RSA Conference 2016 Wrap-Up


Anchor had some of our key people at RSA Conference this year. RSA Conference is the largest annual conference of information security professionals and companies, and every year it is characterized by big announcements, important product releases, and interesting presentations.

Below is a summary of the major themes and announcements at this year's conference. For more details on a day-by-day basis, check out our daily summaries:
Day 0 - Day 1 -Day 2 - Day 3 - Day 4 - The Expo

                                                                                                    Word cloud derived from words used in RSA talk submissions for 2016
 THEMES
Here are some big themes we saw at RSA this year:
  • Risk Management / Security and the CEO/Board
These are actually separate topics, but because it is at the level of risk management that CEOs and boards primarily interact with security they are closely related. Over the past several years, we have seen that senior management is being held accountable for poor security when it is perceived as having led to serious breaches. The question of how to adequately communicate security requirements to senior management so that they can exercise effective oversight is an important one, and was a major topic at RSA this year.
  • DevOps and Secure Development
Modern information systems are all about the software, more so than the hardware, so attacks that hit at the root of software are very powerful and dangerous. This year's XCodeGhost malware, which involved a compromised version of a Apple's iPhone development tool, is a good example of the power of attacking the development layer. Also, one key driver of security problems in computing is vulnerable software, so decreasing the rate of vulnerabilities in software is a key initiative to improve on security. RSA Conference featured a track on application security and DevOps.
  • Cloud Security/Security for the Cloud
The "cloud" in the form of managed server hosting as well as in the form of software-as-a-service and platform-as-a-service is providing an increasing share of organizations' key information technology horsepower. Securing these types of services presents some new and difficult challenges, for which many enterprises are ill-prepared. IT leaders and technicians are looking for solutions in terms of policy, procedure, and technology to deal with the security implications of all this offloading of their IT workload.
  • Internet of Things (IoT)​
As more devices apart from "traditional computing devices" become connected to the Internet, it is becoming clear that security is still an afterthought in the development process at many device vendors. Devices from cameras and thermostats to cars and medical devices have been found to be vulnerable to attack. At RSA Conference there was a lot of talk about how vendors can make these devices more secure and how organizations can deploy them more securely in the meantime.
  • Industrial Control Systems/SCADA
Systems that control utilities, manufacturing, building systems, and other industrial and commercial activities are increasingly found to be vulnerable and to be connected to the Internet. Even where they are not directly connected to the Internet, they are typically connected for remote control to other computer that are. Because these systems are often difficult to upgrade/update, and were seldom designed with security in mind, they often contain disconcerting vulnerabilities. How to secure these critical and vulnerable systems was again a big topic at RSA this year.
  • The Human Element
While technical vulnerabilities often dominate the discussion, most breaches have a significant human element as well. No matter how much we try to "lock down" computer systems, we have to give people access to make them useful! The problem is that if humans can access your data and can send and receive data over the Internet, they can unintentionally compromise your data as well. There were a lot of talks and a lot of technology on display regarding how to educate users to avoid compromises, and how to use technology to back-stop them when they mess up. The threat of potential malicious insiders was a significant topic as well.
  • Detection and Visibility
The mantra of, "It's not if you get breached, but when," continued to come up from many experts at RSA Conference, including NSA Chief, Vice Admiral Mike Rogers. Technology to prevent breaches is obviously something we want to implement, but it is vital to also put in place technology that will allow you to see what is happening in your network and detect intruders who slip past your preventative measures.
  • Mobile
Interestingly, in terms of talks specifically focused on mobile devices and security, there were fewer than last year. However, mobile was still a major topic. The difference was that more talks on general enterprise security included mobile device security as an organic part of what they were covering. This is a good development, because mobile is increasingly an essential and integral part of IT. Tackling it as if it were a totally separate topic doesn't reflect the role of mobile in IT today. So it makes more sense to include mobile in every aspect of security: device management, perimeter security, network security, threat detection, etc.
  • Cryptography and Public Policy
Unsurprisingly for a conference whose sponsor has its roots in cryptography, RSA Conference has a lot of content on crypto every year. This year, with crypto in the media spotlight, was definitely no exception. The NSA Director, the Attorney General, and many other senior defense, intelligence, and homeland security officials were present to provide the government's perspective. The overall message from them seemed to be primarily about the need for cooperation and the requirement for intelligence and law enforcement's lawful access to information. Many of the industry and academic leaders present argued that some of the government's requests and initiatives in this area present a threat to security, privacy, and innovation.



ANNOUNCEMENTS
There were actually not as many big product and company announcements at the conference this year as in many past years.

Pentagon Opening up On Information Security?
Defense Secretary Ashton Carter announced the formation of a new Innovation Advisory Board, to be headed by former Google CEO Eric Schmidt. He also announced that the Pentagon has invited select security researchers to test DOD's external-facing web presence for vulnerabilities. These two developments have been heralded as showing a more open and collaborative approach on the part of the Defense Department.

IBM Acquiring Resilient Systems
IBM announced that they are near a deal to acquire Resilient Systems; Resilient is well known as the home of CTO Bruce Schneier. The move will enhance IBM's capabilities in the incident response field.

Microsoft to Release Advanced Anti-Malware Solution Later This Year
As part of his Tuesday keynote, Microsoft President Brad Smith showed off Microsoft's new Windows Defender, an advanced anti-malware technology that will be integrated with Windows 10. This is set to debut in the fall.

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more