Wednesday, March 02, 2011

RSA 2011 Conference Notes

Here is my account of the RSA 2011 conference – with all its awesomeness! I LOVE RSA and I always say that if you can only attend one security event a year – make it RSA. Now, it takes some [admittedly, small] effort to get value out of your RSA experience: the conference is not about the keynotes and not really about the [way too many] tracks of presentations. It is about our industry gathering – pretty much the entire security industry as it exists in 2011! For security training you go to SANS, for the latest attacks – to BlackHat/DEFCON (or, increasingly, to smaller conferences), but for getting a sense of the entire security industry … SECURITY BUSINESS, if I may… you MUST go to RSA.

I spent my first RSA2011 day – Monday (aka Valentine’s Day) – at Metricon. This year Metricon – and I admit to only attending about 2/3 of the day – just disappointed. This is the second year I am sacrificing all sorts of fun RSA-related events – CSA, AGC, etc. – for security metrics, and I promise I won’t do it again. Metricon this year was a shoutfest, not a conversation, about metrics. Yes, there was awesomeness there, for sure: the Verizon crew showed their early results from Veris community incident data collection (“Baker, Wade and Alex Hutton - Veris Data/Veris Community”). I loved the presentation on log analysis of DNS server data (“Fruhwirth, Proschinger, Lendl, Savola - Name Server Log Data”), which did show a few new log tricks. Then a guy from the Finnish CERT talked about automated incident reporting. Chris Eng on “Critical Consumption of Infosec Stats” was fun to watch as well, although it did turn loud a few times… A few other presentations turned into a mess, and I won’t go into details – it was painful enough being there.
RSA proper started for me on Tuesday, since – yes, I know, it is unbelievable – I spent Monday evening celebrating Valentine’s Day instead. But before, there was one awesomeness-induced day at SecurityBSides San Francisco, where I presented on SIEM (to be covered in a separate blog post).

So, apart from current and future client meetings (these always “taste better” at RSA somehow :-)), I had a chance to spend some time in the RSA Vendor Exhibition on Tuesday. Usually I allocate 5-6 hours to walk the vendor hall, talk to people (old and new) and figure out what’s up – and who’s down (=HBGary, obviously, this year). What did I see?
  • Since I expected the cloud to be a huge oppressive presence, I was not surprised. In fact, I was surprised that some booths did NOT have cloud written all over them. Cloud, BTW, is not just “a security trend of the day”! It is part of a massive “trifecta of security evil” – Virtualization + Cloud + Mobile – which will absolutely change the way we do information security in the next 3-5 years and possibly longer.
  • BTW, I learned a new definition of “virtualization security” at RSA: “a belief that your virtual infrastructure is as secure as your physical infrastructure”… aka "secured by faith"
  • The third leg of the trifecta – mobile – was not visible at all. I am not talking about the silly “mobile anti-virus” stuff, but about security solutions focused on mobile security problems (no, viruses are not one of them!). After RSA, somebody introduced me to Nukona, which will serve here as an example of mobile security solutions focused on mobile security problems (no, I am not on their advisory board)
  • I didn’t see enough application security, even counting all its incarnations. Obviously, application security plays a leading role in the security of the above “trifecta of security evil”, but somehow I have not noticed enough new approaches to appsec. I did notice a bit more whitelisting, I guess, and this approach definitely deserves to finally go into the mainstream.
  • Funnily, I noticed some sad loser vendors with big booths. What’s up, dudes? Have you blown your entire 2011 marketing budget on that RSA booth and now somebody will surely acquire you?
  • Maybe it is just me, but I have never noticed Asian companies at RSA before – this year there were a few. Is this a new trend?
  • It was also interesting to see a theme of “we unify security and compliance” (as if compliance ever existed on its own… well… it kinda did, unfortunately). What’s going on here is that vendors sold a lot of gear for compliance and now need to “sell” the worldview that all that gear is useful for security – what a shocker!
  • I also noticed a lot of network traffic and flow analysis, but absolutely no DLP. Has DLP fallen into that pig trough of disillusionment?
  • Yes, booth babes are mostly gone (except for the NSA booth, but that is totally different). However, it seems like booth monkeys are in: I had an unfortunate experience of talking with people at booths who had a very, very vague idea about security, despite having lofty titles like “VP of Marketing.” If you show up at RSA, please do your homework!
  • And sorry for a mildly idiotic final point, but why don’t we use email encryption in 2011? There was not even one vendor with a new and creative email encryption scheme. Even without the painful HBGary reminder, it seems clear that organizations treat email as sensitive protected data. How dumb is that? Please remember the old saying: unless you encrypt, email is a postcard…
On Wednesday, apart from more meetings, I did another interview with the PCI Council’s Bob Russo (to be published under separate cover).

The rest of Wednesday was spent in fun meetings with potential clients (and a quick trip to Palo Alto… don’t ask). Thursday was spent advancing the CEE log standard and even – surprise! – attending a few RSA sessions.

Fridays at RSA are always fun – not too many people at the sessions. I spent my morning at the BUS-402 “analyst roundtable” session with KuppingerCole, Gartner and Forrester, moderated by Asheem Chandna from the Greylock VC firm. Most “analyst takeaways” from RSA 2011 were pretty much about cloud and mobility. I heard a fun opinion on IT consumerization: if you deal with the security of employee devices by banning them, you will automatically make your organization unattractive to the best employees – thus increasing, not reducing, your business risk (not sure how true it is, really). Also, I didn’t realize that virtualization platform vendors are abandoning security; this was strangely stated as a fact by the analysts.

Finally, I went to President Clinton’s keynote. After tolerating the ever-so-annoying Hugh Thompson, we got the full “Clinton experience” for more than an hour. Clinton’s keynote was great – unexpectedly so. He mentioned the Tea Party 3x as often as he mentioned Obama (in the form of “Obamacare”), and spoke about how he is “socially progressive / fiscally conservative” (which is pretty awesome, IMHO). I am still shocked that I’d appreciate a politician’s speech at a security conference that much. He was more specific and fact-based than a few other keynoters at RSA2011… If the video of his keynote surfaces (maybe), do listen, just for fun.

Other fun RSA2011 accounts are tagged here: A few fun examples are “Change we can believe in?”, “RSA 2011: In Summary”, “RSA 2011: What’s My Theme?”

Dr Anton Chuvakin