This year's RSA conference in San Fran was an incredible success. The new layout of the Moscone Center has allowed even more exhibitors than before. It has become impossible to see everything, to follow everything, as the show has become gigantic.
Among all the sessions, several main trends emerged. The importance of the Cloud and the re-centering of security at the application level are without a doubt the most obvious.
The vulnerability exploit demos had their usual success. Trending threats like cryptojacking, ad fraud and digital extortion were heavily discussed. What was most surprising was the transparency with which the manipulation of social media was discussed, especially its potential impact on recent US and British votes. There is still a lot of education to be done so that users of these social networks learn to protect their accounts and check the sources of the information they receive. As the Founder/CTO of Sylint Group warned during his talk:
"There are controls in place to catch tech errors. Controls don't exist yet when it comes to misinformation. If I can convince you to pull a particular lever, then all of the other security measures don't mean anything."
DevSecOps is no longer a buzzword
Numerous talks were devoted to DevSecOps, in particular to the involvement of developers in security processes. Developers are starting to take on a new role: they are now the first ones responsible for data protection and for integrating it into the application lifecycle, in a blended organization that directly links security, development and operations.
Those who have long been kept away from security tasks are finally part of an effort that must be collective to be effective. It is good to finally hear a mature view of application security.
Zero Trust Initiatives, Vault7 & RITA
Another strong trend of RSAC 2019 is the increase in the number of Zero Trust initiatives. The internal network is no longer trusted by default, nor is any piece of hardware whatsoever. Zero Trust, and the solutions built around it, require us to rethink access and security policies in general. It is a healthy effort that should make security policies simpler and clearer.
Protecting the software and hardware supply chain is of utmost importance, but active threats are continuously evolving. The security community continuously identifies deep and dark web marketplaces selling botnets that enable DDoS, phishing, mining or serving more ads. Moreover, there are more and more open source frameworks to support these kinds of activities.
One standout session demonstrated how a security specialist with very little programming background was able to replicate from scratch, in less than nine months, key functionality of Assassin from the Vault7 CIA hacking tools collection. One of the key learnings of this presentation was that no commercial tool, not even the most advanced ones based on machine learning, was able to detect either the agent or its communications with the command and control infrastructure.
Another session showed that, with the increasing use of TLS certificates for phishing, more than half of all web attacks are now encrypted. The ongoing adoption of TLS 1.3, DNSSEC, DNS over HTTPS and QUIC makes the MITM-style protection of users that is still commonplace in the enterprise obsolete. Fortunately, other presentations provided insights on how to build up your protection with efficient open source countermeasures, such as RITA to detect and block hidden command and control channels on your endpoints, or OSquery to blueprint your IT environment. All of this demonstrates that your security controls need to be kept up to date and tailored to your environment and your threats.
GHIDRA is now open source
The NSA has pleased many security specialists by open-sourcing one of its most famous tools: Ghidra, the reverse engineering toolbox. The NSA's plan was to publish Ghidra so that security researchers could get used to working with this program before applying for positions with the NSA or other government intelligence agencies. It is likely that Ghidra will be useful to a much larger audience and will help many malware hunters.
"When you look at the amount of malware we have to get through, it's more than we have the talent or the manpower to handle," said Robert Joyce, an NSA senior advisor.
Most presentations concluded with very useful and straightforward immediate and medium-term follow-up actions to address emerging security issues by adapting processes or implementing new controls. Among the key follow-ups we will remember are the need for FIDO2 hardware tokens to protect your credentials and fight phishing frameworks that already intercept OTP (SMS or app-based) two-factor web authentication mechanisms, and the confirmation that signature-based security controls are easily bypassed by attackers. Obviously, user habits will have to change.
For most people, security folks speak a foreign language, with words, names and standards that are unique to them. This does not help when you claim to be serving all the other business units.
RSAC 2019 marked a milestone on this topic, with an awareness of the importance of developing language and standards understandable by most, not just security pros. This need for standardization is crucial at a time of integration and automation of security. NIST's proposed update to its Standard Content Automation Protocol (SCAP 2.0) is a great option to improve software and vulnerability inventory that will have a positive impact on tool developers, but also on users and software creators, and it is a good example of what should be done everywhere. So we can expect fewer buzzwords and more clarity in security vendors' speeches.