It's been over a month since the last edition of the RSA Conference ended.
Everyone was pressing me to share my opinion of it, but the priorities of crisis committees, boards of directors and managing committees, and above all how to deal with this Black Swan called Covid-19 (not only as a public health issue but also on the economic front), had not allowed me to settle all the ideas.
But well, I will try to focus and give a perception of what the conference reflects about our sector.
It is still the most important security event. This year the risk may have affected attendance, yet there was still a record of more than 36,000 attendees and the Expo gathered more than 650 exhibitors. But my conclusion is that the industry does not have a clear message to convey: the strategies are confusing, and we are not understanding the objective, or the strategy to be applied, on the cybersecurity front.
Understanding the Problem
In previous editions it was clear that the sector was betting on some new technology or pursuing some clear objective. This was the case in 2011, when the Cloud was the target to protect, or in 2017, when threat hunting and the development and application of detection models prevailed. And not to forget the fever of 2018 and 2019 with the machine learning craze.
2020 may be a turning point, but it is strange that there is no common message among vendors and that the only way to attract attendees is with raffles, giveaways and demos that, in the end, do not connect with the current needs of cybersecurity.
The Cybersecurity Industry Approach
Although the message is fuzzy, I think it is possible to structure some ideas of what the market has to offer. Here is a group of ideas that stood out among security vendors.
Cyber Security Architecture
- Micro-segmentation and protection of cloud services. Applying the Zero Trust concept to access and authentication is a security architecture strategy that I have never shared and that does not align with the reality of today's data networks, built on agile methodologies, microservices, serverless and permeable perimeters. We need to go deeper into adaptive architectures rather than trying to fit on-premise network controls into cloud networks.
- EDR fundamental in the cybersecurity strategy. It is clear that the EndPoint is an access point for attackers. And the entire protection strategy against the different current attack vectors is supported by EDR. This is a fundamental solution in cybersecurity strategies for the short and medium term.
- Will network monitoring make a comeback? I found several NDR (Network Detection & Response) solutions. We knew that the volume of raw data on the network, encryption and micro-segmentation had somewhat complicated these types of solutions. But the Cloud and current processing capabilities have opened possibilities for the evolution of this type of control. I think we should bet on these solutions and implement them over the medium and long term, in order to evolve threat hunting capabilities.
Detection and Response
- MITRE ATT&CK strategy to reduce alert fatigue. The flood of alerts generated by the SIEM's correlation-rule strategy has evolved into a relationship between different alerts that, connected together, present a clear attack methodology. Different knowledge models of attack tactics and techniques are being implemented in the tools to reduce alert fatigue, and MITRE ATT&CK is the most used in the market.
- From EDR to XDR: losing focus. The key source of information for detection and response is the EDR (EndPoint Detection & Response), but a strategy to exploit this element has appeared: XDR, a solution that easily leads to setting up a new security architecture within the organization, as some vendors tried to do some years ago without much success.
- SIEM, UEBA, Security Analytics. I was particularly interested to understand what is happening with the flagship tool of incident management. The implementation of anomaly detection, outlier and data clustering algorithms is common to all SIEMs. Integration with intelligence sources and with processes to improve triage and investigation is common to all of them as well. The only differences: pricing and capacity models, and the integration of response functionality (SOAR). But we continue to find log managers presented as SIEMs in the market: be very careful with that selection.
- Managed Detection and Response Services. Last but not least, MDR (Managed Detection & Response). Very few providers deliver real detection and response services; it is a great opportunity in the market that few of us are taking advantage of.
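The ATT&CK point above, that alerts connected into a chain present an attack methodology while isolated alerts only add noise, can be shown on a handful of alerts. The following is an added example, not code from the post or from any vendor: it takes constructed SIEM alerts already tagged with an ATT&CK tactic and technique, groups them per host inside a time window, and promotes a chain that advances through several tactics into a single incident, leaving the rest as individual low-priority alerts. The alert fields, window and threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SIEM alerts (not from the post), each already tagged with the
# ATT&CK tactic and technique its detection rule maps to. Timestamps are ISO 8601.
ALERTS = [
    {"ts": "2020-03-10T09:01:00", "host": "ws-17", "tactic": "initial-access", "technique": "T1566"},
    {"ts": "2020-03-10T09:03:00", "host": "ws-17", "tactic": "execution", "technique": "T1059"},
    {"ts": "2020-03-10T09:10:00", "host": "ws-17", "tactic": "persistence", "technique": "T1547"},
    {"ts": "2020-03-10T09:25:00", "host": "ws-17", "tactic": "credential-access", "technique": "T1003"},
    {"ts": "2020-03-10T09:40:00", "host": "ws-17", "tactic": "lateral-movement", "technique": "T1021"},
    {"ts": "2020-03-10T11:15:00", "host": "ws-42", "tactic": "execution", "technique": "T1059"},
    {"ts": "2020-03-10T15:02:00", "host": "srv-db", "tactic": "persistence", "technique": "T1547"},
]

# Enterprise ATT&CK tactics in kill-chain order; a chain must advance along it.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "defense-evasion", "credential-access", "discovery", "lateral-movement",
                "collection", "command-and-control", "exfiltration", "impact"]

def _as_incident(chain, min_tactics):
    """Return an incident if the chain covers >= min_tactics distinct tactics in
    non-decreasing kill-chain order; otherwise None (alerts stay individual)."""
    ranks = [TACTIC_ORDER.index(a["tactic"]) for a in chain]
    progresses = all(x <= y for x, y in zip(ranks, ranks[1:]))
    if progresses and len(set(ranks)) >= min_tactics:
        return {"host": chain[0]["host"],
                "tactics": [TACTIC_ORDER[r] for r in sorted(set(ranks))],
                "techniques": [a["technique"] for a in chain]}
    return None

def correlate(alerts, window=timedelta(hours=2), min_tactics=3):
    """Collapse per-host alert chains into incidents. Returns (incidents, leftovers);
    the analyst queue shrinks from len(alerts) to len(incidents) + len(leftovers)."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents, leftovers = [], []
    for host_alerts in by_host.values():
        chains, chain = [], []
        for a in host_alerts:
            t = datetime.fromisoformat(a["ts"])
            # Open a new chain when the alert falls outside the window of the chain's first alert.
            if chain and t - datetime.fromisoformat(chain[0]["ts"]) > window:
                chains.append(chain)
                chain = []
            chain.append(a)
        chains.append(chain)
        for c in chains:
            inc = _as_incident(c, min_tactics)
            if inc:
                incidents.append(inc)
            else:
                leftovers.extend(c)
    return incidents, leftovers
```

On the sample data the seven raw alerts become one incident on ws-17 spanning five tactics plus two isolated alerts, so the analyst triages three items instead of seven.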
Data Privacy and Security
- And what really matters: the data. The value proposition of cybersecurity is the protection of data, which generates information, which becomes the knowledge with which organizations develop their competitive advantages. I have identified little evolution on this front: no evolution of DLP (Data Leakage Protection), cryptography or DRM (Data Rights Management).
- Compliance reporting. Many offers of compliance reporting services for third parties, to validate compliance, but far from being a privacy or data protection solution.
- No privacy compliance as a right of individuals. The value proposition of these providers revolves around compliance with GDPR, HIPAA and Gramm-Leach-Bliley, not around checking the real objective: the proper use of personal data.
Conclusions
- The RSA 2020 conference continues to be the most important cybersecurity event globally.
- The cybersecurity sector is in a state of evolution. Many of the strategies put forward by vendors in previous years did not give the desired result; Dwell Time is increasing and we have been losing the battle against threats.
- The firewall war between security vendors has fortunately ended. A control as basic as the firewall could not continue to generate so much noise in the market while the attackers kept winning the battle. The architecture is still geared towards access control, authentication, encryption and auditing. But if we misconfigure any of these controls, be it the most expensive firewall or iptables, we are going to lose the battle. The only key functionality ends up being adaptive security: the ability to reconfigure in the face of new threats or TTPs.
- A few years ago it was clear to me that the ability to detect or prevent an attack at the endpoint was nil. Now all bets are on EDR. We all must have it, even more so in these times of teleworking.
- Detection and Response services are fundamental. This is not a SOC; it is the real ability to evolve in order to reduce attacker Dwell Time.
We will see what RSA 2021 will bring; I expect clearer messages from our industry.