Thursday, April 30, 2015

2015 RSA Conference impressions

After a few days settling back to day to day routine and recovering from past week, I believe I can finally put together some thoughts about what I saw at RSA this year.

First, I'm happy with the results from my talk, "The Art of Thinking Security Clearly", about the effect of cognitive biases on information security. My research on the topic is evolving and based on some feedback and how the content was received I'll focus my work on some specific areas of the subject, specially risk assessments and user behavior change. I hope I can bring the results to another conference in the future. If it is at RSA, I just wish I won't get a Friday slot again; hard to see so many people interested in the subject not attending due to early departing flights.

Now, on the other stuff, I believe the key points I noticed were:

  • FireEye leading: interesting to see how many vendors are either comparing their products or services against FireEye or announcing integration with them. It clearly shows the name recognition that those guys were able to achieve. However...
  • Advanced malware detection is ripe for absorption: Let's face it, this capability fits perfectly as a feature to many other products, such as Next Generation Firewalls and IPS, UTM. In fact, many of those vendors are already building similar solutions on their platforms. Of course there is some secret sauce in FireEye and they also managed to get to a comfortable position where a lot of people in the field see them as best of breed. But nothing prevents the others from catching up, and some recent independent tests have shown that they may not be so much better than the others as it looks like.
  • Cloud and Big Data are now forbidden buzzwords: Due to over use during the past couple of years, every one now is trying to avoid those terms. Even during the key notes it was fun to see the speakers acting apologetically every time they had to use those words.
  • Analytics, analytics, machine learning, behavior analytics, analytics...: There must be a buzzword of the year. Analytics it is. All new products now are "analytics", and it's getting harder and harder to understand what they are actually doing and how they operate. Honestly, some vendor material, slogans, etc, looks exactly like stuff from Silicon Valley (the HBO show).
  • New way to lock-in clients - Threat Intelligence: Threat Intelligence is also a strong buzzword from this year. But the most interesting aspect from TI is seeing how a lot of vendors are trying to use their TI infrastructure to lock customers in their products. So you see that the strategy is usually to provide a platform very good to be your main TI provider. However, ask the vendor about putting TI from other sources there or integrating directly (and based on open standards) to your other tools and you'll see some funny faces. It's not only "my TI feed is bigger than yours" anymore; it's also "my TI sharing cloud is better than yours".

And, what for me is the funniest thing to notice: the huge 'cognitive dissonance' from vendors who are simultaneously telling you to rely on their uber Threat Intelligence content AND that attacks are now so 'sophisticated' that everything is tailored, from C&C infrastructure to malware pieces and phishing messages. That's right, they are telling you to look for things others have seen so you can find that stuff that was built only for you ;-)

Monday, April 27, 2015