A CISO’s Reflections on RSA 2017

Recapping RSA 2017: Endpoint Protection, Threat Hunting, and Talent Searching Abound!
February 28, 2017
5 min. read

Another RSA show is complete and it was as exciting and overwhelming as ever. Here are the thoughts that ran through my head as I surveyed all the new security technology being offered.

Confusion with Endpoint Protection Offerings

There were more than 40 endpoint protection vendors, but it was hard to differentiate between them. The specifics of how their solutions work and their protective capabilities and interoperability were generally not articulated clearly. I know these tools operate on vastly different principles due to my recent experience in the space. All claim to use machine learning, but how are they doing it specifically? It wasn’t apparent. There could be a gulf in effectiveness without truly knowing the answers. Most endpoint protection tools detect foreign software running on an endpoint, but how many look at the services native to the operating system being run? That level of detection can mean all the difference to fully understanding all stages of an attack. Adding to the confusion were the solutions touting “hunting” use cases. Some touted hunting on the endpoints, others on networks through connection data, still others are actually meant to find rogue network devices. None of the solutions I saw tied all of these together in an effective way. Lastly, there was little explanation about the richness of these vendors’ APIs. The ability to integrate and provide clarity and automation beyond their own solutions was not evident. We need a balance of tools to truly manage endpoint security.

Threat Hunting Services Seemed Less than Full-Featured

There was an explosion of consulting firms and Managed Security Service Providers (MSPPs) offering “hunting as a service.” Threat “hunting” refers to digging through existing logs and traces on a network to find resident threats that have so far evaded detection. However, many of these outsourced threat hunters don’t seem to be using all the data across their entire client base to hunt. This takes away the primary benefit you get from outsourcing: the threat hunters should have a global view of what’s going across all their customers. If little teams are segmented from each other, they’re cut off from that threat intelligence sharing. The big value proposition is that if they uncover a new threat at one customer, they can hunt everywhere rapidly to see who else might be impacted. There also seems to be confusion between threat intelligence and threat hunting, which is resulting in a conflation of these two related but distinct functions.

Talent Search

Speaking of hunting, it seemed everyone was hunting for security talent. Businesses, the government, even some foreign governments were all looking for folks. No surprises there; there is a shortage of talent. It seemed like everyone was getting approached for recruitment. At one agency booth, they were displaying those snazzy crime scene jackets you see in movies. If you asked the agents in the booth how you could win one, they handed you a job application. Shrewd marketing.

Threat Intelligence Sharing Goes Wide

There was a big push on threat intelligence sharing (finally!). The Department of Homeland Security introduced data sharing, and it wasn’t dismissed out of hand. That was a good sign. Cisco was also leading a threat sharing alliance. All good things. It will be interesting to see how this plays out. Our F5 Labs threat intelligence team has already begun speaking with several groups about threat sharing.

Identity Management Feature Creep

In the identity management product space, there was continued amoeba-like growth and transmuting. I’m not talking about “cloudification,” because everyone is doing that now. I mean identity management solutions expanding to include additional forms of authentication. Many are becoming authentication middlemen where the user’s password is dynamically replaced with certificate-based authentication. In some cases, the user doesn’t even know their own password for many services. Many platforms are adding endpoint assessment to their identity management portfolio, which is an interesting way for this space to subsume more and more things. My question is: how rich are these identity management directory APIs? Most organizations are going to want to stitch together their directories, so ID systems brokering is getting more complex. Managing these manually is painful. We should all be demanding greater richness in these APIs to ensure we get the interoperability and control we need.

Single Analytical Framework vs. Single Pane of Glass

The concept of a single pane of glass is an old one in IT—a single console that displays all relevant information; it’s a foregone conclusion in security. But it’s become far more critical that the logging data that makes up the security analytical enterprise is unified (that is, you’re correlating data in a single place). Disparate data sources have to be correlated and combined in order to expose what is happening to all the machines that make up the network. That doesn’t mean that you need to buy all of your software and gear from a single source to ensure interoperability with your security analytical enterprise though, as many of the vendors on the floor would have you believe. It’s better to have an open system that accepts data and analytics via APIs and feeds. Service chaining between vendors is where CISOs can get visibility and take control of their environments.

The Next Big Thing

There was a lot of talk at RSA about “artificial intelligence” (AI) but not a lot of definition as to what that meant. When challenged, many were actually describing Machine Learning or Expert Systems when they tried to explain what they do. I would have preferred to hear exactly what the solution was and how it worked. I am looking for a solution that is smart and fast enough to do mass collection and correlation from a large pool of sources and present it in a useful way. Better yet, can it orchestrate defensive response actions to block or contain an attack? This is sorely needed because even if you could hire enough of the best analysts in the world (and you can’t), they can’t react fast enough to deal with the lightning speed of attacks that are rolling in 24/7. Therefore, correlation and response platforms that quickly yield highly accurate results and are interoperable with systems that can stop an attack are what I am looking for next.

Join the Discussion
Authors & Contributors
Mike Convertino (Author)
Head of Technology

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read