Ogren Group Security Vibes

Hard to believe that it has been almost a week since I got home from RSA 2015! It was a whirlwind week reconnecting with friends and having fascinating security discussions at every turn. Security is riding high and this had to be the largest RSA Conference yet whether measured by numbers of attendees or exhibitors!

Of course, there is always a mix of experiences so here is my brief recap of the highs and lows of the week.

Things that made me smile:

1. The new breed of network security vendors, including Cyphort, Elastica, Lastline, and TaaSera taking dead aim on detecting malware within enterprise networks. They take different approaches, but all of them combine intelligent analysis of network and endpoint behavior to fill in the blanks between AV and IDS systems. Neat stuff!
2. FIDO and smartphone based authentication systems that elevate the prospect of widespread consumer by distributing proof of identity to remote devices. There are so many phones and devices that a person carries, that separately purchased and managed security tokens are becoming less and less appealing. I talked with Identiv, Keypasco, Nok Nok, and RSA VIA at the show and came away from each excited about the future direction of authentication.
3. A shout out to the RSA Conference itself for their edict banning booth babes. It seems like more than a few sharp female security professionals were being treated as if they were at the conference only for their looks, and of course others were there only for their ability to flaunt their curves and swipe badges. The conference committee put an end to that practice and the RSA experience was far far better as a result. Two thumbs up there!
4. Best parties? I bumped into a lot of folks at the Qualys event, and scored an autographed copy of Brian Kreb's Spam Nation for reading on a rainy New England day. I also had a great time clubbing with Royal Blood, thanks to vArmour, where it was dark enough that only a few close to me could laugh at my excuse for moves :).

Things that made me pause:

1. "Security is broken". I must have heard this a hundred times throughout the week, from CEOs to demo engineers. Unfortunately, most of the people saying "security is broken" followed it up with an upbeat description of their product's 5.2 dot release - which hasn't moved the security bar in years. I would have liked hearing more innovative attempts to fix security's problems.
2. I can't help but feel that the attention paid to Threat Intelligence is the best example of how broken security is. Think about it - it is basically tossing threat information to enterprise security and telling them to go protect themselves. Seems it is our job as security professionals to analyze security threats, protect the enterprise, and help them recover when an attack inevitably breaks through.
3. My federal government tax dollars at work. I honestly do not see how the government believes it should be in the consumer security business, and nothing has shown me that they can do the job even adequately. Yet, there were booths in the exhibit halls by the DHS, DHS Science & Technology, FBI, Federal Reserve Bank, NSA and Treasury. I get that DHS is the leading vertical for many security vendors, money talks and lively discourse is good. But wouldn't we be better served if the government figured out how to prosecute cyber-thieves, established national disclosure policies, and educated enterprises on investigative requirements for incident response plans?