The RSA Conference (RSAC) in San Francisco is one of the year's largest gatherings of security professionals, with a reported attendance of more than 45,000. From three-letter government agencies to startup security vendors taking the first step toward their big cash-out, the exhibit floor is filled with technology and services while enterprise security professionals, CISOs and security researchers of varying levels of respectability roam the aisles and fill conference seats. It's a good place to be if you want to get a feel for the big concerns and issues in the computer security space.
Every year, attendees and journalists are asked about their impression of the show. It's a shorthand way for people who aren't in the security field to ask what they should be afraid of, or what they should know about computer and network security. This year, there are four words that seem to be part of almost every conversation, booth presentation and sales pitch. Each contains, in its own way, information about the status of the security field in 2017.
What are those four potent words? Listing them is easy: visibility, IoT, partnership and automation. When you look inside those words things get more challenging -- and much more interesting.
The impression gained in many conversations here is that CISOs, and IT professionals in general, have but the faintest idea of what's truly happening on their networks. The level of ignorance about how many devices, what sort of devices and how many cloud services are playing on the enterprise network is profound. Why is there such a high level of ignorance? On that, opinions vary, though the explosion of IoT, the continuation of BYOD and the economic power of shadow IT are combining to make the enterprise network such a dynamic place that it's difficult to know just how many devices are attaching at any one time.
Most of the researchers I spoke with at RSAC said that the IT group consistently under-counted devices by anywhere from 50 percent to 150 percent. It's not that people think that these are malicious actors lurking about on the network and waiting to attack -- it's just that each employee now represents somewhere around 3.5 connected devices and few physical systems (think HVAC and physical security) come without many more devices than are plainly visible.
What everyone agrees on is that knowing your network is the first step in protecting your network. The lack of visibility is a huge piece of the security deficit felt by many organizations today.
Not to get all Socratic Method here, but the first thing you have to do is define "IoT." Is it all the Fitbits walking around on employee wrists? The POS terminals and thermostats in your retail outlets? The process control systems in your manufacturing facilities? All of the above? Something else entirely?
The answer, of course, varies with precisely who's doing the defining. And the nature of that answer will go some way toward explaining the visibility problem already mentioned, and toward rationalizing the CISO's attitude toward protecting the IoT.
IoT security starts with the understanding that the industrial IoT and consumer IoT are two very different things that place very different demands on enterprise security. It continues with the firm knowledge that many techniques used for securing computing endpoints aren't possible with the IoT; watching traffic to and from IoT nodes may be the only way to monitor, analyze and protect IoT devices from criminals -- and the rest of the internet from the botnet trying to use IoT devices against others.
It seemed that every company on the expo floor at RSA was eager to talk about APIs -- how their API was being used by other companies, and how they were eagerly making use of APIs to bring capabilities from other companies' products into their own. At least for this year, the spirit of cooperation was in the air as each company wanted to show that they were more open and cooperative than the next.
It's important to remember, though, that an available API is only part of what's needed for a complete security infrastructure. Someone, somewhere, has to use the API to integrate two (or more) components into the solution for a security problem. In an interview with Light Reading, David Ulevitch, vice president and general manager of security business for Cisco, said, "People don't want the potential of APIs, they want the results of integration. The number of customers that harness APIs is much smaller than the number of customers taking advantage of integration."
Put another way, everyone recognizes that enterprise security is complicated and security vendors are reluctant to over-promise capabilities. An emphasis on APIs and integration means that there's at least the possibility of taking a "best of breed" approach to building a security solution. Actually getting there? Well, enterprise security is still complicated.
Security threats move at lightning speed and humans are ill-equipped to keep up the pace. That's why automation is the fourth word describing this year's RSAC. In truth, automation is a broad word that encapsulates at least a couple of other concepts. Some companies will tell you about the AI used in the product while others use the phrase "machine learning" to describe what they do. In either case, the impact on the customer is the same.
When security components can collect data, perform analysis, decide on a course of action and then take action without involving humans, then there's the possibility of responding to threats before they can cause damage. Both enterprise customers and security vendors want security systems that successfully deal with the vast majority of security incidents without ever involving humans, leaving analysts and administrators to deal with outliers, marginal cases and truly novel situations.
Five days, 45,000-plus people and four words; the story of RSAC 2017 in the tightest of nutshells.
— Curtis Franklin, Security Editor, Light Reading