In April, I spent a week in San Francisco with roughly 45,000 friends and information security colleagues. For the first time since the start of the COVID-19 pandemic, the RSA Conference felt like it was back in full swing. The buzz in the air was palpable, and it wasn’t just that people were excited to hear about the wide range of security topics covered at the event. People were happy—genuinely happy—just to be around one another. Everywhere you looked, people were socializing, clinking glasses, sharing meals, and just enjoying each other’s company. We did a pretty good job making the best of things during the pandemic, but there are some things you just can’t do over Zoom.
Over the course of the conference, I was fortunate enough to attend a number of informative and insightful events—but those in-person conversations with other security professionals were the highlight of the show. It’s hard to overstate how important it is to speak with other industry leaders to exchange ideas and perspectives and understand what’s really on everyone’s mind. I walked away from this year’s conference with a whole lot to think about.
Generative AI Is the Elephant in the Room
Yes, tools like ChatGPT are impressive—and there is palpable excitement about the potential impact they might have on the security industry. For now, though, it may be best to keep expectations reasonable. The sense at RSAC was that these tools aren’t quite ready for prime time, at least not as a detection or incident response mechanism. A human element is still necessary—generative AI tools don’t yet have the critical thinking and rationalization skills needed to make higher-level decisions, and in writing they often struggle with striking the right tone. They may get there someday—perhaps even someday soon—but they won’t be taking the place of human security analysts in the foreseeable future.
Organizations are also beginning to recognize one of generative AI’s biggest dangers: data loss. Generative AI tools don’t discriminate when it comes to sourcing data—if data is available to them, they will use it. This can lead tools to gather data that includes personally identifying information (PII), proprietary data, and other information that can make life easier for attackers—especially social engineers. At a time when companies are already grappling with how best to protect and control their data, generative AI adds an unpredictable new element to the struggle. Data loss prevention (DLP) was an understandably hot topic at RSAC, and it will be an interesting storyline to follow moving forward.
Exposure Management Had Strong Reception
Detection is getting more complicated, and it’s a fact not lost on this year’s RSAC attendees. This led to an increased focus on exposure management, and I heard more than a few security professionals discussing the need to be able to talk about risk in a comprehensive way that can be presented to (and understood by) corporate boards. Most boards don’t really want to talk detection and incident response unless they’ve been recently breached. However, with cybersecurity now a boardroom conversation, security pros are grappling with the best way to present risk-based data and continuous improvement.
This has led to a warm reception for new exposure management solutions. Today’s organizations need discovery, visibility, and validation—and they need to be able to contextualize all of those things. Exposure management solutions allow them to pull together significant amounts of data for a full visualization that can then be presented to leadership. Instead of presenting isolated “risk scores,” they can now aggregate resilience data for a contextual score, highlight specific threats, and communicate how resilient their security posture is against them. This fundamentally changes what a board-level report looks like and helps CISOs more effectively contextualize the risks they face and how they are remediating them. They now also gain the ability to track performance over time against both internal and industry benchmarks. The advent of continuous threat exposure management (CTEM) programs has created a much-needed baseline for bridging communication gaps that have traditionally existed between business and technical teams.
The keynote presentations are always a highlight of RSAC, and a broad selection of security experts covered a wide range of topics at this year’s event. A few of the keynotes that caught my eye this year included:
- Identity-based challenges. Rohit Ghai, CEO of RSA Security, gave the conference’s opening keynote, which he used to drive home the continuing challenge of identity-based attacks. He touched upon the growing threat of AI-based attacks, and suggested that identity technology is now “cresting” into the third wave of its evolution.
- Cyber deterrence. U.S. Ambassador at Large for Cyberspace & Digital Policy Nathaniel Fick spoke about the need for NATO to extend deterrence “into the digital world.” He referenced the ongoing Russia/Ukraine conflict and speculated about whether a serious cyberattack might trigger NATO’s Article 5 and instigate a broader conflict. The discussion explored the reality of cyber deterrence today, and where it might go in the future—which is something everyone should keep an eye on.
- Unconventional ransomware advice. The CEO of Triton Tech Consulting offered attendees some unusual advice, should they find themselves the victim of a ransomware attack. He advocated for a rational, emotion-free approach to ransomware, urging victims to look purely at dollars and cents and make decisions based on the ultimate outcome. He noted that, “It doesn’t make sense for us to go in and spend a million dollars for a $50,000 problem.”
- DDoS attacks on critical infrastructure. There was a very informative panel on the topic of critical infrastructure attacks, where speakers argued that DDoS attacks have overtaken ransomware as the biggest threat to critical infrastructure. Panelists included representatives from VMware, AT&T Cybersecurity, and other security players, and they noted that while detection capabilities have improved over the past several years, there is still a long way to go.
- 5 most dangerous attack techniques. The SANS Institute held a presentation on the most dangerous emerging attack techniques. They touched upon the rising danger of generative AI-powered social engineering, paid advertising attacks, and other growing trends, urging attendees to stay on top of shifting attack patterns. As with many other presentations at RSA, the SANS Institute spoke at length about the significant potential for disruption that AI now poses.
RSAC is a great place for security organizations to showcase their newest innovations, and there were a number of announcements that caught my eye at this year’s conference, including:
- IBM launches a new security suite. IBM’s new threat detection and response solution includes EDR, XDR, SIEM, SOAR, and log management capabilities, and the tech giant says it is designed to maximize both speed and efficiency. It’s another example of consolidation, as IBM looks to offer consumers more solutions under a single umbrella.
- SentinelOne reveals a new threat hunting platform. Returning to the topic of generative AI, SentinelOne is launching a new threat hunting platform that uses the technology to autonomously detect and remediate attacks. It’s an interesting idea, and it will be fascinating to see how this product (and others like it) evolve moving forward.
- Cisco launches a new XDR solution. XDR was a popular topic at RSA this year—it seems like XDR solutions are finally becoming a reality as opposed to a general concept. Cisco’s solution is currently in beta, but should launch within the next couple of months. It’s always interesting to see another major provider jump into the XDR field.
- Google Cloud adds new data controls to ChromeOS. Great to see Google adding new security controls and integrations to ChromeOS, putting more tools in the hands of users when it comes to protecting their data.
- (ISC)² releases new research. (ISC)² released a new report titled ‘Global Approaches to Cyber Policy, Legislation, and Regulation,’ which focuses on cybersecurity policies around the world. The report includes analysis of security regulations in the U.S., E.U., U.K., Canada, Japan, and beyond. The research is compelling, and it’s refreshing to see a focus on the policy level.
- Cymulate sweeps the CDM Global Infosec Awards. Of course, I would be remiss if I failed to mention the multiple awards that Cymulate won at this year’s Global Infosec Awards. Cymulate was recognized in four categories: Visionary Attack Surface Management, Best Product (Breach & Attack Simulation), Most Innovative Pentesting, and Top Women in Cybersecurity. It was a personal honor to be included in that final category, and I’d like to extend a thank you to Cyber Defense Magazine for their recognition.
A Thank You to Everyone Involved
First, thank you to all who attended Cymulate’s RSA dinner at the Kokkari Estiatorio. It was great to have the opportunity to introduce members of the Cymulate leadership team to many of our partners and customers who haven’t had the opportunity to meet them face to face. It was another example of the value and importance of an in-person event, and we look forward to hosting a similar dinner next year.
Finally, I want to thank both the RSA Conference and the city of San Francisco for doing everything they could to make this event a success. This year’s conference was a return to form, and it was incredibly meaningful to so many people to be able to come together in a way that felt both safe and welcoming. The RSA Conference is an important part of San Francisco’s economy—really, the entire ecosystem of the city—and neither RSA nor the city spared any expense in creating a safe and clean environment in which to operate. There are always challenges associated with an event of this size, so thank you to all of the organizers on both the event side and the city side for making this reunion possible.
We look forward to returning to San Francisco next year!