At this year's RSA Security Conference, product managers continued to tout machine learning (ML) and artificial intelligence (AI) as technologies that could detect compromises, find vulnerabilities, and respond to attacks.
For the most part, however, security professionals are taking a more critical stance on vendors' claims about the technology. Clint Gibler, research director at NCC Group, an information assurance firm, sees potential in AI and ML—for better detection of code issues and potential attacks—but has not seen a good implementation in the field yet.
"It is a promising area, and has broad application to many domains, and in the future, it has massive implications, but I don't see anyone doing it well yet."
—Clint Gibler
The RSA Security Conference continues to deal with a fundamental truth in the world of information and software security: There are still far more problems than effective solutions. Against the backdrop of worries over the spread of the latest coronavirus, COVID-19, the perennial analogies of computer security to public health brought a bit more attention.
Information sharing? We need to do more. Fixing problems such as software vulnerabilities? We need to do it faster, said Steve Grobman, CTO at the cybersecurity firm McAfee.
"Data suggests we are not moving fast enough."
—Steve Grobman
At this year's conference, the focus seemed to be on how to achieve that speed. Here are the top takeaways for your security team.
1. Move away from complexity
Simplicity should be a major focus for all facets of security, from development teams employing DevSecOps to security operations centers looking to find attackers in business's daily network traffic. Companies should move away from complex scanning technologies for software security, such as static application security testing (SAST) and dynamic application security testing (DAST), and toward simpler test-based checks that developers can run when they check in code, said NCC Group's Gibler.
Checking that the application is secure by default and using secure wrapper libraries should make it much harder for developers to write insecure code, he said, comparing such checks to the safety features on a car.
"Instead of having a very complex investigation into your car about all the possible ways that things could go wrong, just build nice, easy seatbelts and awesome airbags that make it so that, even if something goes wrong, you are mostly fine."
—Clint Gibler
[ See TechBeacon's special coverage of RSA Conference 2020. Plus: Don't miss the post-conference highlights from RSAC 2020. ]
2. Machine learning does not replace experts
The rush to ML as a way to consume security data and produce threat intelligence has largely slowed as vendors' promises have not panned out and security managers find that their workload has not necessarily been reduced, said Mario Daigle, vice president at Micro Focus' Interset. The problem is that, while ML and AI can have some big benefits, the vendors are over-promising, he said.
"Either a CISO will believe the marketing and get their expectations crushed, or they will leave, saying that this is all smoke and there is nothing of value. The reality is that the truth is somewhere in the middle."
—Mario Daigle
A fundamental reality, though, is that companies will still need experts to work with any AI system: They still need a human to help.
3. Infrastructure as code is essential
For developers, a key advance is the increasing use of infrastructure as code and continuous deployment. When networking and server configuration are part of the application configuration, the settings can be checked for weaknesses in the same way as other application components, said NCC Group's Gibler. "You can run security checks on your infrastructure code before it is even deployed. And it makes it easy to avoid any drift over time, and get back to a pristine state," he said.
In the DevSecOps model, infrastructure as code allows continuous code and security scanning to also handle infrastructure configurations, and that removes the security team from potentially blocking development with time-consuming tests.
“Companies are trying to figure out a minimum security bar that everything has to pass before it gets released. That leads to security at development speed.”
—Clint Gibler
4. Cloud-native threats form
Companies that do not use such technologies and approaches to security put themselves at a disadvantage, McAfee's Grobman told the audience during his keynote. He demonstrated an attack that used cloud-native technologies in an unforeseen way to get a reverse shell into an Amazon Web Services instance.
Configuring the cloud is difficult, because cloud requires inherently more sophisticated policies, which add complexity and are subject to error, he said.
"This is made worse in that often things default access to the Internet, a public network. So it is easier to make errors, and when you make those errors, they are exposed to the world."
—Steve Grobman
5. Insider software-supply chain threats
Finally, the increasing use of open-source software has started to reveal a downside. Some projects have been compromised by a malicious contributor submitting vulnerable code. Because many open-source projects need development help, they may not closely check out potential contributors.
"A lot of libraries that projects are using are run by a single person or a small group, and when someone offers to push code to the project, they accept the help. We need better processes to detect bad actors."
—Clint Gibler
Buzzwords live on
RSA was not buzzword-free, of course. Quantum security continues to gain traction as a worry for the future. In his keynote, McAfee's Grobman acknowledged that the technology might not be ready now, but because data is being stolen and stored, it could be vulnerable to hacking in 10 years.
More than 70% of all network traffic is encrypted and our most critical data lives in the cloud, he said.
"Cybercriminals and nation-states can siphon off that data today and unlock it tomorrow when quantum crypto-analysis becomes practical. So let's ask, Does it matter if your data can be unlocked in five, 10, 15 years from now?"
—Steve Grobman
Security needs to mentor developers
In his talk, NCC Group’s Gibler surveyed the current state of DevSecOps and found that most companies have embarked on creating their own infrastructure for integrating security into the DevOps process.
The end goal is always the same, however. Many companies all have the same problems. They have a handful of security engineers and hundreds or thousands of software developers.
"The overall meta-goal is how do we enable the business but do it in a way that is secure? To do that, security has to move from being a group of gatekeepers, and more like coaches and mentors.”
—Clint Gibler
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
