Another RSA has come and gone, and I made it out the other side (after stumbling around the expo floor in an information-overload-induced haze,pummeled mercilessly with messages of fear, uncertainty, and doubt by hundreds of vendors).
Here are the topics that came up again and again in vendor booths and 1-1 discussions that I feel warrant further attention.
1. Machine Learning is table stakes. Now you have to prove it works.
Nobody cares if you say you have advanced ML. Everyone else is saying that, too. The opportunity for real differentiation lies (as always) in the usefulness of your output.
For a security vendor to make ML/AI a competitive advantage, they have to be able to prove that the dataset their ML trains on is the best, and that its output is useful, actionable, and delivers the promised results.
That's not to say ML (or AI, if we must), is useless. Far from it. AI/ML is the future of cybersecurity in so many ways. It is so important that it will be woven into the fabric of every next generation platform with any kind of analytics component. It will just be How Things Work. The marketing around AI/ML will die off, and mentions of it will be relegated to the spec sheets that fly around during procurement.
This is a good thing, but we're not quite there yet—so if you're going to talk about your AI/ML, you'd better have the evidence to back it up.
2. Perfect Forward Secrecy (PFS) is scary. Decryption is a differentiator.
Security teams need visibility. Encrypted data is hard to mine for insight. Even weakly encrypted data creates a visibility gap many security vendors can't handle, leaving their customers in the dark. With the ratification of TLS 1.3 and its default PFS setting, the visibility gap is going to get even worse.
The standard response from vendors about how they provide visibility and analytics in a situation with lots of encrypted data is either:
"You don't need to decrypt data. We get enough insight from headers and metadata to show you everything you need."
"You have to disable your encryption for us if you want full visibility."
These are both incorrect. Decrypted data provides a hell of a lot more insight than just headers and metadata, and disabling encryption is a nonstarter. Businesses seeking visibility in an increasingly encrypted network environment should be wary of vendors who claim you can't access the visibility you need while reaping the benefits of encryption.
There is a way to have your cake and eat it, too. Watch this short video to learn how to passively decrypt PFS sessions.
3. Everyone Needs A Security Architecture That Works, But Nobody Sells That
Almost none of the vendors on the expo floor at RSA talk about their products in the context of an overall security analytics architecture. The tunnel vision is severe.
Everyone sells products and solutions that fit into a neat market category. Bonus points if one of the analyst firms has already blessed the market category your vendor chose. Few vendors are leading the charge on how their customers can build an overall successful security architecture. Vendors who depend mostly on logs, endpoint data, or netflow rarely acknowledge the blind spots that inherently arise when you rely on a single data source.
It makes sense. Vendors don't want to point out their own weaknesses.
But what enterprises really need is an honest reckoning of which data sources are necessary, how to get insight out of them, and how to integrate those insights into a cohesive whole that security practitioners can act on effectively.
Jon Oltsik, Sr. Principal Analyst at ESG, will be leading a webinar on just this topic on May 17th. Tune into A Bias for Action: Security Analytics for the Advanced SOC to learn how to build an efficient, effective security architecture that actually supports a proactive SOC. Register here!