Key Trends and Insights from RSAC 2023
Unpacking the Future of Cybersecurity
RSA Conference is back in full force, with the 2023 edition attracting tens of thousands from across the security community to San Francisco. The expo floor at Moscone mirrored the key trends, challenges, and themes the industry is facing, from resourcing and talent acquisition to operationalizing zero-trust architectures, to the rapid emergence of generative AI and large language models (LLMs).
Simplifying security operations through single UI, platform approaches, and managed services also surfaced as leading themes at the show, with managed service providers and MDR firms present in numbers. We saw and heard that teams are looking to consolidate technology tools, streamline workflows and processes, reduce context-switching and alert fatigue, and bridge the gap between talent and availability with platform technologies and 24/7 threat monitoring, cyber risk management, and incident response support.
Key Trends
Generative AI takes over
Generative AI and LLMs won the top prize for the most prolific trend at the show, in response to the power of OpenAI's ChatGPT. While AI has already had a substantial impact in thwarting phishing and ransomware attacks, this innovation has sparked new opportunities to improve cybersecurity outcomes and the security analyst experience using AI. This new wave raises questions about how AI can now help defenders in new ways — and of course, how attackers might abuse it.
Generalists and specialized functions throughout the SOC have good reason to be excited: real-time threat response, threat hunting query development, query and script translation, and investigation assistance bubbled up as the top use cases.
From an executive perspective, gaining visibility and control over ChatGPT and other AI tool usage for data loss prevention, insider risk, and identity threat detection and response has grown in popularity alongside the previously mentioned security benefits. AI to monitor AI usage. Are we getting too meta yet?
Between practitioners and security leaders, we see cyber risk management (which we will dig into a bit more shortly) as a growing area ripe for AI disruption. Combining large data sets, attack path mapping, and integrated threat intelligence with new AI developments has the potential to help security teams:
- Inform proactive security decision-making
- Customize and prioritize risk reduction measures
- Anticipate attacks with more speed and accuracy
- Execute automated response and remediation
Of course, none of this would be possible without the right data sets. Security organizations with AI freshly on their checklist should look for platforms capable of accessing and ingesting high volumes of data from across the digital environment.
And while some vendors announced general availability timelines for in-app assistant-style support prior to and at RSA Conference, it's clear that no single technology developer has a competitive edge today, and the race for the most effective — and safest — AI experience is only just getting started.
Zero Trust Everywhere — and I mean, everywhere
Zero Trust, the philosophy to never trust and always verify, has been around for over a decade, but more recently has regained momentum in response to the severity of ransomware attacks the industry has experienced over the last couple of years — and new frameworks and guidance coming out of federal agencies and regulators.
The Zero Trust philosophy is sound, and vendor-neutral guidance to operationalize Zero Trust is helping modern security organizations move away from traditional, no-longer-relevant perimeter-based defense to adapt more quickly to the increased speed of attacks while also enabling more flexibility and mobility within the workforce. The benefits are proven, with organizations moving toward Zero Trust seeing a significant decrease in cyber-attack-related downtime and an increase in overall security posture. But for Zero Trust to be effective, it needs to be "everywhere." Specifically, it must be ingrained within five key pillars — endpoints, networks, identity, data, and workloads/applications — with analytics, visibility, automation, and orchestration integrated across each pillar.
How does this broader context play out in San Francisco? Full Zero Trust frenzy on display at Moscone — everywhere.
Despite some less-than-meaningful claims on the show floor, no single vendor today can deliver an end-to-end Zero Trust experience, so be wary of "unified," "centralized," and "one size fits all" solutions. Instead, prioritize identifying your use cases. What risks need to be addressed, what have you deployed today, what visibility are you missing, and which platform solutions are out there that can check several boxes and work seamlessly with point solutions through purpose-built integrations?
Risk and Resilience from different angles
Resiliency and cyber risk management bubbled up from different perspectives this year as organizations work toward more proactive security strategies.
At a macro level, attack surface management, exposure management, and attack surface mapping were on full display from leading enterprise vendors to smaller shops, validating the criticality (no pun intended) of finding and inventorying both internal and internet-facing cyber assets to mitigate risk before threat actors have the chance to capitalize on exposures.
With economic headwinds swirling and headline stories about employee and developer use of ChatGPT, insider risk and data loss prevention were extremely popular solution stories on the expo floor and an area of intrigue and discussion for attendees.
From a post-incident perspective, digital forensics and incident response solutions and services were visible as an important and less frequently covered step in the resilient strategy planning process: discover, assess, mitigate — and recover when unresolved risk turns into threat activity.
And while technology and AI have massive potential to enable more resilient security strategies, we simply cannot forget about the human element. Proactively reskilling and upskilling practitioners is something that can quickly be forgotten at an event like RSAC but is one we need to keep top of mind as we face talent shortages. An exciting development in the cyber risk conversation at RSAC was the appearance of solutions for training and customized plans for analysts to assist with learning and development on new technology, new skill sets, emerging threat groups (e.g., zero-day intelligence), and new frameworks.
XDR eXplosion
If you thought we'd exhausted all the XDR announcements, you thought wrong. This RSA Conference saw several major vendor and partnership announcements for XDR and MXDR. From a user and analyst perspective, we heard a greater emphasis on the importance of NDR and capturing activity happening on the wire.
Beyond the press-release hype, even more exciting was a spark in discussion around innovation in cloud detection and response, the convergence of cloud-native with XDR, and machine learning use cases for identity and user and entity behavior analytics (UEBA). It appears identity, cloud, and data detection and response are competing to be the next most important security vector for organizations to be thinking about and for vendors to be prioritizing. And while these areas are growing in need and popularity, I can't help but think of a quote I heard this week: "Agents are HARD." The winners in the XDR battle will be those who can deliver native telemetry across these categories and other security vectors for advanced correlation with endpoint detection and response activity data.
Final thoughts on the services conversation at RSAC
Everyone wants a piece of the services pie, including but not limited to traditional resellers looking to expand their offering, vendors adding more value beyond detection and response to their packaging, and cyber insurance firms converging with managed services. Even traditional managed service providers are being pressured by customers to provide more security services, and some are finding themselves entering the MSSP game.
Hungry For More
Where was prioritization?
With incredible development and innovation across the industry, this RSAC had me asking myself, "Where was prioritization?"
Prioritization is a critical tenet, with more security teams demanding transparent risk assessments, vendor risk reduction recommendations, and more automation options to get in front of high-risk assets. Vendors investing in meaningful prioritization models are helping organizations reduce silos with cross-environment analysis, minimize alerts, manage risk more effectively, and focus security teams' efforts. With AI dominating conversations, there is a massive opportunity for those going the distance to deliver elite AI/ML-driven and user-informed prioritization and automation to help close the skills gap.
What's next for cyber risk quantification?
Security leaders are looking for new opportunities to make security more relatable outside of the IT and security organization, among their C-level peers and the board, with key performance indicators beyond MTTD, MTTR (respond or remediate), and MTTP that translate well to other types of business risk.
The largest problem with most measurements is that we — the industry — don't currently have the expertise to translate security activity into quantifiable metrics that really matter to business stakeholders.
Because what is the universal language of risk? Dollars. As the role of the cybersecurity leader continues to evolve, vendors are looking to crack the code with meaningful SOC metrics, human-readable reporting, and data visualizations that connect security outcomes and risk management strategies with business objectives, as well as other initiatives like lowering cyber insurance premiums by demonstrating strong security posture.
While this theme did not crack the top five for trending topics this year, I anticipate we could see this next year as the demand grows.
Governance for generative AI
Threat researchers are acutely aware of the potential abuse of AI models, and governance for generative AI will be a top qualifying question for security teams interested in adopting this technology. With concerns around the recent ChatGPT breach, technology vendors should prioritize AI governance in tandem with building solutions to address top security use cases.
Partnerships and potential increased acquisitions volume
Side-bar conversations around consolidation within the industry were alive and well at RSAC. Several factors influenced this discussion, including:
- Security teams eyeing platform plays, fewer tools, and greater vendor consolidation
- A high volume of partnership announcements between enterprise giants and smaller vendors
- A higher emphasis on ecosystem integrations with ISVs
- Economic headwinds affecting the start-up community
Is 2023 the year we see greater convergence among vendors? Will the RSAC 2024 floor look different?