Wednesday, April 29, 2009

RSA 2009 Impressions, Part IV or The Rest of RSA 2009

This is my final RSA 2009 impressions post; check out the previous ones here. Check out other coverage of RSA 2009 on security blogs here.

First, I did go to a few sessions; way fewer than I wanted. One on SIEM (which was a little sad), one on PCI (which was very exciting) and a few others mentioned below. As many others, I was shocked at how poorly the sessions were scheduled: I had situations where 4 sessions (!) running at the same time were interesting, and then there were two time slots where none were (OK, maybe it is just me :-)). Also, I was amazed to see flashes of TweetDeck everywhere in the audience; an amazing change from last year, when Twitter was virtually unheard of.

Next, I went to the Jericho Forum mini-conference, which was kinda fun in its own detached way ;-) There were a few presentations about “cloud security”, the cloud cube, etc. And, which was more fun, Philippe gave his pre-keynote presentation to the Jericho club (this is where he first mentioned cloud as a possible way to “invisible/ implicit/ unavoidable” security), which was then followed by a good discussion. Then Rich Mogul, Gunnar Peterson and Chris Hoff beat up on the Jericho folks a tiny bit (“COA is unimplementable”, “no practical examples in documents”, “confuses data centricity”, etc). Obviously, the common sense conclusion that “‘the cloud’ is no more/no less secure” was the pink elephant in the room; it’s what you do with it that counts.

Another pinky was the idea that “security is either baked in or none” for consumers; the current move to cloud computing is our second chance to bake security in. How can we not miss that chance? Since the power of large end user organizations is what often drives security (e.g. trustworthy computing at MS), unless and until large organizations say “I won't use XYZ cloud vendor unless secure up to ABC standards”, this second chance will not be taken advantage of [this BTW needs said ABC standard as well as a few metrics to boot].

On Thursday, our log standards panel was held; it was lots of fun too and we had almost 100 people (!). Dan Blum, our moderator, has a good account of it here. However, what matters is what happened before the panel: we had a three hour working meeting and made a lot of progress on the Common Event Expression (CEE) effort in particular and log standards in general (more details in the future).

On Friday I went to RSA just to see Chris Hoff and Rich Mogul do their “Disruptive Innovation and Security” session, which exuded pure awesomeness! Key items I caught:

  • Business innovation vs technology innovation vs security innovation – all 3 often seem out of sync, but security innovation is usually MORE behind.
  • Threat innovation IS business innovation – just for the criminal businesses.
  • Chris and Rich suggest that the motion from network->host->data is not linear, but part of a cyclic circular progress; a fun idea.
  • I realized that an idea that I recently “suffered” from (“intrusion tolerance”) is the same as what Chris calls “information survivability”.
  • Also, I liked their technology assessment methodology: a security impact vs business impact chart (with IDS in the bottom left corner, with both being “low”).

Finally, the most important part: the vendor hall impressions. Every year I try to “soak the vendor hall in” – and then produce insight while sitting in an armchair (that last part is key for being called “an armchair analyst” :-)). This year I got a bizarre sensation: a whole hall-full of vendors TOTALLY missing both a) security of cloud applications (broadly defined) and b) the ability to provide security services via SaaS/cloud (yes, I know these are not the same). No, this is not some Qualys PR talk – just think about it: 23 (!) RSA sessions that mention “SaaS” or “cloud computing” combined with almost NO vendors providing either a) or b) above (apart from the blatantly idiotic “cloud gods send us the virus definitions” already ridiculed here). If I were to launch a security company today, I would NEVER even think of doing software, maybe an appliance – but most likely SaaS… I bet in a few years the whole concept of “buying servers to run security on them” will be grounds for being put into an asylum (I do remember the time when my employer of 2002-2006 sometimes required 17 servers to run well…)

A few more observations from the expo: vendors adding themselves to all product categories probably means “FAIL due to lack of focus.” I saw a SIEM vendor listing themselves in a whole bunch of categories, including “Vulnerability Scanning”, and a scanning vendor listed, among other things, in “DRM” (!) Also, I saw an amazing amount of horribly confusing marketing, all the way to “not clear one bit to a certain Ph.D. ‘security insider’” :-) People, grow up! If users don’t get what you do, they will NOT buy your stuff! Among the technologies which vanished from our collective consciousness are: NAC (in a year I bet folks will ask what the letters stand for), anti-spyware and – strangely – DLP.

Overall, awesome show!

Dr Anton Chuvakin