Greetings from balmy Boston! I hope that everyone's return from the RSA Conference was smoother than mine.
As I mentioned in my blog post about last year's Black Hat floor, I always reserve some of my time at industry events to visit other vendors' booths. It is exciting to see the emerging technologies on the outskirts of the exhibit hall and get a feel for how approaches and trends are starting to change in light of perceived shortcomings of the security market. Never before has the RSA Conference felt so large as in 2014. The organizers took a new approach to the layout to accommodate the immense growth in vendors: the South Expo that sufficed for the entire market until 2013 now serves as the largest overall area, but most of the largest security vendors (including RSA, themselves) were located in the new North Expo section, which was still large enough to not feel like a satellite exhibit hall.
The emerging technologies that generated the most buzz were actually quite broad-reaching this year. I visited a large number of them, and decided to organize my observations based on the problem they aim to solve because it is so difficult to categorize innovative solutions and I don't want to detract from their value by throwing similar solutions into a generalized bucket:
- "My endpoints are exploitable" - SurfRight's HitmanPro product is designed to secure the applications running on your Windows systems. It offers the industry-proven DEP and ASLR mitigation techniques and adds system controls to protect against ransomware and webcam recording.
- "I am a target for advanced threats" - a combination of new in-stream detection techniques and new managed security services have emerged with their eyes on targeted attacks:
  - Cyphort formally launched the week before the conference and offers a platform that can listen on a TAP or SPAN port in combination with their core options in a data center or private cloud.
  - Hexis Cyber Solutions showed up as KEYW Corp's shiny new commercially-focused merger of three early-stage remote SOC companies and wowed visitors with their demos of detecting an APT from afar.
  - eSentire invited us to "ask about the elephant in the room" (and I made off with a stuffed elephant reminder), which was that you will be hacked and offered their Active Threat Protection service to help.
  - Defence Intelligence donned hockey jerseys on their trek from Canada and showed off their Nemesis behaviour- (I said Canada) based security service as advanced malware protection.
  - OUTLIER's HBGary veterans came out of stealth mode with their Security Analytics as a Service with the verbal promise of "get us up and running and we'll find malware that is already running on your network."
- "Allowing my employees remote access is putting my data at risk" - I saw a couple of unique solutions to this consistent problem plaguing everyone that wants 24/7 workers:
  - MirageWorks demonstrated iDesk to separate all of a PC's intranet activity from the untrusted internet browsing that is forced to run in a sandbox as a part of their 4-part solution that also allows secure file exchange between internal users.
  - Zix Corp. showed their ZixOne solution to the BYOD challenge which provides a secure mobile app with all of your standard corporate email needs without ever allowing the data to reside on the device.
- "My team spends far too much time on manual incident response" - NetCitadel's ThreatOptics platform automates the collection of data relevant to the incident and attaches the data to the alerts you receive and contains them using your firewalls and web proxies.
- "I cannot make sense of the vast amount of netflow available to me" - More than a couple of security pros told me that they could not wait to "see their data" in 21CT's LYNXeon product, which allows users to explore the netflow traffic between the assets on your network, and their SC Award for Best Emerging Technology seemed to second this enthusiasm.
- "Our public-facing Web Apps are vulnerable to attack" - Shape Security grabbed a lot of attention by emerging from stealth mode in January with Shape Shifter, which displays different HTML code present on each code request with "real-time polymorphism". If that wasn't enough, they also announced a $40 million round of funding to bring their total raised to $66 million.
- "Passwords are not secure enough" - We have all heard this problem for the past 25 years, but a few vendors think that they have a better solution:
  - Microstrategy showed off Usher, their secure mobile identity that uses a smartphone and a biometric to ensure that only I can claim to be me.
  - Pindrop Security drew my attention because of my experience helping organizations confirm identities over the phone. They claim the unique ability to need only the call audio to determine which type of phone, where in the world it is, and how risky it may be without ever having heard the phone before.
  - BehavioSec takes risk-based authentication a step further than traditional device-based methods by using keystrokes and other "behavioral biometrics" to validate the identity of those attempting to log in.
- "The data in our enterprise cloud apps is readable by anyone" - While not the first solution I have seen to this problem, PerspecSys is the only one I have seen that runs on-premise and allows the customer to choose which encryption or tokenization method to use.
To once again address my biggest takeaway from the exhibit hall: we as vendors (at least the agile ones) are starting to recognize that the "layered security" approach that we spent nearly a decade recommending has led to a slow and complicated security professional role, whether you are a generalist, you focus on prevention, or on incident response. Now that we have reached the point where these skilled individuals are all gainfully employed, the products and/or services need to make their efforts more efficient.
See anything amazing that I missed here? I would love to hear about it!