RSA Conference 2016 Wrap-Up


Anchor had some of our key people at RSA Conference this year. RSA Conference is the largest annual conference of information security professionals and companies, and every year it is characterized by big announcements, important product releases, and interesting presentations.

Below is a summary of the major themes and announcements at this year's conference. For more details on a day-by-day basis, check out our daily summaries:
Day 0 - Day 1 - Day 2 - Day 3 - Day 4 - The Expo

[Image: word cloud derived from words used in RSA talk submissions for 2016]
THEMES
Here are some big themes we saw at RSA this year:
  • Risk Management / Security and the CEO/Board
These are actually separate topics, but they are closely related because risk management is the level at which CEOs and boards primarily interact with security. Over the past several years, we have seen that senior management is being held accountable for poor security when it is perceived as having led to serious breaches. The question of how to adequately communicate security requirements to senior management so that they can exercise effective oversight is an important one, and was a major topic at RSA this year.
  • DevOps and Secure Development
Modern information systems are all about the software, more so than the hardware, so attacks that hit at the root of software are very powerful and dangerous. This year's XcodeGhost malware, which involved a compromised version of Apple's iPhone development tool, is a good example of the power of attacking the development layer. Also, one key driver of security problems in computing is vulnerable software, so decreasing the rate of vulnerabilities in software is a key initiative for improving security. RSA Conference featured a track on application security and DevOps.
  • Cloud Security/Security for the Cloud
The "cloud" in the form of managed server hosting as well as in the form of software-as-a-service and platform-as-a-service is providing an increasing share of organizations' key information technology horsepower. Securing these types of services presents some new and difficult challenges, for which many enterprises are ill-prepared. IT leaders and technicians are looking for solutions in terms of policy, procedure, and technology to deal with the security implications of all this offloading of their IT workload.
  • Internet of Things (IoT)
As more devices apart from "traditional computing devices" become connected to the Internet, it is becoming clear that security is still an afterthought in the development process at many device vendors. Devices from cameras and thermostats to cars and medical devices have been found to be vulnerable to attack. At RSA Conference there was a lot of talk about how vendors can make these devices more secure and how organizations can deploy them more securely in the meantime.
  • Industrial Control Systems/SCADA
Systems that control utilities, manufacturing, building systems, and other industrial and commercial activities are increasingly found to be vulnerable and to be connected to the Internet. Even where they are not directly connected to the Internet, they are typically connected for remote control to other computers that are. Because these systems are often difficult to upgrade or update, and were seldom designed with security in mind, they often contain disconcerting vulnerabilities. How to secure these critical and vulnerable systems was again a big topic at RSA this year.
  • The Human Element
While technical vulnerabilities often dominate the discussion, most breaches have a significant human element as well. No matter how much we try to "lock down" computer systems, we have to give people access to make them useful! The problem is that if humans can access your data and can send and receive data over the Internet, they can unintentionally compromise your data as well. There were a lot of talks and a lot of technology on display regarding how to educate users to avoid compromises, and how to use technology to back-stop them when they mess up. The threat of potential malicious insiders was a significant topic as well.
  • Detection and Visibility
The mantra "It's not if you get breached, but when" continued to come up from many experts at RSA Conference, including NSA Chief Vice Admiral Mike Rogers. Technology to prevent breaches is obviously something we want to implement, but it is vital to also put in place technology that will allow you to see what is happening in your network and detect intruders who slip past your preventative measures.
  • Mobile
Interestingly, in terms of talks specifically focused on mobile devices and security, there were fewer than last year. However, mobile was still a major topic. The difference was that more talks on general enterprise security included mobile device security as an organic part of what they were covering. This is a good development, because mobile is increasingly an essential and integral part of IT. Tackling it as if it were a totally separate topic doesn't reflect the role of mobile in IT today. So it makes more sense to include mobile in every aspect of security: device management, perimeter security, network security, threat detection, etc.
  • Cryptography and Public Policy
Unsurprisingly for a conference whose sponsor has its roots in cryptography, RSA Conference has a lot of content on crypto every year. This year, with crypto in the media spotlight, was definitely no exception. The NSA Director, the Attorney General, and many other senior defense, intelligence, and homeland security officials were present to provide the government's perspective. The overall message from them seemed to be primarily about the need for cooperation and the requirement for intelligence and law enforcement's lawful access to information. Many of the industry and academic leaders present argued that some of the government's requests and initiatives in this area present a threat to security, privacy, and innovation.

ANNOUNCEMENTS
There were actually not as many big product and company announcements at the conference this year as in many past years.

Pentagon Opening up On Information Security?
Defense Secretary Ashton Carter announced the formation of a new Innovation Advisory Board, to be headed by former Google CEO Eric Schmidt. He also announced that the Pentagon has invited select security researchers to test DOD's external-facing web presence for vulnerabilities. These two developments have been heralded as showing a more open and collaborative approach on the part of the Defense Department.

IBM Acquiring Resilient Systems
IBM announced that it is near a deal to acquire Resilient Systems; Resilient is well known as the home of CTO Bruce Schneier. The move will enhance IBM's capabilities in the incident response field.

Microsoft to Release Advanced Anti-Malware Solution Later This Year
As part of his Tuesday keynote, Microsoft President Brad Smith showed off Microsoft's new Windows Defender, an advanced anti-malware technology that will be integrated with Windows 10. This is set to debut in the fall.
