5 Top Cybersecurity Themes at RSA 2018Artificial Intelligence, Bug Squashing, Secure DevOps and More
The theme of this year's RSA conference in San Francisco was "now matters."
See Also: 何謂下一代反洗錢 (AML) 技術？
But what matters most, right now, to today's information security community, overwhelmed by an increasing number of not only attacks, but also regulations, quantity of solutions and inability to separate snake oil from reality?
"Artificial intelligence for anti-malware is very, very big."
"WannaCry ... was our wakeup call," RSA President Rohit Ghai told conference attendees in his opening keynote presentation (see Life After WannaCry's Wake-Up Call: What's Next?). "We failed to patch a known vulnerability. ... Since then, we have picked up our game with vulnerability risk management and patching IT and OT [operational technology] infrastructure."
Other security experts echoed his focus on vulnerability and risk management and the need for better patching. Many are also looking to artificial intelligence and machine learning to help, as well as incorporating better security into software development practices.
Cybersecurity: In Automation We Trust
One dominant theme at RSA 2018 was this: Manual-based efforts are out, automated-learning efforts are in.
"There are too many things happening - too much data, too many attackers, too much of an attack surface to defend - that without those automated capabilities that you get with artificial intelligence and machine learning, you don't have a prayer of being able to defend yourself," Art Coviello, a partner at Rally Ventures and the former chairman of RSA, told me (see Art Coviello Talks Breach Detection and Prevention).
Of course, any mention of artificial intelligence or machine learning should carry a "warning: buzzword" alert.
"Last year we saw a lot of folks slapping the words AI or machine learning on just about everything," said Chris Pierson, president of Binary Sun Cyber Risk Advisers (see RSA 2018: Hot Cybersecurity Trends).
AI: Rubber Meets the Road
But this year, Pierson told me, endpoint security players have been building or acquiring these capabilities, which makes for very interesting opportunities for the likes of Symantec, Trend Micro and McAfee, which have so much data from so many different end users that they're operating in a different league from startups.
"The amount of data they have - the treasure trove of data they sit on - is large and vast and global, so it makes sense to be able to plug that into a behavioral-based learning methodology," he said.
Already, Coviello said, "artificial intelligence for anti-malware is very, very big."
"It's clearly already happened in the anti-malware space," he said, noting that any anti-malware technology that cannot stop 100 percent of all malware leaves room for improvement. "The signature-based technologies - we've been saying for years and years that they're just not catching the viruses and they can't keep up with the morphing and changing," Coviello said. "So artificial intelligence in anti-malware is here; it's now."
SOCs: Overwhelming Alert Fatigue
Security operations centers are also in desperate need of automation help, given the sheer quantity of alerts facing today's SOC workers and the resulting burnout and high rate of employee turnover.
Expect to see machine learning help here too. "You're also going to see it in the response category, and we're seeing it with a number of orchestration companies that are not only creating playbooks to be able to respond more quickly and prioritize alerts but also to be able with machine learning to start to automate the response," Coviello said.
Not all such efforts are yet ready for prime time. "Now, obviously you have to be careful with false positives and not quarantine something that shouldn't be quarantined, but we will get there and I think there's a lot of hope for machine learning and artificial intelligence just generally," he said.
Pierson says not all efforts have to be fully automated. Firms should also explore AI-assisted response, he said, asking themselves: "How do they leverage the data inside their own shops to then take action either in an automated fashion or in a manual-based fashion but something that is prompted by different learning algorithms that they have?"
Vulnerability Management Redux
As an industry, we've been talking about bugs, and the need to manage and patch these flaws, for years. The problem was so bad that in January 2002, Microsoft launched its Trustworthy Computing Initiative to attempt to deliver less buggy and more trusted code.
But the challenge has remained. "The whole area of vulnerability assessment and management has had quite the renaissance, and technologies are getting more capable in that area to be able to detect attacks before they're underway and spot those vulnerabilities and correct them," Coviello said.
Alejandro Lavie, director of security strategy for Flexera, told me that the company's Secunia Research team counted 19,954 flaws last year in 2,000 products built by 200 vendors. The quantity of flaws it counted had also increased by 14 percent from 2016 to 2017 (see Vulnerability Management: Why the Problem Can't Be Solved).
Of course, organizations do not always stay on top of those flaws, as last year's massive Equifax breach demonstrated (see Equifax's Colossal Error: Not Patching Apache Struts Flaw).
The need to eradicate bugs from production environments has never been greater. Speaking at the conference, David Hogue, who heads the NSA's Cybersecurity Threat Operations Center - in charge of defending unclassified Department of Defense networks - says attackers haven't bothered using a zero-day exploit in 24 months, simply because there are so many known flaws to exploit. "If you can live off the land, so to speak, you don't need to dip into your toolkit," he said (see NSA: The Silence of the Zero Days).
DevSecOps: Finally, More Secure Code?
As an industry, we've also been talking about the need to build more secure code for years. But it's a deeply unsexy topic, despite the U.S. National Institute of Standards and Technology - NIST - reporting more than 15 years ago that inadequate software testing leads to a massive increase in costs.
Since then, old-school waterfall software development - specify everything that should be in software, then build and implement what's already outdated code - has given way to agile development practices. Agile favors frequent iterations, via build sprints that may last just two to four weeks, as well as teams composed not just of developers but also users.
Too often, however, security can still be an afterthought, leaving quickly built - yet still buggy and exploitable - code in its wake. "In an age of agile development, the developers have the party and the security operations center people have the hangover," Coviello said. "We need to, in this age of agile development, have the tools that prevent the software from having vulnerabilities in it."
Shannon Lietz, who heads penetration testing and red-teaming for financial software giant Intuit, at RSA traced for me the rise of DevSecOps, which focuses on ensuring that security is a part of the agile development lifecycle (see Real-World Application Security: Top 10 Threats).
About five years ago, Lietz founded the organization known as DevSecOps. "It's an organization dedicated to building community around better, safer software, sooner practices and the security pipeline for software development," she told me. That effort has included "sciencing the heck out of things" that pose security problems to the development lifecycle in an attempt to find better approaches.
"We're finally getting to a point where we're realizing that as a security practice, it's really about making things easier to digest, making it so that a developer doesn't necessarily have to spend all their time understanding security, but they have the services and capabilities at their disposal that they can use in their software," Lietz said.
Another innovation: Intuit's red team handles not only penetration testing but also the organization's threat intelligence and adversary tracking. The impetus, Lietz says, is to "understand what it takes to remove them from software" as well as to build and maintain software that is "meeting our customers' demands, but not our adversaries' demands."
Now that's a theme to carry into 2019 and beyond.