Another RSA: Evolving Trends in Cyberthreats

Key conference takeaways from a long time RSA speaker

After nearly two decades of attending the RSA Conference, I continue to find the event to be useful more so for the people I encounter and the conversations I have than for navigating the expo floor or attending sessions. During my recent trip to San Francisco, I had the opportunity to meet up with numerous people including a variety of talented journalists and analysts from organizations such as Fifth Domain, Security Ledger, ITProTV, Security Management Magazine, and Securosis to discuss our industry from all angles. Below are some of my key takeaways and observations from conversations both on and off the show floor.

Blockchain For the Sake of Blockchain

Many discussions centered around the concept I like to refer to as ‘Blockchain For the Sake of Blockchain’ (BFSB), the use of Blockchain technologies for buzzword compliance rather than to meet a technical requirement. While I did see some valid applications for blockchain and tokens, they were vastly outnumbered by pointless uses in centralized applications that could be far better served by a simple database.

GDPR Panic – The Mad Dash to Comply

Any company that does business within the EU, or collects / processes the PII of any EU citizen, should be preparing for the EU’s General Data Protection Regulation (GDPR) to go into effect in late May this year. That means every business. It was clear throughout the conference that many organizations are still scrambling to work on compliance; and failure to do so could cost them millions of dollars.

Humans Are Still the Weakest Link

Security training continues to be a booming industry, despite the fact that humans will always fall for today’s sophisticated attacks in significant numbers. Training does seem to be effective against un-targeted phishing and fills a need to do something about the fact that technical security solutions aren’t getting the job done either. The real need is for human tolerant security solutions.

The IoT Security Tidal Wave

There were many debates over what the makers of IoT devices should be doing differently to make them more secure. While companies have ideas on how to execute a secure way to protect, wrap, or isolate the vulnerabilities that plague IoT devices, little seems to be changing at the speed we need it. The security of self-driving vehicles is a hot problem security organizations want to highlight because of the direct risk for loss of life, but there are many other ways IoT devices could lead to damaging consequences if infiltrated. For example, intelligence gathering or disruption of industrial control systems is far more likely, more distributed, and harder to fix.

The Inside is Unsafe Too

The idea that firewalls and the perimeter are becoming less important is a growing trend. There is so much opportunity for compromised devices inside the network, including BYOD laptops and phones, that we can’t think of the inside as safe anymore. If the inside is dangerous, then we need to secure all the internal surfaces to withstand attack. And if we are doing that, why not make everything easier and make them public facing? This idea is not completely crazy. It will be interesting to see how it stands up in real world use.

All in all, the 2018 RSA Conference was another great experience. It is always exciting to see how the industry evolves year over year, introducing new threats and new methods to combat them. If you are interested in learning more about my time at RSA 2018, you can check out my ITProTV interview with host Danial Lowrie, or my previous blog detailing my Peer2Peer session.