Inside the RSAC expo: Buzzword bingo and the bear in the room

We mingle with the vendors so you don't have to

RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominantly visited to find gifts to bring home to the kids.

Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

A couple of observations from the show floor: First, not many masked faces. Pretty risky move for risk managers. Maybe the vendors thought they could make up for this oversight by offering branded hand sanitizer. At every damn booth.

Buzzword bingo alert

Also, two acronyms dominated the banners, buses and booths around Moscone: ZT and XDR. The first, zero trust, is not a product – although a quick walk through the showcase floor would make it appear otherwise.  

A zero trust security framework essentially boils down to trusting no-one on the network, let alone anyone connecting in from the outside, and assuming there has been a security breach. Instead of trusting employees or other users, devices, and networks by default, zero trust relies on using identity and behavior to verify users and machines in real time, and restricts data and access on a least-privilege basis.

National Cyber Director Chris Inglis noted this in a panel alongside CISA director Jen Easterly and NSA cybersecurity director Rob Joyce. Zero trust is an architecture – not a product. "I know [zero trust] is a much-maligned term," he said, adding that it's a "digital architecture comprised of technology, of people and practice doctrine."

Many of the vendors, however, seem to have missed the ZT-is-not-a-product memo.

Meanwhile, all of the former endpoint security and security information and event management (SIEM) companies are now selling XDR – extended detection and response. This buzzy acronym was all over Moscone's walls and expo booths, as security vendors rolled out their various flavors of threat hunting, detection and prevention across all attack surfaces. 

A very informal survey of my email inbox found more than 20 such XDR product announcements from the RSA Conference. IBM, in fact, announced on day one of the show that it had acquired Randori and plans to roll that company's software into its QRadar XDR capabilities.

"Everyone is frustrated with the amount of talk on AI, zero trust and XDR," CrowdStrike CTO Mike Sentonas told The Register in an interview at his company's hotel suite. "I talked to a CISO yesterday and she said to me, 'I'm not going out on the trade floor. It's too much.' And there's a lot of abuse of the terms as well."

To be fair: CrowdStrike also announced updated XDR capabilities and new partners to its CrowdXDR Alliance at the event.

Everyone weighs in on Russia

While XDR and zero trust won RSA Conference buzzword bingo this year, Ukraine – and the security threats surrounding the Russian invasion – was the topic on everyone's minds. Panelists, security execs and researchers alike all had an opinion on the Russian cyber attacks against Ukraine and why the expected attacks against the US and its allies' critical infrastructure didn't materialize.

The US government's cyber chiefs swore up and down that they disclosed as much detail about potential threats as they had: "We knew about real intentions," Joyce said.

"The Russians are horrible at combined arms," said Dmitri Alperovitch, chair of security-centric think tank Silverado Policy Accelerator, during his keynote with Mandiant Intelligence EVP Sandra Joyce. "That's what we've seen in cyber as well."

Even former CISA director Chris Krebs weighed in on Russia during the show's final keynote. 

RSAC program boss Hugh Thompson, left, and ex-CISA director Chris Krebs chew the fat on the last day of RSA Conference

"Tactically, I would have expected the Russians to come into Ukraine and take out any sort of telecommunications – the ability to command and control and engage with lines of communication," he said, adding that even the Russians' influence operations – like the one that claimed Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker – weren't very good.

"But what that did was it opened up space for the Ukrainians to completely dominate the information space," he added, citing the Ghost of Kyiv fighter pilot story, which was false, and the Ukrainian grandmother who went viral on social media after offering a Russian soldier sunflower seeds to put in his pocket so the flowers would grow after he died.

Still, many security practitioners at the conference said it's too early to completely discount a Russian cyberattack, especially as the US increases its tactical and cyber support for Ukraine.

"I don't think Russia was ever going to take out nations and stop water flowing," Sentonas said. "It's not to say that they won't do something significant. But we certainly expected [Russian cyber attacks] to be a lot more targeted, a lot more careful in nature. 

"We just haven't had the in-your-face, very public attack," he told The Register, noting that this doesn't mean Putin's goons have stayed off of other countries' networks and systems. "There are campaigns that they are running. We've certainly seen that around the world."

The flip side of this, he added: while the Kremlin-backed cybercriminals have turned their attention to Ukraine as the kinetic war rages on, once it's over Sentonas expects an uptick in Russian-backed ransomware attacks. 

"I think we will get back to seeing very public ransomware groups that are affiliated with Russia," he predicted. "We'll start to see more of that, again, at some point, but I think they're pretty busy right now." ®

Biting the hand that feeds IT © 1998–2022