ vice president of worldwide MSP and channel operations. MDR today typically requires a five-figure-per-month investment, and LaPeters said most SMBs simply can’t afford to spend that much on security.
In addition, LaPeters said many MDR vendors are setting unrealistic expectations relative to their current capabilities. Specifically, he said these companies are promising to fulfill all of the business’ security needs in a fully managed fashion when, in reality, they’re only providing managed anti-virus or managed firewall.
Customers need to educate themselves about all the components of a secure environment before reaching out to an MDR vendor, and then make sure the vendor they’re speaking with has a story for each one of those elements. Specifically, LaPeters said businesses should get information on the MDR vendor’s threat hunting technology and processes and their adherence to compliance frameworks.
Zero Trust
The world of zero trust is theoretically going to do away with edge-based infrastructure, meaning that businesses will be able to deploy infrastructure and applications without demarcation points like firewalls, according to Gigamon CEO Paul Hooper.
Firewalls are antithetical to a zero-trust strategy since they inherently trust items inside the perimeter, while zero trust assumes nothing is trustworthy and instead relies on credentials and access to establish trust, Hooper said. The zero-trust baseline will change the way organizations design and approach security by putting trusted relationships front and center, according to Hooper.
Eliminating the firewall will result in a pivot to network segmentation or microsegmentation focused on containing a number of devices within a given area, Hooper said. As a result, Hooper said network infrastructure will be used in a different way to communicate and control flow between devices and operate at a segment level rather than a pan-enterprise level.
Zero-Day Vulnerabilities
The cybersecurity industry tends to prepare for the worst at the expense of preparing for the likely, resulting in excessive hype around zero-day vulnerabilities or the most sophisticated threats out there, said RSA President Rohit Ghai. Instead of going after new or hyped areas, Ghai said the industry needs to do a better job on the fundamentals like vulnerability management and multifactor authentication.
Focusing on the most complex threats has driven the wrong behavior in the security industry, causing many businesses to pursue a strategy that results in a glut of tools and lots of wasted energy moving information from one tool to the next, Ghai said. As a result, security analysts find themselves wasting resources on mundane tasks and can’t prioritize what’s important.
Hackers today are launching many of their attacks using script kiddies, so Ghai said it’s foolish for the industry to have such a technology-centric defense strategy. Instead of overwhelming analysts with alerts, Ghai said businesses should focus on correlation and prioritization to maximize their use of resources.
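The correlation-and-prioritization approach Ghai describes, as an added example that is not from the article or from RSA: raw alerts are merged by host inside a time window into incidents, each incident is scored so that several distinct detections on one machine outrank a flood of repeated low-severity noise, and the analyst gets a short ranked list. The alert feed, host names, detection types and severities are constructed sample data; the window length and scoring weights are assumptions chosen for illustration.

```python
"""Alert correlation and prioritization over a constructed sample feed.

Added example (not from the CRN article or any vendor named in it).
Groups raw alerts by host inside a time window, scores the resulting
incidents, and returns them ranked so an analyst sees a short
prioritized list instead of every individual alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, host, detection type, severity 1-5).
SAMPLE_ALERTS = [
    ("2020-02-25T09:00:05", "ws-017", "phishing_attachment_opened", 2),
    ("2020-02-25T09:00:41", "ws-017", "macro_spawned_powershell", 4),
    ("2020-02-25T09:02:10", "ws-017", "outbound_to_new_domain", 3),
    ("2020-02-25T09:05:00", "ws-042", "failed_login", 1),
    ("2020-02-25T09:05:30", "ws-042", "failed_login", 1),
    ("2020-02-25T10:30:00", "ws-017", "failed_login", 1),
    ("2020-02-25T11:00:00", "srv-db-01", "av_signature_match", 3),
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def parse(alerts):
    """Turn ISO timestamps into datetimes so alerts can be sorted and compared."""
    return [(datetime.fromisoformat(ts), host, kind, sev) for ts, host, kind, sev in alerts]


def correlate(alerts, window=WINDOW):
    """Merge alerts on the same host that arrive within `window` of the
    previous alert on that host into one incident. Each incident records
    host, start, end, the set of distinct detection types, the maximum
    severity seen, and the raw alert count."""
    by_host = defaultdict(list)
    for ts, host, kind, sev in sorted(parse(alerts)):
        by_host[host].append((ts, kind, sev))
    incidents = []
    for host, events in by_host.items():
        current = None
        for ts, kind, sev in events:
            if current is None or ts - current["end"] > window:
                current = {"host": host, "start": ts, "end": ts,
                           "kinds": set(), "max_sev": 0, "count": 0}
                incidents.append(current)
            current["end"] = ts
            current["kinds"].add(kind)
            current["max_sev"] = max(current["max_sev"], sev)
            current["count"] += 1
    return incidents


def score(incident):
    """Priority = highest single severity plus a bonus for every distinct
    detection type beyond the first. Several different signals on one host
    in a short window is the strong indicator; repeated copies of the same
    low-severity alert add nothing."""
    return incident["max_sev"] + 2 * (len(incident["kinds"]) - 1)


def prioritize(alerts, window=WINDOW):
    """Correlate, score and rank (highest score first, earlier start breaks ties)."""
    incidents = correlate(alerts, window)
    for inc in incidents:
        inc["score"] = score(inc)
    return sorted(incidents, key=lambda i: (-i["score"], i["start"]))


if __name__ == "__main__":
    for inc in prioritize(SAMPLE_ALERTS):
        print(f'{inc["score"]:>2} {inc["host"]:<10} {inc["count"]} alerts {sorted(inc["kinds"])}')
```

Seven alerts collapse to four incidents, and the phishing-to-PowerShell-to-egress chain on ws-017 lands at the top with a score of 8 while the two repeated failed logins on ws-042 sit at the bottom with a score of 1. In a real SOC the grouping key would usually combine host with user or source address, and the weights would come from the organization's own incident history rather than the constants assumed here.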
Building Security Into Other Technologies
Broad technology vendors like to say that security is inherent to their operating system or hypervisor, but those efforts serve to marginalize what’s a significant problem in the industry given the continued vulnerabilities and exploits in OSes and virtualized infrastructures, according to Matthew Polly, CrowdStrike’s vice president of worldwide business development, alliances and channels.
Security can’t be an afterthought that is bolted onto an OS, business application or virtualization tool by whoever designed it, Polly said. Keeping up with an adversary is a constant arms race, and a manufacturer whose primary mission is OS or virtualization isn’t likely to make the investments necessary to successfully do so, according to Polly.
Manufacturers also don’t have protection, detection and response capabilities for the customer if an adversary is able to come in and perpetrate a breach, Polly said. Public cloud vendors have been better about building some security into their infrastructure while partnering with security vendors to take care of the rest, but OS and virtualization companies often claim they can deliver all the security on their own.
Artificial Intelligence
Artificial intelligence and machine learning have the capacity to do amazing things, but organizations are rarely able to operationalize the technology to produce an output that reduces risk, increases automation or improves systems, said Richard Bird, Ping Identity’s chief customer information officer. The hype around AI makes people think it can deliver results today that are several years out, he said.
To optimize the capabilities of AI, Bird said there would need to be big changes in company structure and organizational processing. In essence, Bird said businesses would need to deconstruct their processes, see where AI technology could fit in, and then rebuild the processes with that in mind.
AI will eventually be a key stepping stone to usher in the next wave of technological innovation, Bird said, whether that’s quantum computing, serverless technology or something different. It’ll also serve as a building block for the identity and access controls required once people start building apps and putting them directly on the public internet rather than using a cloud provider, according to Bird.
Zero Trust
Zero trust has been broadly misinterpreted due to vendors slapping the label on technology that has nothing to do with the original concept of de-perimeterization, according to Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. Although the term has been misused, Kalember said it’s worth doing the work to construct an actual zero-trust architecture.
By definition, Kalember said zero trust can’t be used to describe a network perimeter or a box or virtual box that takes the role of a network perimeter. Conversely, the idea of identity or user-based controls being the new perimeter is more in the spirit of zero trust, according to Kalember.
Zero trust should mean that no one on the network is trusted and users only have access to the things they need for their job and nothing else, according to Kalember. Strict enforcement of zero trust makes lateral movement impossible, Kalember said, meaning that an adversary wouldn’t get access to an organization’s whole internal network even if they’re able to break in.
Deception Technology
The line between deception technology or honeypots and actually creating a more secure outcome for customers is difficult to determine since simply identifying a threat actor doesn’t make an organization less likely to be attacked, according to Wendy Thomas, Secureworks’ chief product officer.
For instance, Thomas said a honeypot might tempt a threat actor into doing something that’s not a pervasive technique for compromising customers, meaning that the customer isn’t getting much bang for their buck. Businesses will benefit more from incorporating the most common scenarios seen by incident response teams who are out in the field responding to real-world incidents, Thomas said.
Basic hygiene such as patching and configuring cloud instances correctly is the most important thing businesses can do to keep themselves safe, according to Thomas.
Vulnerability Management
Being presented with a list of hundreds of thousands of problems doesn’t do a CISO much good given the amount of digital assets and software in an organization, according to Unisys CTO Vishal Gupta. Continuously telling businesses what’s wrong is more of a risk identification strategy than a risk mitigation strategy, and doesn’t provide them with any better handle on the problem, Gupta said.
Too often, Gupta said what counts as mitigation in the context of vulnerability management is just creating a ticket on ServiceNow and passing the problem along to somebody else. In large organizations, Gupta said CISOs might have a list of more than 100,000 vulnerabilities at any given time, and then hold meetings to figure out who can fix which issue.
A more pragmatic approach to handling risk than traditional vulnerability management would place automation and remediation front and center, Gupta said, and leverage biometrics and microsegmentation rather than long lists with check boxes.
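What "automation and remediation front and center" can look like in practice, as an added example that is not from the article or from Unisys: scanner findings are scored by exploitability and by the asset they sit on rather than by CVSS alone, anything a vetted patch can fix on a host that permits unattended patching is queued for automatic remediation, and only the remainder above the risk threshold reaches a person. The findings, host names, vulnerability identifiers (placeholders, not real CVE numbers), weights and threshold are all constructed or assumed for illustration.

```python
"""Risk-based vulnerability prioritization with automated remediation.

Added example (not from the CRN article or Unisys). Takes a constructed
list of scanner findings, scores each by exploitability and by what it
sits on rather than by CVSS alone, auto-remediates the ones a vetted
patch can fix, and leaves a short list for people to act on.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str              # constructed placeholder ids, not real CVEs
    cvss: float               # base score 0-10
    exploited_in_wild: bool   # known active exploitation
    host: str
    internet_facing: bool
    asset_criticality: int    # 1 (lab box) .. 5 (crown-jewel data store)
    patch_available: bool     # a tested patch exists
    auto_patch_allowed: bool  # host's change class permits unattended patching


def risk_score(f: Finding) -> float:
    """CVSS weighted by context (assumed weights): known exploitation and
    exposure dominate a raw severity number, and asset criticality scales
    the whole thing so a 9.8 on a lab box ranks below a 7.5 on a database."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 4
    if f.internet_facing:
        score += 2
    return round(score * f.asset_criticality / 5, 2)


def plan(findings, threshold=5.0):
    """Split findings into (auto_remediated, needs_human, accepted), each a
    list of (vuln_id, host, risk) ordered by descending risk."""
    auto, human, accepted = [], [], []
    for f in sorted(findings, key=risk_score, reverse=True):
        r = risk_score(f)
        if r < threshold:
            accepted.append((f.vuln_id, f.host, r))   # track it, but do not ticket it
        elif f.patch_available and f.auto_patch_allowed:
            auto.append((f.vuln_id, f.host, r))       # queue for unattended patching
        else:
            human.append((f.vuln_id, f.host, r))      # needs a change window, exception or compensating control
    return auto, human, accepted


# Constructed sample findings: the same vulnerability on an internet-facing
# web server and on an internal database ranks differently, and a middling
# CVSS on an exposed host outranks a higher CVSS on a workstation.
SAMPLE = [
    Finding("VULN-A", 9.8, True,  "web-01", True,  4, True,  True),
    Finding("VULN-A", 9.8, True,  "db-01",  False, 5, True,  False),
    Finding("VULN-B", 7.5, False, "ws-100", False, 2, True,  True),
    Finding("VULN-C", 5.3, False, "lab-07", False, 1, True,  True),
    Finding("VULN-D", 8.1, False, "web-02", True,  4, False, True),
    Finding("VULN-E", 4.0, False, "ws-101", False, 2, True,  True),
]


if __name__ == "__main__":
    auto, human, accepted = plan(SAMPLE)
    print("auto-remediate:", auto)
    print("needs a person:", human)
    print("below threshold:", accepted)
```

Of six findings, one is patched without anyone touching a ticket, two reach a human (the database host that cannot be patched unattended and the exposed server with no patch yet), and three fall below the threshold and are merely tracked. The scale is the point: the same split applied to a 100,000-row scanner export is what turns a list into a work queue.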
Secure Access Service Edge
Secure Access Service Edge (SASE) is the modern-day equivalent of a VPN, connecting edge devices to the internet at a time when the network is disappearing and being replaced by the internet, according to Philippe Courtot, chairman and CEO of Qualys. The need for SASE won’t last long since organizations are moving workloads into the cloud and the corporate network environment is shrinking, Courtot said.
As companies move more and more of their enterprise applications into the cloud, Courtot said the network will become just some wireless devices connected to the internet. Courtot said customers need to embrace digital transformation or else they won’t be in business for very long.
Many years ago, Courtot said the security industry’s resistance to the cloud was phenomenal, but today, people acknowledge that it’s not going anywhere.
Endpoint Detection And Response
Many enterprises see endpoint detection and response (EDR) as being enough to secure their company and no longer believe they have any need for anti-virus software, said Jason Eberhardt, Bitdefender’s vice president of global cloud and MSP. But EDR is a research tool to see what’s happening on an endpoint, he said, not a tool that blocks endpoints from getting infected in the first place.
As a result of the EDR push, Eberhardt said too many businesses have become complacent to the idea of an adversary being in their environment so long as the company is able to stop it before it does anything bad. But simply having a threat actor inside a company’s systems poses a threat, and Eberhardt said businesses need to become more vigilant about using technology that blocks the threat up front.
Solution providers should pitch a complete endpoint security posture to customers that includes technology to protect threat vectors from intruders in the first place, Eberhardt said.
Cloud Security
Everybody uses the same terminology around cloud security even though they’re not talking about the same thing, and the industry is still working its way to a full definition of what securing the cloud means as the ecosystem evolves, according to Chris Carter, FireEye’s vice president of Americas channels. Some offerings that call themselves cloud security are really only touching a portion of the problem, he said.
Carter believes that cloud security should be focused on protecting workloads in the cloud since that’s where the crown jewels of an organization—its data and intellectual property—can be found. Customers care about ensuring that their data and IP are protected, and as their valuable assets move up to Amazon Web Services, Microsoft Azure or Google, Carter said they want security tools that will protect those workloads.
Fusion And Monitoring
The idea of bringing together a vast number of cogs and information from across the enterprise is an idea that’s existed since ArcSight was founded in 2000, but back then, it was called correlation, according to Emily Mossburg, Deloitte’s global cyber leader.
Over the past two decades, correlation was rebranded as fusion and fusion was rebranded as monitoring, but fundamentally, Mossburg said it’s the same technology and the same approach. Companies in the space have improved at getting deeper into the stack, and as these vendors tried to make the latest breakthrough seem interesting and compelling, Mossburg said they came up with new things to call it.
The use case for monitoring has existed for a very long time, and although there have been advances and evolutions, Mossburg said the underlying concepts are very similar given the cyclical nature of these ideas.