RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominantly visited to find gifts to bring home to the kids.
Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.
For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.
A couple of observations from the show floor: First, not many masked faces. Pretty risky move for risk managers. Maybe the vendors thought they could make up for this oversight by offering branded hand sanitizer. At every damn booth.
Buzzword bingo alert
Also, two acronyms dominated the banners, buses and booths around Moscone: ZT and XDR. The first, zero trust, is not a product – although a quick walk through the showcase floor would make it appear otherwise.
A zero trust security framework essentially boils down to trusting no-one on the network, let alone anyone connecting in from the outside, and assuming there has been a security breach. Instead of trusting employees or other users, devices, and networks by default, zero trust relies on using identity and behavior to verify users and machines in real time, and restricts data and access on a least-privilege basis.
National Cyber Director Chris Inglis noted this in a panel alongside CISA director Jen Easterly and NSA cybersecurity director Rob Joyce. Zero trust is an architecture – not a product. “I know [zero trust] is a much-maligned term,” he said, adding that it’s a “digital architecture compromised of technology, of people and practice doctrine.”
Many of the vendors, however, seem to have missed the ZT-is-not-a-product memo.
Meanwhile, all of the former endpoint security and security information and event management (SIEM) companies are now selling XDR – extended detection and response. This buzzy acronym was all over Moscone’s walls and expo booths, as security vendors rolled out their various flavors of threat hunting, detection and prevention across all attack surfaces.
A very informal survey of my email inbox found more than 20 such XDR product announcements from the RSA Conference. IBM, in fact, announced it acquired Randori and plans to roll that company’s software into its QRadar XDR capabilities on day one of the show.
“Everyone is frustrated with the amount of talk on AI, zero trust and XDR,” CrowdStrike CTO Mike Sentonas told The Register in an interview at his company’s hotel suite. “I talked to a CISO yesterday and she said to me, ‘I’m not going out on the trade floor. It’s too much.’ And there’s a lot of abuse of the terms as well.”
To be fair: CrowdStrike also announced updated XDR capabilities and new partners to its CrowdXDR Alliance at the event.
Everyone weighs in on Russia
While XDR and zero trust won RSA Conference buzzword bingo this year, Ukraine – and the security threats surrounding the Russian invasion – were the topics on everyone’s minds. Panelists, security execs and researchers alike all had an opinion on the Russian cyber attacks against Ukraine and why the expected attacks against the US and its allies’ critical infrastructure didn’t materialize.
The US government’s cyber chiefs swore up and down that they disclosed as much detail about potential threats as they had: “We knew about real intentions,” Joyce said.
“The Russians are horrible at combined arms,” said Dmitri Alperovitch, chair of security-centric think tank Silverado Policy Accelerator, during his keynote with Mandiant Intelligence EVP Sandra Joyce. “That’s what we’ve seen in cyber as well.”
Even former CISA director Chris Krebs weighed in on Russia during the show’s final keynote.
RSAC program boss Hugh Thompson, left, and ex-CISA director Chris Krebs chew the fat on the last day of RSA Conference
“Tactically, I would have expected the Russians to come into Ukraine and take out any sort of telecommunications – the ability to command and control and engage with lines of communication,” he said, adding that even the Russians’ influence operations – like the one that claimed Ukrainian president Volodymyr Zelenskyy had died by suicide in a Kyiv military bunker – weren’t very good.
“But what that did was it opened up space for the Ukrainians to completely dominate the information space,” he added, citing the Ghost of Kiev fighter pilot story, which was false, and the Ukrainian grandmother who went viral on social media after offering a Russian soldier sunflower seeds to put in his pocket so the flowers will grow after he dies.
Still, many security practitioners at the conference said it’s too early to completely discount a Russian cyberattack, especially as the US increases its tactical and cyber support for Ukraine.
“I don’t think Russia was ever going to take out nations and stop water flowing,” Sentonas said. “It’s not to say that they won’t do something significant. But we certainly expected [Russian cyber attacks] to be a lot more targeted, a lot more careful in nature.
“We just haven’t had the in-your-face, very public attack,” he told The Register, noting that this doesn’t mean Putin’s goons have stayed off of other countries’ networks and systems. “There are campaigns that they are running. We’ve certainly seen that around the world.”
The flip side of this, he added: while the Kremlin-backed cybercriminals have turned their attention to Ukraine as the kinetic war rages on, once it’s over Sentonas expects an uptick in Russian-backed ransomware attacks.
“I think we will get back to seeing very public ransomware groups that are affiliated with Russia,” he predicted. “We’ll start to see more of that, again, at some point, but I think they’re pretty busy right now.” ®