Trends in 2019 for cybersecurity according to the show floor at the RSA Security Conference
Before you doubt my capacity to speak in any authoritative voice to the theme of this year's RSAC, consider that I sat down in forty-nine briefings with vendors from Monday-Friday that each lasted 30 minutes long. So before you think "why should I believe Alissa on what she thinks was the takeaways from this year's RSA?" Well... in the memorable words of Bill Engvall, "Here's your sign."
If you're only looking to read the first few paragraphs of this article than stop after this paragraph. The words I'd describe for trends in cybersecurity in 2019 as a takeaway from this year's RSAC is automation, AI, data, removing the human, and frictionless. Today's cybersecurity titans and venture backed startups are increasingly attempting to implement more automation into their solutions and machine learning in order to make them smart enough to rely less and less on human interaction, critical thinking, and response. If we are to learn from history lest we repeat it, humans are indeed fallible and the vendors hawking their latest wares at RSAC is more than an indication that they are increasingly being removed from the logjam of events to rely more on the technology itself for decision-making based on system and network telemetry -- escalating fewer and fewer events up to the 8th layer of the OSI (read: humans).
While many vendors are catching on to making sure the latest buzzwords such as "machine learning and AI or zero false positives" were all but removed from their booth designs from last year, they have certainly been replaced by the new marketing bandwagon of "zero trust."
As a follow-up to my previous article on building the Zero Trust (ZT) enterprise, I'll be releasing a new article soon that above all, will make sure to convey the fact that ZT is nothing more than a colloquial term that refers to things we've historically always (or should have been) doing on both the endpoint and network, such as multi-factor authentication, authorization, encryption, and network segmentation. But as I always say "let them play." If coining a new term to refer to something that was historically a verbal vomit of acronyms and disjointed security control categories from the network to the endpoint, then so be it. If you can say something in two words like "zero trust" as opposed to 10 or 20, great. Work smart, not hard. I just turned forty, life is short.
But I digress on the ZT debate. Having said that, in addition to ML and AI being used to move us away from pattern-matching detection; companies on the show floor certainly justify my belief that indeed, SIEM is quickly becoming legacy as security orchestration and response (SOAR) and security analytics solutions move in to relegate them to the status of the red headed stepchild that CISOs don't want.
In addition to the new industrial revolution happening in the security event monitoring space with SOAR and security analytics platforms, API security and mobile application security is without contestation a serious concern for CISOs that many vendors (both new and old) are quickly attempting to bring solutions to market for. Leading this charge are companies, such as Arxan who offer app shielding solutions for both mobile and web applications in an attempt to address the threat of mobile app decompiling and web app threats, such as Magecart as well as device authentication solutions, such as iovation (a Transunion company).
During the conference, I was invited to Arxan's headquarters in San Francisco where I certainly got the "view from the top." I'll be releasing some reports on Arxan's app shielding technology soon and some staggering new vulnerability findings we discovered in financial services mobile apps that begs to ask why companies aren't using solutions to obfuscate their mobile apps.
Not far behind the SOAR and "passwordless" solution train ushering in a new way of doing things are BAS solutions, which are challenging what many are referring to now as -- dare I say, legacy, vulnerability scanners. The days of vulnerability plugins and wondering if a step-update of an RPM is causing a false positive are being rendered obsolete as CISOs look to answer the age-old question of "what vulnerabilities do I remediate first" as many -- albeit a religious debate -- consider CVSS scoring to be nothing short of useless in making that decision. The vulnerability scanner of yesteryear (did I really just say yesteryear?) is now being replaced by breach and attack simulation (BAS) solutions whose first iteration was to simulate steps in the kill chain using agents now adding capabilities for actual exploitation of vulnerabilities discovered in an effort to test security controls on the network and endpoints, such as those platforms from Pcysys and XM Cyber.
While I wouldn't say BAS and other similar vulnerability scanning and automated exploitation platforms are ready to replace human penetration testers, they certainly pose an interesting solution to those looking to add more shiny new toys to their current control stack and certainly a much better GPS for figuring out how to prioritize vulnerability remediation. I'll bet all of you right now that in a year -- two at the most, CISOs will begin replacing their current budgets into vulnerability scanners with BAS solutions instead. Mark my words.. Okay, I cheated, I already know two CISOs who've decommissioned their vulnerability scanners for a BAS solution.
Over the course of this year I will be bringing you the level of unbiased, no-nonsense, no regurgitation of marketing material, in-depth research coverage you've come to rely on me for of solutions in cloud security/CASB, security awareness training platforms, PKI companies, crowd-sourced vulnerability platforms, API security gateways, mobile and web app security, dataloss prevention, security awareness training, endpoint detection and response (EDR), network segmentation, identity access management (IAM), security orchestration and response (SOAR), ML-powered network and endpoint threat detection, blockchain security, and email security to name a few.