The key takeaways from RSA Conference 2018
Tom Wright looks at the key themes at this year's RSA Conference and asks whether the event is still as useful as it has been in a saturated cybersecurity market
A lot has changed since the last RSA Conference was held in February last year.
Cybersecurity may have been creeping into the spotlight then, after a handful of well-documented breaches occurred, but it well and truly stole the show in the following May when the WannaCry cyberattack indiscriminately crippled organisations across the world.
The increased attention, along with the burgeoning number of vendors and categories in the industry, could make an event such as RSA daunting for even the most seasoned security veteran.
Partners who attended this year's conference, in its home of San Francisco, say that the event was perhaps one of greater maturity - focusing not on how new, flashy technology is light-years ahead of legacy vendors, but on how technology can be used to help struggling security professionals.
The increasing amount of data churned out by systems, and reports generated by security software, have shackled security analysts and made it difficult for them to spend time assessing genuine threats.
Colin Williams, chief technologist at Computacenter, said that the industry has taken steps to address this issue by introducing artificial intelligence and machine learning into threat intelligence solutions, which does a lot of the legwork for these employees.
These solutions, he said, formed the underlying theme of the RSA Conference.
"The only thing that jumped out to me this year was the abundance of threat intelligence companies," he said.
"The blood and guts of the conference was all around the importance of using AI, machine learning, threat detection services and threat intelligence insight to allow overworked security operations staff to do a better job than they are currently doing.
"That seemed to be the overriding theme above anything. Last year the end-point wars were still being fought - there was still a lot of end-point-related commentary and new vendors this year - but in the main, the thing that jumped out was the emphasis on threat intelligence."
With cybersecurity no longer an IT issue, but instead on the board-level agenda, organisations are scrambling to fill security vacancies but are struggling to find enough candidates.
"If you approach the RSA event without a plan, you'll burn an awful lot of time in the wrong places. You'll stop at the first stand that looks interesting and before you know it you've wasted an hour," Colin Williams, Computacenter
These threat intelligence solutions, Williams explained, are designed partially to mitigate the lack of skilled security workers.
They don't represent a fundamental shift in the industry, he added, but the addition of AI and ML can take a significant amount of weight from the shoulders of swamped analysts.
"If you are running an operational security environment, threat intelligence is nothing new," Williams explained.
"If you run a SOC you've had threat intelligence feeds for years and they are hardly sexy, but if you take threat intelligence and AI, you can genuinely use that massive inbound insight to allow your analysts to be the best analysts in the world, because their own insight is augmented by this wonderful pool of intelligence.
"They can come out with answers to questions they didn't even know existed."
People skills
Employees aren't just the greatest asset that an organisation has when it comes to protecting its infrastructure - but perhaps also the greatest threat.
Logicalis' vice president of security solutions Ron Temske said that a number of prominent solutions at the RSA event were centred on minimising the damage that employees - either maliciously or accidentally - can do to an organisation.
He highlighted solutions around email security and behavioural analytics as garnering much attention.
"On the solutions side there was a lot of focus around employee education and admitting that the employees are our greatest risk," he said.
"From a product standpoint there was a lot of focus on behavioural analytics - everyone was trying to show they have some flavour in that arena - and a recognition that email is emerging again as the primary attack vector.
"What email has in common with UEBA [user and entity behaviour analysis] is that it largely relies on humans - whether bad actors can convince you to do something on email that you really shouldn't do. UEBA falls in that same category.
"So much is people based - it isn't all malware and other things that are detectable, so you have to look at what human beings are doing that is suspicious."
Despite highlighting these areas as being prominent, Temske said there was a general lack of differentiation at the conference this year, with a lot of vendors using the same buzzwords and blurring into one. He added that he didn't see anything especially groundbreaking on show from a tech perspective.
"There wasn't anything revolutionary that stuck out - at least to me - from a technology standpoint," Temske explained. "If I were to make a generalist comment, I'd say there was a lack of differentiation. After a day of walking around the vendor hall I was thinking that everything sounds the same. There wasn't anything that stood out.
"Everyone has AI-this and machine learning-that. It has started to blend together so there was a lack of anything that stood out there."
This view was echoed by Sean Remnant, chief strategy officer at security distributor Ignition, who explained that the growing number of vendors in the space means there is less chance of a specific type of technology stealing the show at an event like RSA.
"The market is maturing so you're not getting these lighthouse themes shining through, because the event is so big," he explained.
"There is still some exciting stuff and some key areas - end-point, identity and automation is probably what there was most of - but there wasn't one massive thing. Last year end-point was absolutely screaming but there wasn't that kind of buzz this year; it was more about the market maturing and pointing to the areas people should be looking at. I don't think it's a problem though because there was still lots of great tech out there."
Remnant however agreed that a lot of the vendors on show were focusing more on how to manipulate the vast amounts of data churned out by security solutions, rather than on the tech that actively prevents threats.
"Some of these solutions are providing a lot of data rather than a lot of information, so we just need to make things easier because nobody has the resources to spend a lot of time on every single point solution," he explained. "It's about making better budget decisions on those security solutions so we get more value."
The end-point wars
Perhaps no market entrance has caused more waves in the cybersecurity arena over recent years than when the likes of Cylance and Sentinel One arrived with next-generation anti-virus, slamming their legacy competitors in the process.
The ripples of their entrance are still being felt, Computacenter's Williams said, adding that the market disruption is likely drawing to a close.
"If you're an angel investor or a VC, your enthusiasm to invest in end-point start-ups with the potential for a massive bounty might be waning. But because the end-point, and anything that effects the user, is deemed one of the most important attack vectors, end-point protection hasn't gone away," Williams explained.
"It is fundamentally important and I think what you're seeing is that people have aligned with their end-point choice and they've placed their bets now; a market entrant will find it challenging.
"If you arrived [as a vendor] right now and your whole thing was AI and ML, how would you beat Cylance which has a three-year advantage over you? It would be hard."
Still useful?
The less-coherent messaging coming out of RSA this year raises the question of whether the event still offers value to channel partners spending thousands of pounds to travel to San Francisco.
A few grumblings on Twitter and LinkedIn suggested that the "RSA bubble had burst", and that the sheer volume of vendors exhibiting made it too difficult to unearth genuine opportunities.
Computacenter's Williams admitted that the vendor hall has become more difficult to navigate over recent years, but said any partner arriving at the event with a clear plan of action will not leave disappointed.
"If you approach the RSA event without a plan, you'll burn an awful lot of time in the wrong places," he said. "You'll stop at the first stand that looks interesting and before you know it you've wasted an hour.
"You go there to confirm certain decisions, reinforce certain decisions and get new ideas. I knew exactly the vendors I was going to see, and if I didn't know the vendor, I knew the areas I was investigating.
"If threat intelligence was the area I was looking at but I didn't know the vendor, I still knew what the specific outcome was. It's still a formidable event and there is nothing like it. You can almost get all your decision making for a year done in four days."