The Evolution of Cybersecurity at RSA 2019

More than ever before, the RSA Conference 2019 was “where the world talks security.” This year, over 40,000 attendees took part in 600+ sessions and visited the booths of countless technology vendors on the show floor. Keynotes, general sessions, and hands-on learning opportunities were all available on mainstay topics such as filling the cybersecurity talent pipeline, as well as advanced topics like the application of blockchain and artificial intelligence to cybersecurity. Above all, the RSA conference continues to be the most important event where security practitioners come to hone their trade, and to understand where it’s headed in the near and distant futures.

The evolution of cybsersecurity was on full display at this year’s conference. Practitioners and vendors alike spent the week discussing and strategizing innovative approaches to defend against an increasing volume and sophistication of cyber attacks. A wide variety of topics was the subject of discussion, but two stood out as central themes during the week:

1. Zero Trust
2. AI and Machine Learning

Zero Trust

The Zero-Trust security methodology isn’t new by any definition. In fact, it was introduced almost 10 years ago by former Forrester analyst John Kindervag. Despite its relative age, the ongoing redefinition of the corporate perimeter is vaulting Zero Trust into 2019’s security spotlight. Because remote work, SaaS applications, cloud hosting, and BYOD are no longer exceptions but the norm; security professionals seeking guidance are turning to Zero Trust. As this framework requires the removal of “implicit trust from the network,” multiple technologies are vying for its replacement. Nowhere has this been more evident than at this year’s conference sessions, where many provided their own definitions of the term:

• Microsoft: No More Firewalls! How Zero-Trust Networks Are Reshaping Cybersecurity
• Symantec: How to Apply a Zero-Trust Model to Cloud, Data and Identity
• MobileIron: Security for a Zero Trust World
• Cyxtera: How to Successfully Implement a Zero Trust Security Model
• Pulse Secure: Get Your Head Out of the Cloud. Zero-Trust Access for Hybrid IT
• Entrust DataCard: Zero Trust, the Goose and the Golden Ticket
  

And those were just some of the sessions with “Zero Trust” in the title! Many more mentioned Zero Trust in the context of their own sessions, while others, like Netflix, described their efforts using alternative terminology (Building Identity for an Open Perimeter). And there was no shortage of Zero-Trust presentations on the show floor, including our own covering the need for an authentication authority and multi-factor authentication as foundations for building Zero-Trust Access. We also welcomed our peers to share their own visions of how they’re impacting Zero-Trust deployments.

• iovation presented on Managing User and Device Risk in Zero Trust Environments
• ID DataWeb discussed Real Time Identity Verification for Zero Trust
• Daon reviewed Zero Trust and Biometric Security
• Simeio Solutions provided guidance on Increasing Trust from Zero with Identity Proofing
• ForcePoint covered Leveraging User and Entity Behavior Analysis for Zero Trust

Many came to the Ping booth to learn about Zero Trust and take photos with the Space Suit used in the movie First Man, also noted in CRN’s coverage of the event.

As with any popular security buzzword, great hype comes with great responsibility. As such, RSA even hosted a session designed to “separate fact from fantasy” around Zero Trust delivered by Paul Simmonds, CISO/CEO of the Global Identity Foundation. Ultimately, the underlying principles of Zero Trust were recommended for all security practitioners, no matter what they called it.

Artificial Intelligence and Machine Learning

No less prominent at the 2019 RSA Conference were the themes of artificial intelligence and machine learning. If you were a data scientist attending the conference looking for the next big problem to solve, you’d be overwhelmed by the sheer number of opportunities available to you in the field of cybersecurity. At this year’s conference, AI and ML were positioned as key enablers to predicting security breaches, vulnerability scoring, cyber-attack detection and blocking, incident response, and more.

Of particular note were educational sessions around validating a vendor’s AI and ML claims, where participants came away with research methods and qualifying questions for these assessments. To be clear, these sessions strongly advocated for the use of intelligence-based security solutions while providing attendees the tools to spot the real thing. Additionally, they provided better understanding of where AI and ML fit into broader security strategies. Armed with this knowledge, attendees could then feel confident in vetting solutions in later sessions or on the show floor. Of course, this year’s conference gave them plenty of reasons to do just that.

“Adversarial” and “offensive” were popular terms used this year to describe the use of AI and ML methods for malicious purposes, with numerous sessions highlighting these practices:

• Secure Data reviewed how hackers use ML to conduct highly targeted data exfiltration attacks while remaining undetected
• Visa discussed how they’re countering the use of ML to mimic biometric authentication factors
• Microsoft provided an overview of how hackers use AI and ML to identify security vulnerabilities

The use of complex statistical analysis in hacking is a frightening proposition. It’s why many organizations are so eager to adopt security solutions that promote intelligence over configuration, which can be insufficient to cover vulnerabilities found and exploited with AI. 

A Smarter, Less Trusting Way Forward

As it has for decades, cybersecurity will continue to evolve within and outside of the walls of the RSA conference. This year’s show revealed industry convergence around Zero Trust to address trends that have showed no signs of slowing down. It also showed an industry hyper-focused on using AI and ML to solve a wide variety of long-standing challenges in cybersecurity. The use of these tools and frameworks will continue to proliferate security architectures in ways we haven’t yet imagined, and we can all look forward to RSA Conference 2020 to see them in action!