RSAC 2016: Thoughts and Memories

Three things stood out to me at RSAC this year:

  1. Diversity
  2. Business and Innovation
  3. Collaboration

Diversity

Usually I have some general unease or complaint in this category. Not this year. While I did tweet that there was an annoying lack of diversity in keynote speakers, overall the conference felt more diverse than ever before.

Walking the expo and the conference talks felt like being in a major international city. I noticed waves of experienced and new, young and old, male and female, with clothing types and styles from many cultures easily found. It felt like the security community was being represented across an extremely wide spectrum, wider than I had ever seen before. I talked briefly with a woman wearing a niqab attending sessions (might have to do this myself next year). And while it was easy to hear the big delegations of Israelis, Chinese, Russians and Germans wandering around, I also was happy to run into a Palestinian cryptographer who wanted to talk Cloud.

Business and Innovation

Every year I do an extensive tour of the Expo and interviews to find useful products. Some tend to argue “security 1%-ers” are the only people who really would benefit from the expo and everything is positioned to be a silver bullet. That’s obviously untrue.

Adi Shamir walked with me to a booth, for example, so I could show him what I thought to be an interesting development in hardware authentication. The conversation went something like this:

  • Me: it’s interesting to see a stereo jack token form-factor. resilient, easy…
  • Adi: one form, another form, who cares. use the USB port instead. they’re all just form factors. energy harvesting? AHA! now THAT is interesting
  • Me: form factor is a problem space that needs better solutions. energy harvest wouldn’t get users excited but the security issues are something to review
  • Adi: yes, the things we can do with energy
  • Me: given low capacity we can blast with energy to cause to fail, break, overheat
  • Adi: this is not that interesting, but there are other things…

He and I were approaching things from completely different objectives. I was thinking about how to solve for user requirements; can we get these in hands immediately to improve multi-factor usage rates. He was thinking about how to solve for engineering requirements; can we break this thing.

Tools we were looking at and discussing with the vendors were not for the 1%. They were not silver bullets. They were meant for mainstream use and very focused in their application. Many such tools could be found. The problem really is not that this kind of every-person stuff does not exist. The problem is that marketing is actually extremely hard in security. If you think the buzzwords, costumes and flashing plastic garbage are annoying, you’re probably right. It just verifies how hard it is to do marketing well, to reach a wide audience with a tight message.

And that’s one of the coolest things about RSAC. So many different approaches and ideas are launched just to see if they work; we might actually find something good. It is an opportunity to find or develop mainstream tools from a diverse field of ideas. This is where people are talking about all kinds of solutions and partnerships.

On the other hand, it’s also important to look carefully for 1%-er solutions.

About five years ago at RSAC I spoke with a flash memory vendor promoting their new devices, and quickly I figured out we were going to have problems with data destruction. It was a 1%-er issue then, an early look into what was coming. In the following years I saw papers being published, almost exactly like the conversation at RSAC, about ease of extracting data from flash. And now this year I found this 1%-er issue has gone mainstream: vendors push specialized products (an extreme opposite of silver bullet) towards commodity prices to close a gap. If you have flash devices and need to destroy data, there were some small engineering-oriented vendors you should have been talking with.

Intelligence and knowledge systems are the 1%-er space of today, which actually parallels a trend in general IT. Stock up on “threat” feeds, run analysis on them with visualization, and maybe even apply learning algorithms or think about how to leverage artificial intelligence. While I could beat up our industry for going all 1%-er on this area, the wider context of overall IT puts it in perspective, and we’d be fools if our industry didn’t jump in now. The people adopting today, or at the very least discussing it, are at RSAC setting the stage for what will become 99% tools five years ahead.

A customer asked me a few weeks ago to build a specific threat feed solution. So at RSAC I set about the expo floor asking every single vendor I could to give me their proposed solution. It was actually comical and fun because it challenges the marketing folks to deliver on the spot.

Symantec came across as an utter disaster. They literally could not find anyone, over two days, to speak about their products. Sophos was all ears as I ended up telling them how good their data could be if they packaged it again for the right consumers. They apparently weren’t aware of the demand types and seemed curious. Kaspersky kept shaking my hand, saying the right people need to be found, and telling me we can do business together while not actually answering technical questions. FireEye sent me to their head of a new group focused on the exact problem. I was very impressed with the response and the quick, competent handlers. Clownstrike said they have what we need and then just walked away. LOL. Recorded Future gave me a long and detailed hands-on demonstration that was very helpful…all of which ends up in a report that goes to a customer.

To put it bluntly, this year felt like the rise of private intelligence and I expect to see this field of “knowledge” tools for analysts grow significantly over the next 2-3 years.

The inverse of this type of prediction exercise is noticing the buzzwords most likely to have disappeared: GRC, DLP, APT. Apparently vendors are realizing that the great analyst hype for some of these “tool” markets did not pan out. Do we blame the analysts who predicted these markets would boom, and created the product race, or blame the vendors who jumped in to run it?

Regulations and compliance seemed to be showing up everywhere, being discussed all the time, without being pushed obnoxiously as some kind of new thing to buy. HIPAA! PCI! No, we didn’t see that at all. There was no yelling about regulators, and at the same time it was mentioned in talks and product marketing. Compliance was pleasantly subtle, perhaps indicating an industry maturity level achieved.

Last but not least I was sad to see a lack of drone research. Despite having talk tracks on the subject, and a huge boom in drone-related security concerns, we really didn’t find much evidence of a market for security in this space yet. An investor literally told me he’d find us a billion dollars to solve some very specific drone security issues, yet walking the expo there were no offerings and no evidence of products or strong technical skills in this area.

Collaboration

With new levels of diversity, and innovation, it probably goes without saying there was an air of collaboration. While there are plenty of private parties and VIP events (literally 1,000s of side-conferences) for business to be done by old friends behind closed doors, what fascinated me was the interactions out in the open. Bumping into strangers all day and night is where things get interesting, especially as you hear “let me introduce you to…” all around.

A big concern is that there are solutions lurking around and missing their target audience. I’m speaking with some ex-Cisco guys one day who have developed a healthcare IoT fingerprinting tool. Don’t ask me why they chose healthcare, yet that’s their very narrow approach right now. The next day I’m watching my twitter feed light up about the lack of security tools designed for healthcare IoT. How do I get these two groups collaborating? RSAC is a place where I can try to make it happen.

The keynotes emphasized collaboration in a fairly formal way. Government should talk with private sector, yada yada, as we always hear. More practical is the fact that you could walk into a booth and overhear the Norwegian military discussing some use case specific to their plans for invading Finland, and then jump in and start a broader discussion about different tools and procedures for protecting doctor privacy in Africa.

Walking up and talking to strangers led to some excellent follow-on meetings and conversations around how we could work together. I dragged three friends with me into a session on hacking oil and gas, which turned out to be great fodder for conversation with a guy from NIST and an invitation to present on supply chain security to the US government.

Cloudera had a booth where I spent the better part of an hour discussing how different Big Data platforms can work together better to create a common standard for security assessors, as different staff came and went and suggested ideas. It felt like we were compressing three weeks of scheduled meetings into one impromptu intense planning session.

There are so many collaboration channels it can be overwhelming at some point, because you simply cannot pursue all the opportunities to be found at RSAC. If you want to meet with some of the best minds in the world trying to solve some of the hardest security problems, or you want to expose your ideas to a wide set of minds and collaborate in a short time, this conference can’t be beat. It’s massively massive, not a quiet walk in the park with known friends, and that’s not such a bad thing as our industry has to learn how to welcome in more and more people.
