At this year's RSAC, I sat down in 49 vendor briefings, each of which lasted 30 minutes, from Monday to Friday. So if you think, "Why should I believe Alissa when she tells me about the takeaways from this year's RSA?" Well ... in the memorable words of Bill Engvall, "Here's your sign."
If the show floor at RSAC is in any way indicative of the overall trends we'll see in cybersecurity controls in 2019, then I pretty much nailed it in my Aite Group report Top 10 Trends in Cybersecurity, 2019: User Experience and Machine Learning.
The words I'd use to describe the cybersecurity trends in 2019 and takeaways from this year's RSAC are “automation,” “AI,” “data,” “removing the human,” and “frictionless.” Today's cybersecurity titans and venture-backed startups are increasingly attempting to implement more automation and machine learning into their solutions in order to make them smart enough to rely less and less on human interaction, critical thinking, and response. If we are to learn from history and avoid repeating it, humans are indeed fallible, and the vendors hawking their latest wares at RSAC are increasingly removing them from the events logjam, relying more on the technology itself (based on system and network telemetry) for decision-making, and escalating fewer and fewer events up to the eighth layer of the Open Systems Interconnection model (read: humans).
While many vendors are catching on and making sure last year’s buzzwords, such as “machine learning and AI” or “zero false positives,” were all but removed from their booth designs, they have replaced them with the new marketing bandwagon of “zero trust.”
As a follow-up to my previous blog on building the zero-trust enterprise, I'll be releasing a new report soon that will convey the fact that “zero trust” is nothing more than a colloquial term that refers to things we have always been doing (or should have been doing) on both the endpoint and the network, such as multifactor authentication, authorization, encryption, and network segmentation. But as I always say, "let them play." If coining a new term allows us to more easily refer to something that was historically a verbal vomit of acronyms and disjointed security control categories from the network to the endpoint, then so be it.
But I digress. Companies on the show floor certainly justify my belief that, indeed, pattern-matching engines are moving in the direction of machine learning, and security information and event management (SIEM) is quickly becoming legacy as security orchestration, automation, and response (SOAR) and security analytics solutions move in to relegate it to redheaded-stepchild status.
In addition to the new industrial revolution happening in the security event monitoring space with SOAR and security analytics platforms, application programming interface (API) security and mobile application security are serious concerns for chief information security officers (CISOs), for whom many vendors (both new and old) are quickly attempting to bring solutions to market. Leading this charge are companies, such as Arxan, that offer app-shielding solutions for both mobile and web applications, and that attempt to address the threat of mobile app decompiling and web app threats, such as Magecart, as well as device authentication solutions, such as iovation (a TransUnion company).
During the conference, I was invited to Arxan's headquarters in San Francisco, where I got the "view from the top." I'll soon be releasing some reports on Arxan's app-shielding technology and some staggering new vulnerability findings Aite Group discovered in financial services mobile apps.
Not far behind the SOAR and "passwordless" solution train, breach and attack simulation (BAS) solutions are ushering in a new way of doing things and challenging what many are referring to as legacy vulnerability scanners. The vulnerability scanner of yesteryear (did I really just say yesteryear?) is being replaced by BAS solutions (such as platforms from Pcysys and XM Cyber) that in their first iterations simulated steps in the kill chain using agents but are now adding capabilities for actual exploitation of vulnerabilities discovered in an effort to test security controls on the network and endpoints. While I wouldn't say BAS and similar vulnerability scanning and automated exploitation platforms are ready to replace human penetration testers, they certainly present an interesting solution for those looking to add more shiny new toys to their current control stack and provide a much better navigator for figuring out how to prioritize vulnerability remediation. I'll bet all of you right now that in a year—two at the most—CISOs will begin replacing their vulnerability scanners with BAS solutions. Mark my words ... OK, I cheated; I already know two CISOs who've decommissioned their vulnerability scanners in exchange for a BAS solution.
Over the course of 2019, I will continue to bring you the unbiased, no-nonsense, no-marketing-material, in-depth research coverage you've come to rely on. I will be reporting on solutions in cloud security/cloud access security brokers, security awareness training platforms, public key infrastructure companies, crowdsourced vulnerability platforms, API security gateways, mobile and web app security, data-loss prevention, endpoint detection and response, network segmentation, identity access management, SOAR, machine-learning-powered network and endpoint threat detection, blockchain security, and email security, to name a few.