CSO

Inside the RSAC expo: Buzzword bingo and the bear in the room

We mingle with the vendors so you don't have to


RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

A couple of observations from the show floor: First, not many masked faces. Pretty risky move for risk managers. Maybe the vendors thought they could make up for this oversight by offering branded hand sanitizer. At every damn booth.

Buzzword bingo alert

Also, two acronyms dominated the banners, buses and booths around Moscone: ZT and XDR. The first, zero trust, is not a product – although a quick walk through the showcase floor would make it appear otherwise.  

A zero trust security framework essentially boils down to trusting no-one on the network, let alone anyone connecting in from the outside, and assuming there has been a security breach. Instead of trusting employees or other users, devices, and networks by default, zero trust relies on using identity and behavior to verify users and machines in real time, and restricts data and access on a least-privilege basis.

National Cyber Director Chris Inglis noted this in a panel alongside CISA director Jen Easterly and NSA cybersecurity director Rob Joyce. Zero trust is an architecture – not a product. "I know [zero trust] is a much-maligned term," he said, adding that it's a "digital architecture compromised of technology, of people and practice doctrine."

Many of the vendors, however, seem to have missed the ZT-is-not-a-product memo.

Meanwhile, all of the former endpoint security and security information and event management (SIEM) companies are now selling XDR – extended detection and response. This buzzy acronym was all over Moscone's walls and expo booths, as security vendors rolled out their various flavors of threat hunting, detection and prevention across all attack surfaces. 

A very informal survey of my email inbox found more than 20 such XDR product announcements from the RSA Conference. IBM, in fact, announced it acquired Randori and plans to roll that company's software into its QRadar XDR capabilities on day one of the show.

"Everyone is frustrated with the amount of talk on AI, zero trust and XDR," CrowdStrike CTO Mike Sentonas told The Register in an interview at his company's hotel suite. "I talked to a CISO yesterday and she said to me, 'I'm not going out on the trade floor. It's too much.' And there's a lot of abuse of the terms as well."

To be fair: CrowdStrike also announced updated XDR capabilities and new partners to its CrowdXDR Alliance at the event.

Everyone weighs in on Russia

While XDR and zero trust won RSA Conference buzzword bingo this year, Ukraine – and the security threats surrounding the Russian invasion – were the topics on everyone's minds. Panelists, security execs and researchers alike all had an opinion on the Russian cyber attacks against Ukraine and why the expected attacks against US and its allies' critical infrastructure didn't materialize.

The US government's cyber chiefs swore up and down that they disclosed as much detail about potential threats as they had: ​​​​"We knew about real intentions," Joyce said. 

"The Russians are horrible at combined arms," said Dmitri Alperovitch, chair of security-centric think tank Silverado Policy Accelerator, during his keynote with Mandiant Intelligence EVP Sandra Joyce. "That's what we've seen in cyber as well."

Even former CISA director Chris Krebs weighed in on Russia during the show's final keynote. 

hugh_thompson_chris_krebs_rsa_conference_2020

RSAC program boss Hugh Thompson, left, and ex-CISA director Chris Krebs chew the fat on the last day of RSA Conference

"Tactically, I would have expected the Russians to come into Ukraine and take out any sort of telecommunications – the ability to command and control and engage with lines of communication," he said, adding that even the Russians' influence operations – like the one that claimed Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker – weren't very good.

"But what that did was it opened up space for the Ukrainians to completely dominate the information space," he added, citing the Ghost of Kiev fighter pilot story, which was false, and the Ukrainian grandmother who went viral on Social Media after offering a Russian soldier sunflower seeds to put in his pocket so the flowers will grow after he dies.

Still, many security practitioners at the conference said it's still too early to completely discount a Russian cyberattack, especially as the US increases its tactical and cyber support for Ukraine.

"I don't think Russia was ever going to take out nations and stop water flowing," Sentonas said. "It's not to say that they won't do something significant. But we certainly expected [Russian cyber attacks] to be a lot more targeted, a lot more careful in nature. 

"We just haven't had the in-your-face, very public attack," he told The Register, noting that this doesn't mean Putin's goons have stayed off of other countries' networks and systems. "There are campaigns that they are running. We've certainly seen that around the world."

The flip side of this, he added: while the Kremlin-backed cybercriminals have turned their attention to Ukraine as the kinetic war rages on, once it's over Sentonas expects an uptick in Russian-backed ransomware attacks. 

"I think we will get back to seeing very public ransomware groups that are affiliated with Russia," he predicted. "We'll start to see more of that, again, at some point, but I think they're pretty busy right now." ®

Broader topics


Other stories you might like

  • Threat and risk specialists signal post-COVID conference season is back on
    Well, we'll see in a week or so

    RSA Conference For the first time in over two years the streets of San Francisco have been filled by attendees at the RSA Conference and it seems that the days of physical cons are back on.

    The security conference trade has been more cautious than most when it comes to getting conferences back up to speed in the COVID years. Almost all cons were virtual with a very limited hybrid-conference season last year, including DEF CON, where masks were taken seriously. People still wanted to mingle and ShmooCon too went ahead, albeit later than usual in March.

    The RSA conference has been going for over 30 years and many security folks love going. There are usually some good talks, it's a chance to meet old friends, and certain pubs host meetups where more constructive work gets done on hard security ideas than a month or so of Zoom calls.

    Continue reading
  • Cisco EVP: We need to lift everyone above the cybersecurity poverty line
    It's going to become a human-rights issue, Jeetu Patel tells The Register

    RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.

    "It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote. 

    "This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said. 

    Continue reading
  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Intel offers 'server on a card' reference design for network security
    OEMs thrown a NetSec Accelerator that plugs into server PCIe slots

    RSA Conference Intel has released a reference design for a plug-in security card aimed at delivering improved network and security processing without requiring the additional rackspace a discrete appliance would need.

    The NetSec Accelerator Reference Design [PDF] is effectively a fully functional x86 compute node delivered as a PCIe card that can be fitted into an existing server. It combines an Intel Atom processor, Intel Ethernet E810 network interface, and up to 32GB of memory to offload network security functions.

    According to Intel, the new reference design is intended to enable a secure access service edge (SASE) model, a combination of software-defined security and wide-area network (WAN) functions implemented as a cloud-native service.

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • US cyber chiefs: Moving to Shields Down isn't gonna happen
    Promises new alert notices but warn 'we can sometimes predict thunderstorms but not lightning strikes'

    RSA Conference A heightened state of defensive cyber security posture is the new normal, according to federal cyber security chiefs speaking at the RSA Conference on Tuesday. This requires greater transparency and threat intel sharing between the government and private sector, they added.

    "There'll never be a time when we don't defend ourselves –— especially in cyberspace," National Cyber Director Chris Inglis said, referencing an opinion piece that he and CISA director Jen Easterly published earlier this week that described CISA's Shields Up initiative as the new normal. 

    "Now, we all know that we can't sustain the highest level of alert for an extensive period of time, which is why we're thinking about, number one, what's that relationship that government needs to have with the private sector," Easterly said on the RSA Conference panel with Inglis and National Security Agency (NSA) cybersecurity director Rob Joyce.

    Continue reading
  • Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups
    This is why Viasat attack – rated one of the biggest ever of its kind – had relatively little impact

    RSA Conference The Kremlin-backed cyberattack against satellite communications provider Viasat, which happened an hour before Russia invaded Ukraine, was "one of the biggest cyber events that we have seen, perhaps ever, and certainly in warfare," according to Dmitri Alperovitch, a co-founder and former CTO of CrowdStrike and chair of security-centric think tank Silverado Policy Accelerator.

    Alperovitch shared that opinion during a global threat briefing he delivered with Sandra Joyce, EVP of Mandiant Intelligence, at the RSA Conference on Tuesday.

    The two suggested that the primary purpose of the attack on satellite comms provider Viasat was to disrupt Ukrainian communications during the invasion, by wiping the modems' firmware remotely, it also disabled thousands of small-aperture terminals in Ukraine and across Europe. The attack therefore disrupted satellite connectivity for thousands, and disabled remote monitoring of 5,800 wind turbines in Germany.  

    Continue reading

Biting the hand that feeds IT © 1998–2022