RSA 2016: Strategic risk management for the security-savvy enterprise

Author:  Bar Lockwood, CISA, CISM

Compared to last year’s doom and gloom, the 2016 RSA Conference, held between February 29 and March 4 in San Francisco, was cautiously optimistic. Celebrating its 25th anniversary, 40,000 participants enjoyed continuous content presented in hundreds of sessions covering nearly 30 interest areas. But certain topics drew attendees like moths to a flame. Privacy was hotly debated as the tech industry rallied to support Apple’s resistance to enabling the NSA to break into the San Bernardino terrorist’s phone (Beyond Encryption: Why We Can’t Come Together on Security and Privacy–and the Catastrophes That Await Us If We Don’t). Threat intelligence sharing gained new traction—in keynotes, in sessions, and on the Expo floor—with the recognition that effective response to cyber-attacks at both the industry and nation-state level is only possible through cross-enterprise data sharing (Louder Than Words). And the value of centralized security management and platform simplicity was illuminated by the naming of Phantom, a security capability orchestration platform, as “RSAC Most Innovative Startup 2016”.

On the more cautious side, some trepidation followed a discussion of the epochal paradigm change we are about to confront as we prepare for global device saturation—from 5 to 50 billion devices—by 2020. The CEO and Chief Editor of Foreign Policy Magazine reminded us that while we are focused on immediate threats and risks, this change is likely to have a profound impact not only on security matters, but on culture, economics, and international relations, perhaps challenging our most fundamental societal structures such as nation-state boundaries and monetary systems (The Great Questions of Tomorrow). Cyberespionage is also on the uptick, with the fear that high-end criminal enterprises will move to legitimize their operations and offer their exploits to the highest-bidding nation-state or terrorist group (The DarkWeb and Cyberespionage: Fact, Fiction and Future). With these challenges, and with a reported 200,000 cyber security jobs open across the nation, it is no wonder that the keynote speakers and tracks emphasized the need to encourage workforce education (Cyber Security Education and Workforce Development for the Nation).

Of course, there was also plenty of practical content at the conference. My focus this year was on strategic risk as it relates to technology enterprises. Here are a few presentations I found particularly informative:

1. The Seven Most Dangerous New Attack Techniques, and What’s Coming Next

Simple exploits are a thing of the past—or at least left to the more junior actors. Instead, more sophisticated attacks on SCADA systems, core platforms and infrastructure, and the subversion of powerful engineering tools are becoming commonplace. This presentation digs into seven attack types that represent this scary new world—among them the full weaponization of Windows PowerShell.

2. Data Breach Digest – Scenarios from the Field (Verizon)

Verizon, publisher of the annual Verizon Data Breach Investigations Report, refactored its VDBIR data into a set of common breach scenarios.

3. Here, There and Everywhere: How to Harness Your Value Chain Security Beast!

Cisco did a nice job summarizing a practical, step-by-step approach to securing the manufacturing supply chain end to end. While the list of requirements they use was not provided, the deck is useful as an organizing framework for ensuring that no important areas have been overlooked.

4. Understanding the Security Vendor Landscape Using the Cyber Defense Matrix

This presentation provides an approach to categorizing types of third-party solutions using a simple Cyber Defense Matrix.