Wednesday, March 17, 2010

RSA 2010 – Day 4-5

The final RSA 2010 post covers the last two days: Day 4-5.
As during the previous days, I had quite a few fun meetings with people that will hopefully translates in to more business for Security Warrior Consulting.


One of the days, Branden and I did our PCI book signing (picture). First, we were shocked to learn that the book actually sold out (!) at RSA bookstore and the publisher had to rush another batch in (which actually almost sold out as well by the end of the show…)

On Friday, I went to a really interesting presentation called “Got DLP. Now What?” Some guy from Forsythe delivered a VERY well-thought-through presentation on what to do after you got that DLP box. Basically, stuff on DLP program, process, even how to think about DLP (“not for malicious attacks”, “not for malicious data theft”), etc.
Just as SIEM, DLP most often fails for political and cultural reasons, not because the technology is somehow inadequate.  His range of common DLP mistakes went all the way down to “we don’t know whether we have anything sensitive, but we think DLP will protect us” (yeah right!)
I also loved that he focused on building incident response procedures first after buying DLP (and, better, even before!). Indeed, response plan is needed first (SIEM is the same – what happens when that correlation rule triggers?). He also reminded that DLP will likely require full-time employees (or staff augmentation by a skilled consultant) to operate it.
He also said that “just run DLP and then chase alerts” approach never work. Thousands of alerts – the IDS syndrome- will kill it. Starting from a detailed DLP policy is the only way (surprise! :-)); AUP or general security policy won’t do.
Another thing I loved is the dilemma of “classify first OR discover first.”  Just as I suspected, in a perfect world , “classify first” works – just not in this one (see Rich explain it here). “Discover scan first then create policy/classification” is more useful.
Similarly, “monitor first then slowly add prevention” is the only way to successful implementation. Overall, this presentation proved to me that RSA conference is not just about business development, chasing VCs and partying :-)

Finally, the juiciest bit: The Vendor Hall.


First, the meta-observation. Security industry is baaaack!  RSA 2010 felt more like super-glam RSA 2007 than like the meager RSA 2008. Economy in crisis? Not in this sector, baby! New vendors, old vendors, large vendors, small vendors – everybody is back in business [in fact, even some folks who shouldn’t be… you, triple-dead-zombies, you :-)]
Second, I noticed a lot of new security vendors with REEEEEEEEEEEEEEEALLY bad marketing, all the way down to this [BTW, somebody mentioned that the vendor in question has pretty useful and novel technology, it’s just their marketing is a bit … ya know… dumb].  BTW, “bad” here is defined as actually ineffective, not “overly deceptive” (e.g. compliance appliance) or “somehow offensive” (e.g. utilizes boobs and, especially, augmented ones).
Yes, there was even an obligatory village idiot with “we sell SOC-in-a-box” message. As well as “<our name>= Security” (while everybody knows that their name merely stands for PCI DSS compliance). And don’t even get me started on APT marketing – Rich said it best here.
Sometimes I felt like all vendors are divided into those who know what they are doing and how to market it; those who know what they are doing, but not how to market it; those who know don’t know what they are doing, but with great skills on how to market it; and, finally, those who don’t know what they are doing and have no idea how to market it (sad).
Third, it was funny when I’d approach a booth of Log Management Vendor X and everybody (including people I don’t personally know) will say “Hi Anton.” Then I approach Log Management Vendor Y and ask them a question, while wearing my name tag, and they  will say “come talk to this press guy over here” (!) and then they will start explaining to me what a columnar database is  :-) This was indeed hilarious! BTW, there was plenty of log management and SIEM vendors [some would say too many] and most if not all of them looked pretty optimistic.
Fourth, I have not picked anything that smelled like a new technology trend. It looked like most security subspaces (well, maybe not NAC…) are experiencing a major reemergence. The only thing that jumped at me (not sure why) was a large number of authentication and “access control” (loosely defined) vendors. Cloud stuff – even if in name only! – is even louder than in 2009 (substance is a bit hard to find, of course). You can try to do a quick divination on “Securosis Guide to RSA” [PDF], but I suspect all trends have been mined from there already :-)
Here is some more fun RSA 2010 (and BSides) notes from other folks (in no particular order)
  • Martin McKeay on our compliance panel
  • Rocky DeStefano on BSides and RSA
  • Securosis team on RSA (those guys also notice amazing spurt of optimism!); read this one about APT as well (quote: “astounded at the outlandish displays of idiocy and outright deception among pundits and the vendor community”)
  • More RSA 2010 and SecurityBSides impressions are here, here, here (from RSnake) etc.
  • And of course, #rsac Twitter hash tag, if you’d like to be overwhelmed.
So, I am really looking forward to RSA 2011 :-)
Possibly related posts:

Dr Anton Chuvakin