RSA Conference 2018 – The Key Cyber Security Priorities

This year’s RSA conference in San Francisco felt somewhat schizophrenic, with two distinct personalities coming through. The wise voice of reason came through first, suggesting vulnerability management and risk management should be our focus, while the younger more contemporary voice of progressive thinking pitched artificial intelligence and machine learning as the cure for all that ails us. Both are key cyber security priorities.

RSA Conference 2018 Opening Keynote – what it covered

The RSA Conference’s opening keynote, delivered by its President Rohit Ghai, focused on how we have got better at the basics since WannaCry affected so many critical systems last year. “We failed to patch a known vulnerability,” said Ghai, before he went on to suggest, “Since then, we have picked up our game with vulnerability risk management and patching IT and OT infrastructure.” This is interesting, since many of the big news stories covered during the WannaCry outbreak related not only to unpatched systems, but also computers running out-of-support software.

The UK’s National Health Service, for example, suffered a series of catastrophic failures because WannaCry infected their Windows XP desktop computer fleet. The focus here should be not on just security management, rather their overall IT service management coupled with business risk management, where an obvious lack of essential investment in technology planning and strategy led to that disaster.

Ghai’s advice on seeking a better solution for vulnerability management and risk management was repeated throughout the conference. Many of the speakers also suggested that the latest technology meme of automated response with artificial intelligence and machine learning will assist us in fixing all our vulnerability and risk management issues, while we focus our human efforts on incorporating better security into our software development lifecycle.

 

Remediation through Automation

Art Coviello, partner at Rally Ventures and the former chairman of RSA, said in an interview “There are too many things happening – too much data, too many attackers, too much of an attack surface to defend – that without those automated capabilities that you get with artificial intelligence and machine learning, you don’t have a prayer of being able to defend yourself.” This is so very true. Most companies are drowning in security information and the operations teams are overwhelmed by security incidents and alerts. Automation tools that can verify threats and follow a remediation playbook allow security operations centres to get ahead of the attackers.

Understanding Time at Risk

Artificial intelligence and machine learning technologies can help here too. Coviello said, “You’re also going to see it in the response category, and we’re seeing it with a number of orchestration companies that are not only creating playbooks to be able to respond more quickly and prioritize alerts but also to be able with machine learning to start to automate the response.” AI-assisted response was also discussed, where the technology is not fully responsible for the response process, rather it takes much of the threat verification heavy lifting off the SOC’s workload, freeing up the analyst’s time to properly investigate an incident or hunt for threats. False positives are the scourge of security operations centres, so any technology that helps improve data quality will be seen as positive progress.

 

Patching and Vulnerability Management

Organisations have taken their eye off the ball regarding some of the most basic cyber security practices. Patch management and vulnerability management, for example, are two of the most critical activities a security team can undertake, but oftentimes they are not done well, or even at all in some instances. As Flexera’s Alejandro Lavie says, “86 percent of bugs are patchable within 24 hours,” so these foundational activities need to be elevated to high-priority security activities.

The reality of patch management is that it is hard. It requires a lot of effort to get right and ensure the business focuses on continually keeping applications up-to-date. Oftentimes, more effort is expended on finding a reason why something cannot be patched than goes into finding a way to fix it; invariably leaving the organisation exposed. The underlying problem comes down to two things: knowing that a vulnerability has been discovered and then finding a way to install the patch without it adversely affecting the business or costing too much money. Yet, the requirements to expunge these vulnerabilities from production environments has never been greater.

Another of the speakers, David Hogue, NSA’s Cybersecurity Threat Operations Center leader, said attackers rarely even need to find zero-day exploits, because there are so many known flaws. “If you can live off the land, so to speak, you don’t need to dip into your toolkit,” he said. Again, using WannaCry and the UK’s National Health Service as an example: they were running Windows XP, which has been out of vendor support for some years, so any new vulnerability found in that operating system normally won’t have a patch released for it. And while in that case Microsoft went above and beyond and did release a patch for this particularly troublesome issue, very few vendors would be so forthcoming.

 

Security Through the Design Lifecycle

One of the most exciting and progressive shifts we’ve seen in the IT industry is the move away from legacy development methodologies, like Waterfall Development, to agile models such as DevOps. DevSecOps compliments DevOps and introduces security into the model at the most appropriate junctures to ensure each release either maintains or improves the security posture. Software development security has always been one of the driest subjects to cover, since it’s about deep code review and looking for injection issues, broken authentication services, misconfigurations and buffer overruns. Yet, it’s so very important that these checks are undertaken during the software development process, since it’s the vulnerabilities that remain in code once compiled and shipped that leave everyone else exposed to exploitation.

Putting your best security foot forward

This year’s RSA conference was a refreshing change as it wasn’t all about the new, cool stuff, rather it also highlighted the need to do the basics better. In terms of key cyber security priorities, organisations must focus on getting patch management, vulnerability management and risk management right and understand these are not easy and they require investment.

SOCs need to invest in tools to help automate threat verification and incident remediation, thus freeing up their analysts’ time to focus on the higher-value activities of investigating attacks and hunting for threats.

And finally, software development security has to improve, with entrenched security checks at every stage of the development lifecycle. DevSecOps is a new concept that implants security considerations throughout the agile DevOps lifecycle, meaning that each release either improves or maintains the security posture of the production application.

Hopefully, as 2018 continues we’ll hear less news stories pertaining to avoidable attacks, while the quality of software continues to improve, making the attacker’s life much harder. Security might even, finally, get on the front foot.