RSA Conference: Your humble vulture never liked conference exhibits – even before I found myself on the show floor during a global pandemic. Showrooms are a necessary evil that are mainly visited to find gifts to take home for children.
Do organizations really choose security vendors based on a stand? The whole showroom idea seems like an outdated business model – for sellers, anyway. Although the same argument can be made for conferences in general.
For the most part, all security executives and researchers set up shop offsite – either in swanky hotels and shared offices (for the bigwigs) or on charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the exhibition altogether.
A few observations from the showroom: First off, not a lot of masked faces. Fairly risky move for risk managers. Perhaps the vendors thought they could compensate for this oversight by offering a branded hand sanitizer. At every fucking booth.
Trendy bingo alert
Additionally, two acronyms dominated the banners, buses and stands around Moscone: ZT and XDR. The first, Zero Trust, is not a product – though a quick walk across the show floor would make it appear otherwise.
A Zero Trust security framework essentially boils down to not trusting anyone on the network, let alone anyone connecting from the outside, and assuming there has been a security breach. Instead of trusting employees or other users, devices, and networks by default, zero trust relies on using identity and behavior to verify users and machines in real time, and restricts data and access on the basis of least privilege.
National Cybersecurity Director Chris Inglis noted this during a panel alongside CISA Director Jen Easterly and NSA Cybersecurity Director Rob Joyce. Zero trust is an architecture, not a product. “I say [zero trust] is a much maligned term,” he said, adding that it is “a compromised digital architecture of technology, people and practice doctrine.”
However, many vendors seem to have missed the ZT-is-not-a-product memo.
Meanwhile, all the old endpoint security and security information and event management (SIEM) companies now sell XDR – extended detection and response. This buzzy acronym was all over Moscone’s walls and exhibit booths, as security vendors rolled out their various flavors of threat hunting, detection and prevention across all attack surfaces.
A very informal survey of my inbox found over 20 XDR product announcements from the RSA conference. IBM, in fact, announced on the first day of the show that it had acquired Randori and plans to integrate that company’s software into its QRadar XDR capabilities.
“Everyone is frustrated with the amount of talk about AI, zero trust, and XDR,” Mike Sentonas, CTO of CrowdStrike, told The Register in an interview at his company’s hotel suite. “I spoke to a CISO yesterday and she was like, ‘I’m not going to go out on the floor. It’s too much. And there’s also a lot of abuse of terms.”
To be fair: CrowdStrike also announced updated XDR capabilities and new partners to its CrowdXDR Alliance at the event.
Everyone weighs in on Russia
While XDR and Zero Trust won the RSA conference buzzword bingo this year, Ukraine – and the security threats surrounding the Russian invasion – were the topics on everyone’s mind. Panelists, security officials and researchers all had an opinion on Russian cyberattacks on Ukraine and why expected attacks on critical infrastructure of the United States and its allies failed to materialize.
US government cyber chiefs swore loud and clear that they had released as many details of potential threats as they had: “We knew the true intentions,” Joyce said.
“The Russians are terrible at combined arms,” said Dmitri Alperovitch, president of security-focused think tank Silverado Policy Accelerator, during his keynote address with Sandra Joyce, executive vice president of Mandiant Intelligence. “That’s what we’ve seen in cyber as well.”
Even former CISA director Chris Krebs spoke about Russia in the show’s final keynote speech.
RSAC program boss Hugh Thompson, left, and former CISA director Chris Krebs chew the fat on the final day of the RSA conference
“Tactically, I would have expected the Russians to come into Ukraine and cut out all kinds of telecommunications – the ability to command and control and engage with lines of communication,” he said, adding that even Russian influence operations – like the one that claimed Ukrainian President Volodymyr Zelenskyy had died by suicide in a military bunker in Kyiv – weren’t very good.
“But it allowed the Ukrainians to completely dominate the information space,” he added, citing the Ghost of Kyiv fighter pilot story, which was fake, and the Ukrainian grandmother who went viral on social media after offering a Russian soldier sunflower seeds to put in his pocket for flowers to grow after his death.
Still, many security professionals at the conference said it was too early to completely rule out a Russian cyberattack, especially as the United States increases its tactical and cyber support for Ukraine.
“I don’t think Russia was ever going to wipe out nations and stop the water from flowing,” Sentonas said. “That doesn’t mean they won’t do something big. But we certainly expected [Russian cyber attacks to] be much more focused, much more cautious in nature.
“We just didn’t have the attack in the face, very public,” he told The Register, noting that this does not mean that Putin’s henchmen have stayed away from other countries’ networks and systems. “There are campaigns they run. We’ve definitely seen that around the world.”
The other side of the coin, he added: Kremlin-backed cybercriminals have turned their attention to Ukraine while the kinetic war rages on, and once it is over, Sentonas expects an increase in Russian-backed ransomware attacks.
“I think we will return to very public ransomware groups affiliated with Russia,” he predicted. “We’ll start seeing more, again, at some point, but I think they’re pretty busy right now.” ®