Day 2 @ RSA
My second day at RSA was very different from the first. Day 2 was the first day on which break-out sessions occurred. New this year were Birds-of-a-Feather (BoF) sessions, facilitated by practitioners to discuss topics in a round-table format. Personally, I have mixed feelings about BoF sessions, since their success or failure depends on whether participants have similar knowledge and share common perspectives.
Instead, I attended breakout sessions on security strategy and security architecture. The Day 2 breakout sessions seemed to focus on big-picture topics. Below are some of the highlights from this year’s RSA:
- SABSA (Sherwood Applied Business Security Architecture)
SABSA was mentioned in many talks on security strategy and architecture. It is adopted by various security consulting practices to link security investment to business objectives, and its proponents claim it applies broadly across industry sectors. Nevertheless, I personally believe the framework can be labour-intensive to apply and rather messy to track.
- The Cyber Kill Chain
Developed by Lockheed Martin, the Cyber Kill Chain framework was mentioned on multiple occasions at this year’s RSA. In fact, there will be dedicated sessions on kill chains tomorrow.
For those of us without a military background, a kill chain is a military concept describing the sequence of stages an attacker must complete to achieve an objective; disrupting any one stage breaks the chain. Lockheed Martin’s Cyber Kill Chain applies this to intrusions with seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Different presenters mentioned that the cyber kill chain may be somewhat limited in comparison to MITRE ATT&CK when applied across platforms and scenarios. ATT&CK catalogues adversary tactics and techniques as a matrix rather than a single linear sequence, which makes it easier to map observed behaviour onto. Nevertheless, the cyber kill chain provides an understandable description to aid security conversations.
- Annual Security Reports
No security conference is complete without a review of security reports. Admittedly, the security report space is now very crowded, with almost every security vendor publishing a report advocating the trends it observes. Two reports worth highlighting were the 2019 Verizon Data Breach Investigations Report (DBIR) and the FireEye Mandiant M-Trends 2019 report. These reports may present similar information year after year; nevertheless, they help keep us informed of how the security landscape is evolving.
- Australian Signals Directorate (ASD) Essential Eight Maturity Model
Perhaps a topic specific to the APJ region: ASD is the equivalent of the NSA in the States, according to a session presenter. The Australian authority (through its Australian Cyber Security Centre) has published eight mitigation strategies, known as the Essential Eight, together with a maturity model for measuring how well an entity has implemented them against cyber threats: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
The show floor
Beyond the breakout sessions, the show floor was in full swing on the second day. My personal impression was that the show floor contained a hybrid mix of exhibitors, though the majority of them were represented globally. I talked to different vendors to understand what they were working on. My general impression was that the security space seemed very crowded nowadays, with many vendors competing in the same space doing similar things. The homogeneous solution portfolio also seemed to apply to the start-ups in the early-stage expo. Some talented start-ups tried to break free from doing similar things, but I noticed not many attendees were at those booths. I interpreted this observation as a supply-and-demand problem; one presenter yesterday mentioned that our security industry is now reaching early maturity. There seemed to be a predefined way of how things ought to be done, and of which security solutions were going to sell to achieve commercial success.
The APJ difference
I will conclude my post by sharing what I heard from a Forrester researcher who looked into the security trends of APJ and the behaviour of APJ CISOs.
- IoT and the threat landscape remained top priorities for APJ CISOs
- Most enterprises were understaffed, and security implementations were riddled with complexity
- APJ CISOs favoured technology over staff or services, procuring additional security tools while often lacking sufficient staff to utilize or maintain them
- Most APJ CISOs remained technical and operational; they had yet to become tactical or to break free from being seen as an IT function
- Regulations and trends in APJ tended to be industry-specific and country-specific
- Regulatory bodies in APJ often lacked the ‘teeth’ for enforcement, so real change on the scale of GDPR was hard to operationalize in APJ
These six points were not as well-consolidated as I’d wished, though I believe it is important to highlight them to conclude my second-day experience. Indeed, the differences between regions were small; nevertheless, they were instrumental in explaining the unique experience I had when attending a security conference outside of the Americas.