The Biggest Stories From RSAC 2019: What Scares the Cybersecurity Experts?

March 18, 2019

RSAC 2019 has officially wrapped. The reported attendance at San Francisco’s Moscone Center was more than 42,500, but to anyone who was there, it seemed like there were at least 60,000 security professionals on the ground. Whether or not you attended, there was no possible way to take in all of the 31 keynotes, 621 sessions and more than 700 vendors in the business expo. Fortunately, the RSA show website is filled with free materials, including on-demand presentation videos, conference blog posts and slide decks to capture what you missed.

When you’re at a show as large as RSAC 2019, it’s only natural that you’ll discover perspectives that are new and, sometimes, at odds. The conference brings together luminaries and cybersecurity experts from diverse fields such as research, government, industry and nonprofit sectors. This can result in tension, like the clash in perspectives between cryptography experts and government officials around privacy rights on the show’s opening day.

The diverse viewpoints at RSAC can also facilitate intensive collaboration around much-needed solutions, such as the mini-track on Wednesday dedicated to the growing need for public interest technologists. When the perspectives of chief information security officers (CISOs) and experts at RSAC 2019 are viewed as a continuum, you can begin to see a story emerging about the state of cybersecurity in 2019 and what organizations should pay attention to moving forward.

Your Security Ecosystem Matters

In the business expo, in presentations and in conversations with CISOs, there was a very real sense that the industry is moving away from distributed security solutions and products. Security leaders and vendors are increasingly realizing the risks of deploying too many standalone solutions that don’t talk to each other. It’s costly and it doesn’t create better security results for many organizations. The industry is beginning to emphasize the value of a single-pane-of-glass approach.

Rob Westervelt, research director at the International Data Corporation (IDC), believes the growing complexity of security solutions has created gaps in coverage in the enterprise because many organizations don’t understand the capabilities of the technology they have deployed. When you’re trying to manage a complex security stack, it can easily create issues with misconfiguration and policies that aren’t uniform across the enterprise.

Infrastructure Attacks Could Become a Nightmare

There was, unsurprisingly, a heightened focus on the risks of infrastructure-level attacks at the conference. Former CIA director and former secretary of defense Leon Panetta’s biggest nightmare is a malware attack that disables critical parts of U.S. infrastructure. As reported by ZDNet, Panetta believes that this kind of attack has the potential to be a “digital Pearl Harbor” with millions of lives lost.

Open Collaboration and New Releases

RSA Conference 2019 invariably hosts exciting new tech announcements, including the National Security Agency (NSA)’s Ghidra reverse engineering tool for open collaboration among security researchers. Reverse engineering is the technical practice of taking code of unknown origin, including malware, and analyzing components to understand the code’s capabilities. It’s a primary focus among security researchers to understand and stop emerging threats, including zero-day viruses and advanced persistent threats (APTs).

IBM announced its X-Force Red Blockchain Testing service to test vulnerabilities in blockchain platforms in the enterprise. IBM’s X-Force Red security team will provide services to test the back-end processes for networks powered by blockchain, including a comprehensive analysis of chain code, public key infrastructure, hyperledgers and the applications used for access control. The service will also assess hardware and software applications that are usually used to control access and manage blockchain networks.

Maintain Trust With Digital Risk Management

Rohit Ghai, president of RSA, is scared of the “cataclysmic results” of a possible future in which trust no longer exists. He defines trust as the ability for an organization to understand and manage risk. Ghai believes that mechanisms to ensure trust — and the presence of trust — are critical for enterprise IT to work effectively.

Ghai urged organizations to “think of security as a risk management problem; focus on minimizing impact.” To maintain an effective environment where trust can exist, Ghai advised companies to adopt solutions for digital risk management, including automated solutions for risk identification and silent security.

The Most Dangerous Hacks Are Dynamic

In a highly anticipated panel discussion, researchers from the SANS Institute presented their top exploits. Ed Skoudis, Heather Mahalik and Johannes Ullrich highlighted the risks of DNS hijacking, domain fronting and, increasingly, targeted attacks on an organization via compromised cloud accounts. According to Mahalik, attackers are increasingly learning to leverage information stored in public cloud services and using this data against users and enterprises.

Security Isn’t Funny

The final keynote at RSAC 2019 was a conversation with comedian, actress and writer Tina Fey. When asked if she saw any similarities between comedy and cybersecurity, Fey simply responded, “No.” Cybersecurity isn’t funny to Fey, and many of the 42,500 attendees at the RSA conference would likely agree with her.

Fey proceeded to draw similarities between her experience in improv comedy, perhaps inspired by her time on Saturday Night Live, and how she thinks organizations can improve. According to Fey, both improv groups and cybersecurity teams need to trust peers, collaborate and practice extensively to improve.

This perspective was echoed by IBM Security General Manager Mary O’Brien in her joint keynote with IBM Security Vice President Caleb Barlow, “Change Your Approach to Get It Right.”

“I think it’s time to rewrite our playbook,” O’Brien said. “As an industry, we face unrelenting waves of new attacks and business challenges … we need to be exponentially better.”

O’Brien called for open collaboration in the organization and new agile working models for companies. She encouraged organizations to forget everything they thought they knew about perfect security to move forward.

“We need a culture that knows failing is part of making progress, a culture that encourages other points of view and new ways of operating,” she said.

RSAC 2019 in Review

As RSAC 2019 is reviewed over the next days and weeks, it’s clear cybersecurity is no longer simply the IT department’s responsibility. CISOs are sitting closer to the board. Cybersecurity is an increasingly political and cultural issue, and new public interest technologists are needed to create effective policy and progress in government.

Threats and risks continue to evolve, and few attendees at RSAC would argue that the old ways of doing things can move anyone forward. We need new models, new security ecosystems and new types of cybersecurity experts for the industry to become “exponentially better.”

Jasmine Henry

Jasmine Henry (formerly Jasmine W. Gordon) is a Seattle-based emerging commentator and freelance journalist specializing in analytics, information security, ...