Key Takeaways from RSA 2015

RSA 2015 drew more than 28,000 security-minded people to its latest week-long conference in San Francisco. The key takeaways from the discussions, workshops, and keynotes were highlighted by the tech, business, and mainstream press.

The Associated Press coverage pointed out that attending RSA is a particularly sobering experience for those not involved in the security industry. The reporter noted that many breaches are the result of human error – one click on a link in a phishing e-mail, malicious text message, or website can open a network to attack. “Verizon researchers estimate one in five phishing emails were read by their targets and one in 10 persuaded someone to open an attached file,” the reporter noted, adding that the newest phishing exploit features emails with official-looking attachments purporting to be fax or voicemail messages.

AP went on to list other “easy targets” including IoT (especially those “things” that are intended for home use), such as devices and apps that control lights, thermostats, and garage door openers. The concern here is not so much that a hacker will wreak havoc on your home’s temperature controls, but that eavesdropping on the data flow can reveal sensitive information about residents’ daily schedules, allowing, for example, criminals to know the times when people are not home.

The article also noted that hackers are better at sharing information about software vulnerabilities than companies are at sharing what they know about emerging threats and lessons learned.

Techweek Europe’s report looked at better ways to protect networks with new visibility tools and technologies. The article discusses the value of architecting increased compartmentalization into networks. “Flat networks are non-compartmentalized, so once one user is compromised, an attacker can pivot, use some form of privilege escalation bypass and get access to an entire network.” Or, as security researcher Chris Roberts describes it, a flat network enables “security hopscotch.” (BAI’s Compromise Assessment service addresses this important issue, with an analysis of anomalies across all endpoints of a network.)

CSO lamented the “Blinking Light Box” approach to security, stating that “vendors are trending towards what the public wants; and sadly what they’re looking for are boxes with blinking lights that you can plug-in and walk away from. In short, most products could be compared to a big button that eliminates attacks (or attackers) and offers ‘threat intelligence’ as a bonus. On the plus side, that big blinking box can generate pretty reports. So along with eye candy and lights, the boxes on display also promise to help organizations meet several regulatory and compliance requirements. Oh joy!”

Pointing out that the “checkbox-driven mindset for security is nothing but trouble,” CSO expressed a fervent hope that businesses aren’t going to think a device will ever be an adequate replacement for properly-trained security staffers.

Network World highlighted “visibility, data center security, two-factor authentication, and services” as the stars of RSA 2015. The reporter also made an interesting point about how RSA is now drawing participants from outside of the security-centric world. “DHS had its own booth at the show while the State of Maryland crowed about its cybersecurity education and public/private partnership. There was also an area of the show floor dedicated to Israeli cybersecurity innovation, ditto for Germany,” the reporter noted.

“Yes, it’s nice to see that our little industry has grown up, but let’s remember that the RSA Conference popularity is a function of just how dangerous the threat landscape has become. This reality should sober up the industry after its annual RSA party and subsequent hangover,” Network World concluded. We couldn’t agree more.
