It’s the beginning of the merry month of May and we are all back from this year’s RSA Conference—where the great and the good gathered in San Francisco for four days of informative keynotes, sessions, announcements, hallway conversations, and behind-the-scenes meetings. Now that this whirlwind of activity is behind us, we have time to reflect on the key takeaways from all that we saw, heard, and inferred.
Every year at larger-scale cybersecurity-industry events, a theme seems to emerge almost organically across talk tracks, booths, and product announcements. Last year it was zero trust; this year it was artificial intelligence (AI).
AI as an Accelerant
The topic of AI (and all its forms) permeated presentations and conversations across RSAC 2023. If this is indicative of anything, however, it is of no more than a direction of travel.
AI has been making inroads into cybersecurity for over a decade. It is already used in areas such as spam detection, website classification, AIOps, exploit detection, and malware detection—to name but a few. Until now, most of these integrations have been more under the hood, with vendors integrating AI capabilities (mostly in the form of machine learning, or ML) into core product functionality without exposing them directly to the user. Large language models (LLMs) and the ChatGPT revolution look set to change that, but we are still at the inception of the outset of the beginning of that transformation.
The “Five Most Dangerous New Attack Techniques” session, moderated by Ed Skoudis, president of the SANS Institute, is always popular, and this year was no exception. What was remarkable this year was the novelty—or lack thereof—of the techniques discussed and the fundamental nature of the recommended responses and mitigations.
Panelists discussed malicious code injection into the CI/CD pipeline, supply-chain attacks, malvertising, and search engine optimization (SEO)—all tried and tested techniques driven to greater prominence by the volume of threat actors using them. Not surprisingly, ChatGPT garnered a mention in the session, but largely as an enabling technology streamlining and turbocharging existing techniques such as social engineering, phishing, and ransomware.
Us Against the Machine
I didn’t spot any groundbreaking innovations or product announcements as I walked the floors of Moscone North and South. This year, there seemed to be more of a focus on iterative improvements and integration. There was a palpable sense of the security-vendor community finally beginning to pull together. Perhaps some of this was driven by the theme of this year’s conference, “Stronger Together”—but a lot of it was evidenced beyond slideware through increasing cross-vendor integration and cooperation.
It is heartening to see our industry acting on the essential truth that, as security vendors, our greatest competition is not one another; it is the threat actor. It is only by complementing and enhancing our mutual offerings through the entire cybersecurity stack that we more effectively empower security practitioners to beat that real competition.
My own lasting impression about RSA Conference 2023 is this: Things are about to start moving very fast. Vendor cooperation promises to drastically accelerate and enhance information security.
If you want to ride the crest of that wave, rather than be dragged along in its wake, revisit information-security fundamentals. There is no single vendor, and no silver bullet, that will give you cybersecurity, sell you zero trust, or fill your belly with threat intelligence—whatever those increasingly ill-defined terms might mean. To take full advantage of all that cybersecurity has to offer, and to better prepare for the threat landscape of the coming years, everything starts with baselining. “Know good, find evil,” as they like to say at SANS.
Moving Forward from RSAC 2023
Security starts with visibility. CISOs should be asking their suppliers of choice for greater functional integration, greater intelligence sharing, adherence to industry standards, and industry alliances that deliver something beyond a logo on a slide deck.
Your security stack should enable you to positively identify every device on your network—not just those where you can deploy an agent. It should offer you real-time visibility into communication flows, contextual enrichment, and rich historical data—helping you to “know good.” Your defense-in-depth model should never need to be single-vendor; the prospect of losing critical functionality in the event of an incident or replacement is all too real. And the burden of integration should not be on the practitioner; you already have enough burdens of your own.
Security then continues with a cooperative ecosystem—one that automates detection and triage, greasing the wheels of incident response. Defending against the proven and effective threat vector of supply-chain attacks requires an alignment of security architectures and threat-intelligence sharing across traditional IT infrastructure, DevOps, cloud, and less well-defended environments (such as, for instance, OT and IoT). All this should be buttressed with an integrated training program—preparing employees for the attacks of tomorrow, arming them against the attacks of today.
It’s a tall order, but my takeaway from RSA Conference 2023 is that it is not unattainable. We are undoubtedly stronger together.
