RSAC 2017 in 4 Words

The RSA Conference (RSAC) in San Francisco is one of the year's largest gatherings of security professionals, with a reported attendance of more than 45,000. From three-letter government agencies to startup security vendors taking the first step toward their big cash-out, the exhibit floor is filled with technology and services while enterprise security professionals, CISOs and security researchers of varying levels of respectability roam the aisles and fill conference seats. It's a good place to be if you want to get a feel for the big concerns and issues in the computer security space.

Every year, attendees and journalists are asked about their impression of the show. It's a shorthand way for people who aren't in the security field to ask what they should be afraid of, or what they should know about computer and network security. This year, there are four words that seem to be part of almost every conversation: booth presentation and sales pitch. Each contains, in its own way, information about the status of the security field in 2017.

What are those four potent words? Listing them is easy: visibility, IoT, partnership and automation. When you look inside those words things get more challenging -- and much more interesting.

The impression gained in many conversations here is that CISOs, and IT professionals in general, have but the faintest idea of what's truly happening on their networks. The level of ignorance about how many devices, what sort of devices and how many cloud services are playing on the enterprise network is profound. Why is there such a high level of ignorance? On that, opinions vary, though the explosion of IoT, the continuation of BYOD and the economic power of shadow IT are combining to make the enterprise network such a dynamic place that it's difficult to know just how many devices are attaching at any one time.

Most of the researchers I spoke with at RSAC said that the IT group consistently under-counted devices by anywhere from 50 percent to 150 percent. It's not that people think that these are malicious actors lurking about on the network and waiting to attack -- it's just that each employee now represents somewhere around 3.5 connected devices and few physical systems (think HVAC and physical security) come without many more devices than are plainly visible.

What everyone agrees on is that knowing your network is the first step in protecting your network. The lack of visibility is a huge piece of the security deficit felt by many organizations today.

Not to get all Socratic Method here, but the first thing you have to do is define "IoT." Is it all the Fitbits walking around on employee wrists? The POS terminals and thermostats in your retail outlets? The process control systems in your manufacturing facilities? All of the above? Something else entirely?

The answer, of course, varies with precisely who's doing the defining. And the nature of that answer will go some way toward explaining the visibility problem already mentioned, and toward rationalizing the CISO's attitude toward protecting the IoT.

IoT security starts with the understanding that the industrial IoT and consumer IoT are two very different things that place very different demands on enterprise security. It continues with the firm knowledge that many techniques used for securing computing endpoints aren't possible with the IT; watching traffic to and from IoT nodes may be the only way to monitor, analyze and protect IoT devices from criminals -- and the rest of the internet from the botnet trying to use IoT devices against others.

It seemed that every company on the expo floor at RSA was eager to talk about APIs -- how their API was being used by other companies, and how they were eagerly making use of APIs to bring capabilities from other companies' products into their own. At least for this year, the spirit of cooperation was in the air as each company wanted to show that they were more open and cooperative than the next.

It's important to remember, though, that an available API is only part of what's needed for a complete security infrastructure. Someone, somewhere, has to use the API to integrate two (or more) components into the solution for a security problem. In an interview with Light Reading, David Ulevitch, vice president and general manager of security business for Cisco, said, "People don't want the potential of APIs, they want the results of integration. The number of customers that harness APIs is much smaller than the number of customers taking advantage of integration."

Put another way, everyone recognizes that enterprise security is complicated and security vendors are reluctant to over-promise capabilities. An emphasis on APIs and integration means that there's at least the possibility of taking a "best of breed" approach to building a security solution. Actually getting there? Well, enterprise security is still complicated.

Security threats move at lightning speed and humans are ill-equipped to keep up the pace. That's why automation is the fourth word describing this year's RSAC. In truth, automation is a broad word that encapsulates at least a couple of other concepts. Some companies will tell you about the AI used in the product while others use the phrase "machine learning" to describe what they do. In either case, the impact on the customer is the same.

When security components can collect data, perform analysis, decide on a course of action and then take action without involving humans, then there's the possibility of responding to threats before they can cause damage. Both enterprise customers and security vendors want security systems that successfully deal with the vast majority of security incidents without ever involving humans, leaving analysts and administrators to deal with outliers, marginal cases and truly novel situations.

Five days, 45,000-plus people and four words; the story of RSAC 2017 in the tightest of nut shells.

— Curtis Franklin, Security Editor, Light Reading

Curtis Franklin 2/21/2017 | 3:06:45 PM
Re: IoT elements mhui0, I'd quibble with your start date in a couple of ways:

In one direction, the IoT is even older, since embedded control systems were using proprietary networks for command and control back into the 1970s. In 1988, I became editor in chieft at Circuit Cellar INK, and we were certainly doing a lot with networked sensor and control systems.

In another direction, the use of the Internet as a key part of widespread embedded command and control is much more recent. I'm certain that TCP/IP was used for some control purposes prior to 1988, but it would have been in a research environment. I strongly suspect that we didn't start seeing any serious use until the late 90s, though I'm certainly willing to be corrected.

In any case, your basic point is sound: While we're getting alll excited about the IoT, the essential concepts (and even much of the technology) aren't new -- the only thing that's really changing is the scale of deployment and that, I think we can agree, is changing in a huge way!
Curtis Franklin 2/21/2017 | 2:55:56 PM
Re: IoT elements Joe, I think there are a lot of folks at companies like Intel that would absolutely agree with you. When I interviewed the head of Intel's drone program a few months back, I was struck by his labeling their massed-drone system a "compute platform."

To paraphrase a much older saying, if every tool is a computer, then every problem starts to look like software. Maybe it's just a short jump from where we are to the Internet of Everything.
Curtis Franklin 2/21/2017 | 2:53:16 PM
Re: Secure, secure, secure Michelle, the blended threat angle is interesting and the anwer is mostly, "Work with other systems to provide security in depth." Now, there are some companies that will say that they provide all the layers a company might need, but a growing number of vendors seem quite happy with taking a piece of the pie rather than trying to get you to make them a one-stop-shop for everything in security.
mhui0 2/18/2017 | 8:26:30 PM
Re: IoT elements The original IoT started back in 1988:


1988 - Qualcomm pioneers M2M communications

  • In August of 1988, the Company launches OmniTRACS, a satellite-based data communications system for the transportation industry that enables truck fleet operators to effectively track and monitor their vehicles in the field.
  • Later this year, Qualcomm receives its first major OmniTRACS order from Schneider National Trucking Company. Qualcomm is still a fledgling company and the order provides it with a much-needed capital infusion.

1985 - Qualcomm is founded

  • In July of 1985, seven people – Dr. Irwin M. Jacobs, Dr. Andrew Viterbi, Harvey White, Franklin Antonio, Andrew Cohen, Klein Gilhousen, and Adelia Coffman found Qualcomm, opening the Company's first office in La Jolla, California.
  • That same year, Qualcomm lands its first contract and begins working with CDMA, a unique digital wireless technology used by the U.S. military for secure communications.
Joe Stanganelli 2/18/2017 | 2:06:28 PM
IoT elements > The answer, of course, varies with precisely who's doing the defining.

I remember an IoT conference from a few years ago when one of the speakers told the audience that Uber qualified as IoT.

Note that this was well before Uber started using self-driving cars.

So to call Uber part of the Internet of Things as far back as 2014 was using an extremely liberal definition of IoT -- one that would potentially include email and all electronic communications systems as IoT.

It inspired me to write up my own analysis/story on the subject (link), and the definition I worked up boiled down to few key elements: automation, the non-necessity of a display, and the ability to effect real-world change (beyond merely pinging a human with a message).

From this perspective, IoT begins to look a lot like the beginnings of AI.
Michelle 2/17/2017 | 2:37:39 PM
Secure, secure, secure You're saying there's a lot to be secured, eh? Ever more sophisticated attacks are on the horizon, I'm sure. What are companies doing to protect against blended threats?
Sign In