The RSA Conference felt 3x bigger in 2019! Maybe it was because of the recent renovations to Moscone Center, or maybe it was all of the additional vendors in the infosec space. As usual, there were lots of interesting sessions and not enough time to attend them all.
Here are some highlights from the sessions I attended during my week at RSAC 2019, along with links to the materials in case you missed them.
Session #1: RSAC Innovation Sandbox Contest
If you did not attend any pre-RSAC trainings, the main (if not the only) event to see on the first day is the Innovation Sandbox Contest. Every year, ten companies are selected for a three-minute product pitch followed by three minutes of Q&A from the panel of judges. Over the years, this event has hosted many of the biggest names, including Fortify, Imperva, Incapsula, Dome9, Webroot, Sumo Logic, Sonatype, Cylance, Bugcrowd and more…
This is a great event to see what new companies are selling. It was interesting to see that the winner this year was a company solving “the least sexy part of cybersecurity” – asset management. The company is called Axonius.
Session #2: The Cryptographers’ Panel
This has been the true “opening session” of RSAC since the first conference. This is the second time I managed to attend it, and I still got the feeling of a little boy looking at his favorite rock stars. It was surprising to see that Adi Shamir (the “S” in RSA, as all the media referred to him during that week) was absent from this panel. It was the first time in 28 years that he was not part of this session, and the reason was that this well-known, highly honored cryptographer (the Turing Award among his honors) did not manage to obtain a tourist visa for the US. Besides the discussion of this (a video of Adi addressing the crowd was played, in which he and others raised the question of where such security conferences should be held), I felt that the main topic was privacy in general.
Similar to the cryptographers’ panel, Bruce Schneier is another rock star! (Nostalgia alert: the first security book I ever read was Schneier’s “Applied Cryptography”, a must-read for any security person.)
This was an interesting talk on the place of technologists (not only security practitioners) in the public policy space. With the news about how technology is being used (Facebook and privacy, Google and Microsoft and military contracts, and more), regulation will come to the tech world, and it would be better to lead that process than to be led by it. Schneier called on technologists to become “public-interest technologists” and on schools to offer more courses on technology and society. A nice quote from his talk was “We are responsible for the world we build with our technology”.
In this talk, Google highlights the overwhelming prevalence of phishing – Gmail sees over 100M phishing emails per day.
To run a successful phishing campaign, an attacker needs to win in three domains: defeat the delivery vector (the email is not flagged), defeat the user (the user interacts with the email), and defeat the target service (the stolen authenticator can actually be used).
G Suite implements multiple layers of security to defeat phishing attempts. For the delivery vector, three methods are implemented: feature reputation (extracting domain names, IPs and URLs and evaluating them against reputation feeds), content understanding (checking that brand names and brand logos match the sender), and clustering. A few techniques for evading these types of detectors were discussed. Then several techniques for getting a user to interact with a phishing email were presented, along with how G Suite built a defense-in-depth architecture to help users understand and mitigate some of the risks of phishing emails. The session closed with tips for better email framework protections. It was an interesting talk, although I had hoped to learn a bit more about the ML/analytical methods being used (but I understand that a degree of security through obscurity is always necessary as well).
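To make the first two delivery-vector layers concrete, here is a small added example (my own illustration, not Google’s code or a description of how Gmail actually works) that runs the feature-reputation and content-understanding checks over two constructed messages. The reputation lists, brand-to-domain table and both emails are made up for the example; a real deployment would pull reputation data from threat-intelligence feeds, and the clustering layer is not shown.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reputation data for this example only (not a real feed).
BAD_DOMAINS = {"paypa1-secure.example", "login-verify.example"}
BAD_IPS = {"203.0.113.7"}
# Brand -> domains that may legitimately carry that brand (constructed).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "google": {"google.com"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def registrable(host):
    """Crude organisational domain (last two labels) used for matching."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_features(raw_message):
    """Feature extraction: sender domain, link hosts, link IPs, brands named."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    hosts, ips = set(), set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue
        (ips if IPV4_RE.fullmatch(host) else hosts).add(host)
    haystack = (body + " " + str(msg["From"])).lower()
    brands = {b for b in BRAND_DOMAINS if b in haystack}
    return {"sender_domain": sender_domain, "hosts": hosts,
            "ips": ips, "brands": brands}


def classify(raw_message):
    """Return the reasons a message is flagged; an empty list means clean."""
    f = extract_features(raw_message)
    reasons = []
    candidates = {h for h in f["hosts"] | {f["sender_domain"]} if h}
    # Layer 1: feature reputation against the (constructed) feeds.
    for h in sorted(candidates):
        if registrable(h) in BAD_DOMAINS:
            reasons.append(f"bad domain reputation: {h}")
    for ip in sorted(f["ips"]):
        if ip in BAD_IPS:
            reasons.append(f"bad IP reputation: {ip}")
        else:
            reasons.append(f"link to bare IP address: {ip}")
    # Layer 2: content understanding - a brand is named, but neither the
    # sender nor any link belongs to that brand's domains.
    linked = {registrable(h) for h in candidates}
    for brand in sorted(f["brands"]):
        if not linked & BRAND_DOMAINS[brand]:
            reasons.append(f"brand '{brand}' named without a {brand} domain")
    return reasons


# Constructed sample messages (not real mail).
PHISH = """From: "PayPal Security" <alerts@paypa1-secure.example>
To: victim@example.org
Subject: Your PayPal account is limited
Content-Type: text/html; charset=utf-8

<html><body>Dear customer, confirm your PayPal details at
<a href="http://203.0.113.7/login">this link</a> within 24 hours.</body></html>
"""

LEGIT = """From: Google <no-reply@accounts.google.com>
To: user@example.org
Subject: Security alert
Content-Type: text/plain; charset=utf-8

New sign-in on your Google Account. Review it at
https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, classify(raw) or ["clean"])
```

Each layer is independent on purpose: the IP-reputation check fires even if the sender domain were clean, and the brand check fires even with no reputation hits, which is the defense-in-depth point of the talk.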
Great talk! It presented a new way to generate and prioritize a vulnerability remediation strategy. There is a big gap between a vulnerability’s severity score and the actual probability that it is exploited. Although CVSS produces the scores that most (if not all) vendors follow, if you measure risk by whether a vulnerability is being exploited in the wild, CVSS does poorly on both Efficiency (precision: the share of remediated vulnerabilities that were actually exploited) and Coverage (recall: the share of exploited vulnerabilities that were remediated). Remediating everything rated CVSS 10 gives an Efficiency of 23.1% and a Coverage of 7%, while a random selection of the same size across all CVSS scores gives an Efficiency of 23% and a Coverage of 7.1%. This talk continues the work Kenna and Cyentia have published on this topic; the next report is due this year.
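The Efficiency and Coverage definitions above are easy to get backwards, so here is an added worked example (my own, not Kenna’s or Cyentia’s code or data) that scores a “fix everything at or above a CVSS threshold” strategy against a size-matched random baseline. The vulnerability population, the exploitation labels and the CVE identifiers are constructed for the illustration; the point is the metric, not the numbers.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str        # constructed identifier, not a real CVE
    cvss: float
    exploited: bool  # ground truth: observed exploitation in the wild


def efficiency_coverage(remediated, population):
    """Efficiency = precision of the remediated set (hits / remediated).
    Coverage = recall over all exploited vulns (hits / exploited)."""
    remediated = set(remediated)
    exploited = {v for v in population if v.exploited}
    hits = remediated & exploited
    eff = len(hits) / len(remediated) if remediated else 0.0
    cov = len(hits) / len(exploited) if exploited else 0.0
    return eff, cov


def cvss_strategy(population, threshold):
    """Remediate everything scored at or above the CVSS threshold."""
    return {v for v in population if v.cvss >= threshold}


def random_strategy(population, size, seed=0):
    """Size-matched random baseline, deterministic via the seed."""
    rng = random.Random(seed)
    ordered = sorted(population, key=lambda v: v.cve)
    return set(rng.sample(ordered, size))


def constructed_population(n=1000, seed=1):
    """Constructed population: exploitation is rare (a few percent) and only
    weakly correlated with CVSS, which is what makes the gap visible."""
    rng = random.Random(seed)
    scores = [4.3, 5.0, 6.5, 7.5, 8.8, 9.8, 10.0]
    vulns = []
    for i in range(n):
        cvss = rng.choice(scores)
        p_exploit = 0.04 + (0.01 if cvss >= 9.0 else 0.0)
        vulns.append(Vuln(f"CVE-0000-{10000 + i}", cvss, rng.random() < p_exploit))
    return vulns


def compare(population, threshold=10.0, seed=0):
    """Return {strategy: (efficiency, coverage, remediated_count)}."""
    chosen = cvss_strategy(population, threshold)
    baseline = random_strategy(population, len(chosen), seed)
    return {
        f"CVSS >= {threshold}": (*efficiency_coverage(chosen, population), len(chosen)),
        "random (same size)": (*efficiency_coverage(baseline, population), len(baseline)),
    }


if __name__ == "__main__":
    pop = constructed_population()
    for name, (eff, cov, n) in compare(pop).items():
        print(f"{name:20s} remediated={n:4d} efficiency={eff:6.1%} coverage={cov:6.1%}")
```

A strategy only beats the baseline if its Efficiency is above the population’s base rate of exploitation; on a population where severity barely predicts exploitation, the CVSS cut and the random draw land close together, which is exactly the comparison the talk made with its 23.1%/7% versus 23%/7.1% figures.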
The last event at every RSA Conference is a keynote by a well-known figure from outside security, and this year it was the talented Tina Fey (watch it here). It was a nice talk, nothing dramatic or mind-blowing, but there was one takeaway I would like to apply more in my own work: the improv motto “Yes, and…”. Fey explained that improv comedians have to live through a lot of failure and embarrassment to truly open their minds and get good at what they do. In technology we brainstorm, and like an improv comedian we must be willing to fail in order to succeed. To me, this suggests that we all need to put ourselves out there a little more to really solve modern cybersecurity challenges. It is tough to fail in front of peers, but if we are too scared to share our ideas, we will never achieve what is possible.
As an industry, we may be solving modern cybersecurity challenges with technology solutions today, but could we do better? The answer may very well be “Yes, and…”