Securosis Guide to RSAC 2015


Uploaded by lechurz, posted 20-Dec-2015



Securosis, L.L.C. 515 E. Carefree Highway, Suite 766 Phoenix, AZ 85085 T 602-412-3051 [email protected] www.securosis.com 1

KEY THEMES

See what the Securosis folks think will (and won’t) be the talk of the show this year.

DISASTER RECOVERY BREAKFAST

Of course we are hosting breakfast again. Duh!

COVERAGE AREA DEEP DIVES

A deeper dive into each of our subject areas.

CHECK OUT OUR RESEARCH

A list of the drivel we’ve published lately with links to our video blogs.

WHERE TO SEE US

Where you can see us speak, hang, and/or drink at the show.

DINING AND BEVERAGE GUIDE

What you need to know to survive a week in close proximity to Moscone.

Welcome to the RSA Conference Guide 2015

Way back in 2010, we here at Securosis decided to put together a little guide to the RSA Conference. Sure, there’s the official conference schedule, session descriptions, show floor map, and heck, even an entire website, but we thought people would appreciate an actual hands-on guide with a little analysis. You know, things like key themes we expect to see, analysis of major security segments, recommendations for decent restaurants, and even a breakdown of vendors based on what they actually do.

This year, the fine folks at the RSA Conference decided to let us post the content on their official blog, and offered to host the final PDF for conference attendees. All without any filters or editing. We are fairly certain someone is going to get fired. We almost feel kind of bad about that.

We realize not all of you are familiar with Securosis or how we do things, so to kick off this year’s Guide, I thought I’d give you a little background on how we produce the research and what to expect. As an analyst firm, we spend most of our time drinking and pontificating in a variety of media. Seriously. It’s a real job.

But more seriously we are fully committed to open research, which means we draft nearly everything in public on our blog, collect public comments, and then compile it into a paper. That way the world gets to see the research as we draft it, and can participate with comments and criticism – we call it Totally Transparent Research. Sometimes we even draft everything on GitHub, where you can see and participate in the entire editing process. We follow the same process for this Guide to the RSA Conference (RSAC-G for short).

The RSA Conference is the single biggest event in our industry. Love it or hate it, there is no better place to put your thumb on the security industry and get a sense of where things have been and where they are headed. But navigating such a large event and filtering out all the BS only gets harder as the event continues to grow. The goal of this RSAC-G is to help you better plan for, and take advantage of, the event.

We’ve been going to the conference over 15 years, which means at least a couple of us are closing in on spending four months of our lives wandering the halls of the Moscone Center. No, that isn’t something we are proud of, but by now we’ve learned the best combination of protein bars (ThinkThin), beverages (water and coffee, Gatorade to help with the hangover), and clothing (a good hoodie and jeans) to survive the week. And it is a week now – the days of the three-day RSA Conference seem like a distant memory.

We break the RSAC-G into three major sections, and always add a good dose of snark, memes, and humor into the Guide just to keep you guessing. It starts with what we expect to be the major themes for the show – the threads you’ll see woven throughout sessions and marketing material on the show floor. Then we dive into the major security technology areas, going deeper on what you can expect to see.

Over the years we’ve learned that RSAC, not December 31, is the best time to take stock of the security year. It’s the delineating event that many vendors plan their entire marketing cycles around. So this guide has evolved from a simple overview of a conference to an in-depth annual review of our industry. At least that’s what our enormous egos tell us.

As always, we’d like to thank all our Contributing Analysts who pitch in on this massive project every year: David Mortman, James Arlen, Dave Lewis, Gunnar Peterson, Gal Shpantzer, and Jennifer Minella – and our ever-vigilant editor, Chris Pepper. And this year we’d like to thank the RSA Conference team for taking such a big risk in letting a bunch of snarky analysts post whatever we want on their official site.

Rich, Mike, and Adrian

So it’s a surprise that we write for a living? We have faces made for radio… and podcasts…


Key Themes

How many times have you shown up at the RSA Conference to see the hype machine fully engaged on a topic or two? Remember how 1999 was going to be the Year of PKI? And 2000. And 2001. And 2002. And how every company had a solution to stop APTs in 2011. And 2012. Wait, it’s still the year of the APT. Oy. So what will be the news of the show this year? Here is a quick list of some key topics that will likely be top of mind at RSAC, along with why you should care.

Every year we like to start the RSAC Guide with a review of major themes you will most likely see woven through presentations and marketing materials on the show floor. These themes are a bit like channel-surfing late-night TV – the words and images themselves illustrate our collective psychology more than particular needs. It is easy to get excited about the latest diet supplement or workout DVD, and all too easy to be pulled along by the constant onslaught of finely-crafted messaging, but in the end what matters to you? What is the reality behind the theme? Which works? Is it low-carb, slow-carb, or all carb? Is it all nonsense designed to extract your limited financial resources? How can you glean useful nuggets from the noise?

This year we went a little nutty, and decided to theme our coverage with a sports and fitness flavor. It seemed fitting, considering the growth of security – and the massive muscle behind the sports, diet, and fitness markets.

Change

This year at RSAC the vendors are 18% more engaged, solutions are 22% more secure, and a whopping 73% of products and solutions are new. Or are they? To the untrained eye the conference floor is filled with new and sensational technologies, ripe for consumption – cutting-edge alongside bleeding-edge – where the world comes to talk security. While those percentages may be fabricated horse crap, our underlying message is about perceptions of – and influence over – real change.

“It’s like deja-vu, all over again,” as Yogi Berra once mused. Flipping through the conference guide, that will be the reaction of observers who have made their way by watching the ebbs and flows of our industry for years. The immediate recognition of companies acquired, products rebranded, and solutions washed in marketing to make them 84% shinier, feeds strong skepticism that we are actually making progress through this growth we call ‘change’. So here is our Public Service Announcement: change is not necessarily improvement.

Change can be good, bad, or neutral, but for some reason our human brains crave it when we are at an impasse. When we hit a wall or bonk – when we are frustrated, confused, or just pissed off – we seek change. Not only seek, but force and abuse it. We wield change in unusual and unnatural ways because something that’s crappy in a new and different way is better than the current crap we already have. At least with change there’s a chance for improvement, right? And there is something to be said for that. Coach John Wooden said “Failure is not fatal, but failure to change might be.” If we keep changing – if we keep taking more shots on goal – eventually we’ll score.

But are we changing the right things? Does reorganizing, rebranding, or reinventing the cloud or the IoT help in a meaningful way? Perhaps, but you are not simply at the mercy of change around you. You, too, can influence change. This year as you walk around the sessions, workshops, and booths at RSAC, look for opportunities to change other things. Change your perspective, change your circle of influence, change your approach, or change your habits. Ask questions, meet new people, and consider the unimaginable. We guarantee at least 19% change with a 12% effort, 99% of the time.

(Jen Minella, Contributing Analyst)

The Security Bonk

For better or worse, a bunch of the Securosis team have become endurance athletes. Probably more an indication of age impacting our explosiveness, and constant travel impacting our waistlines, than anything else. So we’re all too familiar with the concept of ‘bonking’: hitting the wall and capitulating. You may not give up, but you are just going through the motions.

Sound familiar to you security folks? It should. You get bonked over the head with hundreds or thousands of alerts every day. You can maybe deal with 5, and that’s a good day. So choosing the right 5 is the difference between being hacked today vs. tomorrow. Alert fatigue will be a key theme at RSA Conference 2015. You’ll see a lot of companies and sessions (wait, there are sessions at RSAC?) talking about more actionable alerts. Or increasing the signal to noise ratio. Or some similarly trite and annoying term for prioritization.

Vendors come at the problem of prioritization from different perspectives. Some will highlight shiny new analytical techniques (time for the Big Data drinking game!) to help figure out which attack represents the greatest risk. Others will talk about profiling users and looking for anomalous behavior. Yet another group will focus on understanding the adversary and sharing information about them. All with the same goal: to help you optimize limited resources before you reach the point of security bonk.

To carry the sports analogy to the next step, you are like the general manager of a football team. You’ve got holes all over your roster (attack surface) and you need to stay within your salary cap (budget). You spend a bunch of money on tools and analytics to figure out how to allocate your resources, but success depends more on people and consistent process implementation. Unfortunately people are a major constraint, given the limited number of skilled resources available. You can get staffers through free agency (expensive experienced folks, who generally want long-term deals) or draft and develop talent, which takes a long time. And in two years, if your draft picks don’t pan out or your high-priced free agents decide to join a consulting firm, you get fired. Who said security wasn’t like life? The football life, anyway!

(Mike Rothman, President)

Get Bigger (Data) Now!!!

This year at RSAC we will no doubt see the return of big data to the show floor. This comes along with all the muscle confusion it generates – not unlike CrossFit. Before you hoist me to the scaffolding or pummel me with your running shoes, let’s think about this. Other than the acolytes of this exercise regimen, who truly understands it? Say “Big Data” out loud. Does that hold any meaning for you, other than a shiny marketing buzzword and marketing imagery? It does? Excellent. If you say it three times out loud a project manager will appear, but sadly you will still need to fight for your budget.

Last year we leveraged the tired (okay, exhausted) analogy of sex in high school. Everyone talks about it but... yeah. You get the idea. Every large company out there today has a treasure trove of data available, but they have yet to truly gain any aerobic benefit from it. Certainly they are leveraging this information, but who is approaching it in a coherent fashion? Surprisingly, quite a few folks. Projects such as the Centers for Disease Control’s data visualizations, Twitter’s “Topography of Tweets”, SETI’s search for aliens, and even Yelp’s hipster tracking map. They all leverage big data in new and interesting ways. Hmm, SETI and Yelp should probably compare notes on their data sets.

These projects are happening, often despite the best intentions of organizational IT security departments. Big data is here and security teams need to get their collective heads around the situation rather than hanging about doing kipping pull-ups. As security practitioners we need to find sane ways to tackle the security aspects of these projects, to help guard against inadvertent data leakage as they thrust forward with their walking lunges. One thing we recommend is a hike out on the show floor to visit some vendors you’ve never heard of. There will be a handful of vendors developing tools specifically to protect big data clusters, and some delivering tools to keep sensitive data out of big data pools. And your Garmin will record a couple thousand more steps in the process. Additionally, just like many big data platforms and features are built by the open source community, so are security tools. These will be under-represented at the show, but a quick Google search for Apache security tools will find additional options.

Your internal security teams need to be aware of the issues with big data projects while striking a balance supporting business units. That will truly cause muscle confusion for some. If you’re looking for the big data security purveyors, they will most likely be the ones on the show floor quietly licking wounds from their workouts while pounding back energy drinks.

(Dave Lewis, Advisor)


DevOps X Games

DevOps is one of the hottest trends in all IT – sailing over every barrier in front of it like a boardercross racer catching big air on the last roller before the drop to the finish. (We’d translate that, but don’t want to make you feel too old and out of touch).

We here at Securosis are major fans of DevOps. We think it provides opportunities for security and resiliency our profession has long dreamed of. DevOps has been a major focus of our research, and even driven some of us back to writing code, because that’s really the only way to fully understand the implications.

But just because we like something doesn’t mean it won’t get distorted. Part of the problem comes from DevOps itself: there is no single definition (as with the closely related Agile development methodology), and it is as much a cultural approach as a collection of technical tools and techniques. The name alone conveys a sense of desegregation of duties – the sort of thing that rings security alarm bells. We now see DevOps discussed and used at nearly every major enterprise and startup we talk with, to varying degrees.

DevOps is a bit like extreme sports. It pushes the envelope, creating incredible outcomes that seem nearly magical from the outside. But when it crashes and burns it happens faster than that ski jumper suffering the agony of defeat (for those who remember NBC’s Wide World of Sports... it’s on YouTube now; look it up, young’ns).

Extreme sports (if that term even applies anymore) is all about your ability to execute, just like DevOps. It’s about getting the job done better and faster to improve agility, resiliency, and economics. You can’t really fake your way through building a continuous deployment pipeline, any more than you could backflip a snowmobile (really, we can’t make this stuff up – YouTube, people). We believe DevOps isn’t merely trendy, it’s our future – but that doesn’t mean people who don’t fully understand it won’t try to ride the wave.

This year expect to see a lot more DevOps. Some will be good, like the DevOps.com pre-RSAC day the Monday before the conference starts. And vendors updating products to integrate security assessment into that continuous deployment pipeline. But expect plenty of bad too, especially presentations on the ‘risks’ of DevOps from people who plainly don’t understand it: DevOps does not actually allow developers to modify production environments in defiance of policy. As for the expo floor? We look forward to seeing that ourselves... and as with anything new, we expect to see plenty of banners proclaiming antivirus is “DevOps ready”.

Posers. (Rich Mogull, CEO)


Go Pro or Go Home

In some sports the line between amateur and pro athletes can be a bit murky. Take rugby, for example, where club teams compete in a bracket system to earn their spot up (or down) the ranks of European rugby series. Imagine the Seattle Seahawks moving down to a lesser series next season as a result of their 2015 Super Bowl loss, and you start to understand the blurred lines for some professional athletes.

In the security world pressure also runs both ways. Our profession no longer needs to prove the world has a security problem – the headlines scream it nearly every day. And some people who still think they are playing club security suddenly wake up to find themselves playing in the World Cup without understanding how they got there. In only a few years our entire industry rocketed into the majors, like it or not. And to further muddle our metaphor, a fair few armchair quarterbacks are in the big leagues now, and need to put up or shut up.

All right, maybe we pushed that a little too far. Here’s the situation: information security is on the front lines of protecting our economies and infrastructure. It’s a level of validation many security professionals have wanted for years, but now that it’s here it exposes personal and professional weaknesses. There is massive demand for pragmatic security pros who can get the job done, but not enough of us to fill all the positions. It is a scarcity that must be filled, despite the skills shortage. This creates a revolving door as people pop up to positions of trust, fail to meet the requirements, and get pushed back down.

You’ll see this skills shortage play out throughout the conference. On the floor it will show as more and more companies offering services and emphasizing automation and reduction of operational costs. In presentations it will manifest as professional development and making do with less. Behind it all is a challenge: how can you go pro and stay there? The answer isn’t easy, but it isn’t a mystery either. Follow our going pro advice, and your rankings will soar.

Seek these five I’s to “Go Pro” at RSAC:

1. Integration: Create more value by connecting data points for automated actions and defense. You’ll see a lot of talks and solutions touting integration this year at RSAC. Seek out and soak in anything that could help your environment.

2. Iteration: Explore continuous improvement through DevOps and Agile methodologies. Things that build security in, rather than trying to protect from outside.

3. Intelligence: Effectively applying threat intelligence will boost your abilities. Out of the 350 breakout sessions at RSAC this year, it seems like 178 involve threat intelligence, so you have plenty of opportunity. As Michael Jordan says, “Talent wins games, but teamwork and intelligence wins championships.”

4. Innovation: Show you can go pro by sifting through marketing fluff to find the real innovation at RSAC. Oh yeah, it’s there, hiding in the haystack, and around the perimeter of the show floor.

5. Information: Don’t just consume it – give it back. Just remember that data is valued more than opinion. Opinions are like... well, you know the saying.

RSAC is the Goliath of information security conferences. Despite our critical raised brows at many vendors’ sugar-coated crap, the truth is there is a huge opportunity to learn and teach throughout the week. If you can’t find some value on your path to going pro... that’s your problem.

(Jen Minella, Contributing Analyst)


IoWTF

Have you heard a vendor brag about how their old product now protects the Internet of Things? No, it isn’t a pull-up bar – it’s an Iron Bar CrossFit (TM) Dominator!

You should be mentally prepared for the Official RSA Conference IoT Onslaught (TM). But when a vendor asks how you are protecting IoT, there’s really only one appropriate response:

“I do not think that means what you think it means.”

Not that there are no risks for Internet-connected devices. But we warned you that it would hit the hype bandwagon, way back in 2013’s Securosis Guide to RSAC:

We are only at the earliest edge of the Internet of Things, a term applied to all the myriad of devices that infuse our lives with oft-unnoticed Internet connectivity. This won’t be a big deal this year, nor for a few years, but from a security standpoint we are talking about a collection of wireless, Internet-enabled devices that employees won’t even think about bringing everywhere. Most of these won’t have any material security concerns for enterprise IT. Seriously, who cares if someone can sniff out how many steps your employees take in a day (maybe your insurance underwriter). But some of these things, especially the ones with web servers or access to data, are likely to become a much bigger problem.

We have reached the point where IoT has become the least understood and most misused term in common usage – among not just the media, but also IT people and random members of the public. Just as “cloud” spent a few years as “the Internet”, IoT will spend a few years as “anything you connect to the Internet”.

If we dig into the definitional deformation on the show floor, IoT seems to be falling into two distinct classes of product: (a) commercial/industrial things that used to be part of the industrial control world like PLCs, HVAC controls, access management systems, building controls, occupancy sensors, etc.; and (b) products for the consumer market – either from established players (D-Link, Belkin, etc.) or complete unknowns who got their start on Kickstarter or Indiegogo.

There are real issues here, especially in areas like process control systems that predate ‘IoT’ by about 50 years, but little evidence that most of these products are actually ready to address the issues, except the ones which have long targeted those segments. As for the consumer side, like fitness bands? Security is risk management, and that is so low on priority lists that it is about as valuable as a detoxifying foot pad. We aren’t dismissing all consumer product risks, but worry about web apps before lightbulbs.

At RSAC this year we will see ‘IoT-washing’ in the same way we have seen ‘cloud-washing’ for years – lots of mature technology rebranded as IoT. What we won’t see is any meaningful response to consumer IoT infiltration in the business. This lack of meaningful response nicely illustrates the other kinds of change we still need in the field: security people who can think about and understand IPv6, LoPAN, BLE, non-standard ISM radios, and proprietary protocols. SciFi writers have told us what IoT is going to look like – everything connected, all the time – so now we’d better get the learning done so we can be ready for the change that is already underway, and make meaningful risk decisions, not based on fear-mongering.

(James Arlen, Contributing Analyst)


P.Compliance.90X

Compliance. It’s a principal driver for security spending, and vendors know this. That’s why each year compliance plays a major role in vendor messaging on the RSAC show floor. A plethora of companies claiming to be “the leader in enterprise compliance products” all market the same basic message: “We protect you at all levels with a single, easy-to-use platform.” and “Our enterprise-class capabilities ensure complete data security and compliance.” Right.

The topic that best exemplifies our fitness meme is compliance. Most companies treat compliance as the end goal: you hold meetings, buy software, and generate reports, so you’re over the finish line, right? Not so much. Compliance is supposed to be like a motivational poster on a wall in the break room, encouraging you to do better – not the point itself. Buying compliance software is a little like that time you bought a Chuck Norris Total Gym for Christmas. You were psyched for fitness and harbored subconscious dreams it would turn you into a Chuck Norris badass. I mean, c’mon, it’s endorsed by Chuck Friggin’ Norris! But it sat in your bedroom unused, right next to the NordicTrack you bought a few years earlier. By March you hadn’t lost any weight, and come October the only thing it was good for was hanging laundry on, so your significant other dumped it on Craigslist.

The other side of the compliance game is the substitution of certifications and policy development for the real work of reducing risk. PCI-DSS certification suggests you care about security but does not mean you are secure – the same way chugging 1,000-calorie fruit smoothies may make you look like you care about fitness, but won’t get you healthy. Fitness requires a balance of diet and exercise over a long period; compliance requires hard work and consistent management toward the goal over years. Your compliance requirements may hinge on security, privacy, fraud reduction, or something else entirely, but success demands a huge amount of hard work.

So we chide vendors on the yearly claims about compliance made easy, and that the fastest way to get compliant is to buy this vendor’s class-leading product. But this year we think it will be a little more difficult for vendors, because there is a new sheriff in town. No, not Chuck Norris – a new set of buyers. As in every period of disruptive innovation, developers have once again begun to play a key role in making decisions on what facilities are appropriate for newer technology stacks. Big data, cloud, mobile, and analytics are owned by the fitness freaks who build these systems. Think of them as the leaner, meaner P90X fitness crowd, working their asses off and seeing the results of new technologies. They don’t invest in fancy stuff that cannot immediately show value: anything that cannot improve both productivity and reliability isn’t worth their time. Most of the value statements generated by the vendor hype machine look like Olivia Newton-John’s workout gear to this crowd – sorely out of date and totally inappropriate. Still, we look forward to watching these two worlds collide on the show floor.

(Adrian Lane, CTO)


Don’t Miss the DR Breakfast

Once again Securosis and friends are hosting our RSA Conference Disaster Recovery Breakfast at Jillian’s Thursday, April 23, from 8 to 11 am.

This is the seventh year for this event, and we are considering delivering a bloody head to Jillian’s in homage to Se7en. Maybe that wouldn’t be the best idea – it might ruin our appetites. Though given how big the DRB has become, we probably should consider tactics to cut back – we pay for insane amounts of bacon.

Kidding aside, we are grateful that so many of our friends, clients, and colleagues enjoy a couple hours away from the glitzy show floor and club scene that is now the RSAC. By Thursday if you’re anything like us you will be a disaster, and need to kick back, have some conversations at a normal decibel level, and grab a nice breakfast. Did we mention there will be bacon?

With the continued support of MSLGROUP and Kulesa Faul, as well as our new partner LEWIS PR, we are happy to provide an oasis in a morass of hyperbole, booth babes, and tchotchke hunters. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up.


Welcome to Our Coverage Area Deep Dives

Everyone likes to talk about the “security market” or the “security industry” but security in practice is more a collection of markets, tools, and practices all competing for our time, attention, and dollars. Here at Securosis we have a massive coverage map (just for fun, which doesn’t say much now that you’ve experienced some of our sense of humor), which includes seven major focus areas (including network, endpoint, and data security), and dozens of different practice and product segments.

It’s always fun to whip out when vendors are pitching us on why CISOs should spend money on their single-point defense widget instead of the hundreds of other things on the list, many of them mandated by auditors using standards that get updated once every decade or so.

Our next sections dig into the seven major coverage areas and detail what you can expect to see, based largely on what users and vendors have been talking about for the past year. You will notice considerable overlap. Cloud and DevOps, for example, affect multiple coverage areas in different ways, and the cloud is a coverage area all its own.

When you walk into the conference you are there for a reason. You already have some burning issues you want to figure out, or specific project needs. These sections will let you know what to expect and what to look for.

The information is based, in many cases, on dozens of vendor briefings and discussions with security practitioners. We try to illuminate what questions to ask, where to watch for snake oil, and what key criteria to focus on, based on successes and failures from peers who tried it first.

The earlier general themes are fun and interesting, but for those of you facing real projects these deep dives will be much more practical.


Cloud Security

Before delving into the world of cloud security we’d like to remind you of a little basic physics. Today’s lesson is on velocity vs. acceleration. Velocity is how fast you are going, and acceleration is how fast velocity increases. They affect our perceptions differently. No one thinks much of driving at 60mph. Ride a motorcycle at 60mph, or plunge down a ski slope at 50mph (not that uncommon), and you get a thrill.

But accelerate from 0mph to 60mph in 2.7 seconds in a sports car (yep, they do that), and you might need new underwear. That’s pretty much the cloud security situation right now.

Cloud computing is, still, the most disruptive force hitting all corners of IT, including security. It has pretty well become a force of nature at this point, and we still haven’t hit the peak. Don’t believe us? That’s cool ‒ not believing in that truck barreling towards you is always a good way to ensure you make it into work tomorrow morning.

(Please don’t try that ‒ we don’t want your family to sue us).

Clouds Everywhere

The most surprising cloud security phenomena are how widespread cloud computing has spread, and the increasing involvement of security teams... sort of. Last year we mentioned seeing ever more large organizations dipping their toes into cloud computing, and this year it’s hard to find any large organization without active cloud projects. Including some with regulated data.

Companies that told us they wouldn’t use public clouds a year or two ago are now running multiple active projects. Not unapproved shadow IT, but honest to goodness sanctioned projects. Every one of these cloud consumers also tells us they are planning to move more and more to the cloud over time.

Typically these start as well-defined projects rather than move-everything initiatives. A bunch we are seeing involve either data analysis (where the cloud is perfect for bursty workloads) or new consumer-facing web projects. We call these “cloud native” projects because once the customer digs in they design architectures with the cloud in mind.

We also see some demand to move existing systems to the cloud, but frequently those are projects where the architecture isn’t going to change, so the customer won’t gain the full agility, resiliency, and economic benefits of cloud computing. We call these “cloud tourists” and consider these projects ripe for failure because all they typically end up doing is virtualizing already paid-for hardware, adding the complexity of remote management, and increasing operational costs to manage the cloud environment on top of still managing just as many servers and apps.

Not that we don’t like tourists. They spend lots of money.

One big surprise is that we are seeing security teams engaging more deeply, more quickly, and more positively than in past years, when they sat still and watched the cloud rush past. There is definitely a skills gap, but we meet many more security pros who are quickly coming up to speed on cloud computing. The profession is moving past denial and anger, through bargaining (for budget, of course), deep into acceptance and... DevOps.

Okay, maybe we forced that analogy. But this year we feel comfortable saying cloud security is becoming part of mainstream security. It’s the early edge, but the age of denial and willful ignorance is drawing to a close.

Wherever You Go, There You Aren’t

Okay, you get it, the cloud is happening, security is engaging, and now it’s time for some good standards and checklists for us to keep the auditors happy and get those controls in place.

Wait, containers, what? Where did everybody go?

Not only is cloud adoption accelerating, but so is cloud technology. Encryption in the cloud too complex? That’s okay ‒ Amazon just launched a simple and cheap key management service, fully integrated with the rest of their services. Nailed down your virtual server controls for VMware? How well do those work with Docker? Okay, with whichever networking stack you picked for your Docker on AWS deployment ‒ which uses a different management structure than your Docker on VMware deployment.

Your security vendor finally offers their product as a virtual appliance? Great! How does it work in Microsoft Azure, now that you have moved to a PaaS model where you don’t control network flow? You finally got CloudTrail data into your SIEM? Nice job, but your primary competitor now offers live alerts on streaming API data via Lambda. Got those Chef and Puppet security templates set? Darn, the dev team switched everything to custom images and rollouts via autoscaling groups.

None of that makes sense? Too bad ‒ those are all real issues from real organizations.

Photo caption: This is what your vendors will be doing on the show floor when you ask them questions about how their cloud works…

Photo credit: https://flic.kr/p/5TWaQh


Everything is changing so quickly that even vendors trying to keep up are constantly dancing to fit new deployment and operations models. We are past the worst cloudwashing days, but we will still see companies on the floor struggling to talk about new technologies (especially containers), how they offer value over capabilities Amazon, Microsoft, and other major providers have added to their services, and why their products are still necessary with the new architectural models.

The good news is that not everything lives on the bleeding edge. The bad news is that this rate of change won’t let up any time soon, and the bleeding edge seems to become early mainstream more quickly than it used to.

This theme is more about what you won’t see than what you will. SIEM vendors won’t be talking much about how they compete with a cloud-based ELK stack, encryption vendors will struggle to differentiate themselves from Amazon’s Key Management Service, AV vendors sure won’t be talking about immutable servers, and network security vendors won’t really talk about the security value of their product in a properly designed cloud architecture.

On the upside not everyone lives on the leading edge. But if you attend the cloud security sessions, or talk to people actively engaged in cloud projects, you will likely see some really interesting and practical ways of managing security for cloud computing that don’t rely on ‘traditional’ approaches.

Bump in the Cloud

Last year we included a section on emerging SaaS security tools, and boy has that market taken off. We call them Cloud Security Gateways and Gartner calls them Cloud Access and Security Brokers (you only get to use 3-letter acronyms for product categories, even if you’re Gartner, or a kitten dies).

There are at least a dozen vendors in the market now, and on the surface most of them look exactly the same. That’s because the market has a reasonably clear set of requirements, and there are only so many ways to message that target. You want products to find out what cloud stuff you are using, monitor the stuff you approve, block the stuff you don’t, and add security when your cloud provider doesn’t meet your needs.

There is actually a fair amount of differentiation between these products, but it is hard to see from the surface. Most if not all of these folks will be on the show floor, and if you manage security for a mid-size or large organization, they are worth a look. But, as always, have an idea of what you need before you go in. Discovery is table stakes for this market, but there are many possible directions to take after that: from DLP, to security analysis and alerts (such as detecting account takeovers), all the way up to encryption and tokenization (often a messy approach, but also likely your only option if you do not trust your cloud provider).


One key question to ask is whether they integrate with cloud provider APIs (when available), and which. The alternative is to proxy all traffic to the cloud, which is a really crappy way to solve this problem... but often your only option. Fortunately some cloud providers offer robust APIs that reduce or eliminate the need for a CSG (see what I did there?) to sniff the connection. If they say ‘yes’, ask for specific examples.

You might see some other vendors pushing their abilities to kinda-sorta do the same thing as a CSG. Odds are you won’t be happy with their kludges, so if this is on your list stick with folks who are putting it all on the line if the product doesn’t actually work.

Calling Mr. Tufte

One thing you won’t see any shortage of is the same damn charts from every damn SIEM and analytics vendor. Seriously ‒ we have been briefed by pretty much all of them, and they all look the same. Down to the color palette.

The upside is that they now include cloud data. Mostly just Amazon CloudTrail, because no other IaaS platform offers management plane data yet (rumor has it Microsoft is coming soon).

We understand there are only so many ways to visualize this data, but the vendors also seem to be struggling to explain how their cloud data and analytics are superior to competitors’. Pretty charts are great, but you look at these things to find actionable information ‒ probably not because you enjoy staring at traffic graphs. Especially now that Amazon allows you to directly set security alerts and review activity in their own console.

Cloud Taylor Swift

You have probably noticed that we tend to focus on Amazon Web Services. That isn’t bias ‒ simply a reflection of Amazon’s significant market dominance. After AWS we see a lot of Microsoft Azure, and then a steep drop-off.

The interesting change is that we see much less demand for information on other providers than in previous years.

So don’t be surprised if vendors and sessions skew the same. Amazon really does have a big lead on everyone else, and only Microsoft (and maybe Google) is in the ballpark. That will show through in sessions and on the floor.

DevOps, Automation, Blah, Blah, Blah

We hate to dump our favorite topics into a side note at the bottom of this section, but we already went long, and are covering those topics... in pretty much every other section of this Guide. DevOps and automation are as disruptive to process as cloud is to infrastructure and architecture.

If you are interested check out our speaking schedule. Rich is leading off the Cloud and Virtualization track with Chris Hoff, and the entire Securosis team is delivering a learning lab on Pragmatic SecDevOps Wednesday at 10:20am (bring a laptop ‒ it’s hands-on). We also recommend the Cloud Security Alliance and DevOps.com events if you are in San Francisco Monday.

It’s the future of our profession, folks ‒ there is no shortage of things to talk about. Which you probably figured out 500 words ago, about when you stopped reading this drivel.


Data Security

Data security is the toughest area to write up this year. It reminds us of those bad apocalypse films, where everyone runs around building DIY tanks and improvising explosives to “save the children”, before driving off to battle the undead hordes ‒ leaving the kids with a couple spoons, some dirt, and a can of corned beef hash.

We have long argued for information-centric security ‒ protecting data needs to be an equal or higher priority with defending infrastructure itself. Thanks to a succession of major breaches and a country or two treating our corporate intellectual property like a Metallica song during Napster’s heyday, CEOs and directors now get it: data security matters. It not only matters ‒ it permeates everything we do across the practice of security (except for DDoS).

That also means data security appears in every section of this year’s RSAC Guide. But it doesn’t mean anyone has the slightest clue how to stop the hemorrhaging.

Anyone Have a Bigger Hammer?

From secret-stealing APTs, to credit card munching cybercrime syndicates, our most immediate response is... more network and endpoint security.

That’s right ‒ the biggest trends in data security are network and endpoint security. Better firewalls, sandboxes, endpoint whitelisting, and all the other stuff in those two buckets. When a company gets breached the first step (after hiring an incident response firm to quote in the press release, saying it was a “sophisticated attack”) is to double down on new anti-malware and analytics.

It makes sense. That’s how the bad guys most frequently get in. But it also misses the point.

Big 3

1. That moment when you realize data security is dependent on endpoint security…

2. You’re screwed.

3. See #1 and replace endpoint with network…

Years ago we wrote up something called the “Data Breach Triangle”. A breach requires three things: an exploit (a way in), something to steal (data), and an egress (a way out). Take away any side of that triangle, and no breach. But the exploit is probably the hardest, most expensive side to stop ‒ especially because we have spent the last thirty years working on it... unsuccessfully.

The vast majority of data security you’ll see at this conference, from presentations to the show floor, will be more of the same stuff we have always seen, but newer and shinier. As if throwing more money at the same failed solutions will really solve the problem. Look ‒ you need network and endpoint security, but doubling down doesn’t seem to be changing the odds. Perhaps a little diversification is in order.

The Cloud Ate My Babies

Data security is still one of the top two concerns we run into when working with clients on cloud projects ‒ the other is compliance. Vendors are listening, so you will see no shortage of banners and barkers offering to protect your data in the cloud.

Which is weird, because if you pick a decent cloud provider the odds are that your data is far safer with them than in your self-managed data center. Why? Economics. Cloud providers know they can easily lose vast numbers of customers if they are breached. The startups aren’t always there, but the established providers really don’t mess around ‒ they devote far more budget and effort to protecting customer data than nearly any enterprise we have worked with.

Really, how many of you require dual authorization to access any data? Exclusively through a monitored portal, with all activity completely audited and two-factor authentication enforced? That’s table stakes for these guys.

Before investing in extra data security for the cloud, ask yourself what you are protecting it from. If the data is regulated you may need extra assurance and logging for compliance. Maybe you aren’t using a major provider. But for most data, in most situations, we bet you don’t need anything too extreme. If a cloud data protection solution mostly offers to protect you from an administrator at your provider, you might want to just give them a fake number.

BYOD NABD

One area trending down is concern over data loss from portable devices. It is hard to justify spending money here when we find almost no cases of material losses or public disclosures from someone using a properly-secured phone or tablet. Especially on iOS, which is so secure the FBI is begging Congress to force Apple to add a back door (we won’t make a joke here ‒ we don’t want to get our editor fired).

You will still see it on the show floor, and maybe a few sessions (probably panels) where there’s a lot of FUD, but we mostly see this being wrapped up into Mobile Device Management and Cloud Security Gateways, and by the providers themselves. It’s still on the list ‒ just not a priority.


Encrypt, Tokenize, or Die Trying

Many organizations are beginning to realize they don’t need to encrypt every piece of data in data centers and at cloud providers, but there are still a couple of massive categories where you’d better encrypt or you can kiss your job goodbye. Payment data, some PII, and some medical data demand belt and suspenders.

What’s fascinating is that we see encryption of this data being pushed up the stack into applications. Whether in the cloud or on-premise, there is increasing recognition that merely encrypting some hard drives won’t cut it. Organizations are increasingly encrypting or tokenizing at the point of collection. Tokenization is generally preferred for existing apps, and encryption for new ones.

Unless you are looking at payment networks, which use both.

You might actually see this more in sessions than on the show floor. While there are some new encryption and tokenization vendors, it is mostly the same names we have been working with for nearly 10 years. Because encryption is hard.

Don’t get hung up on different tokenization methods; the security and performance of the token vault itself matters more. Walk in with a list of your programming languages and architectural requirements, because each of these products has very different levels of support for integrating with your projects. The lack of a good SDK in the language you need, or a REST API, can set you back months.
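To make “tokenize at the point of collection” and “the security of the token vault matters more than the token format” concrete, here is an added example (not code from this Guide or from any vendor’s product). It assumes a hypothetical in-memory `TokenVault` class, a keyed lookup index, and a detokenization allowlist; a real vault would keep its store encrypted at rest on its own segmented host.

```python
"""Tokenizing a card number at the point of collection with a minimal vault.

Added example, not code from the Securosis guide or any vendor: the PAN is
replaced by a random token as soon as it is collected; only the vault can map
the token back, so everything downstream stores tokens and the vault becomes
the one thing to protect. TokenVault and its policy are hypothetical.
"""
import hashlib
import hmac
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so malformed input is rejected before it reaches the vault."""
    if not PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory vault. Assumption for the demo: a production vault keeps this
    store encrypted at rest, on a segmented host, with every call audited."""

    def __init__(self, index_key: bytes):
        # A keyed HMAC lets us find an existing token for a PAN without keeping
        # the PAN in searchable form; an unkeyed hash of a 16-digit number is
        # trivially brute-forced, so the key must live only inside the vault.
        self._index_key = index_key
        self._by_token: dict[str, str] = {}    # token -> PAN
        self._by_index: dict[str, str] = {}    # HMAC(PAN) -> token
        self.audit: list[tuple[str, str, str]] = []   # (operation, principal, token)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, principal: str) -> str:
        """Return the token for a PAN, issuing a fresh random one if needed."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._by_index:               # same PAN -> same token (for joins)
            token = self._by_index[idx]
        else:
            while True:
                # Format-preserving: same length, digits only, last four kept for
                # receipts. The body is random, not derived from the PAN, so there
                # is nothing to reverse; bodies that happen to pass Luhn are
                # rejected so a token can never be mistaken for a real card number.
                body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                if token not in self._by_token and not luhn_valid(token):
                    break
            self._by_token[token] = pan
            self._by_index[idx] = token
        self.audit.append(("tokenize", principal, token))
        return token

    def detokenize(self, token: str, principal: str, allowed: frozenset) -> str:
        """Map a token back. This is the dangerous direction: only a short list of
        principals (e.g. the payment-processor connector) may call it, and every
        attempt, allowed or not, is recorded."""
        if principal not in allowed:
            self.audit.append(("denied", principal, token))
            raise PermissionError(f"{principal} may not detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        self.audit.append(("detokenize", principal, token))
        return self._by_token[token]
```

The design point is that the token carries no information at all: the only way from token to PAN is a vault call, which is why the vault’s access control, key handling, and audit trail are what you should be evaluating on the show floor, rather than which token format a vendor prefers.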

Cloud Encryption Gets Funky

Want to use a cloud provider but still control your own encryption keys? Want your cloud provider to offer a complete encryption and key management service? Want to NSA-proof your cloud?

Done. Done. And sort of doable.

The biggest encryption news this year comes from the cloud providers themselves, and you will start seeing it all over the place. Box now lets you manage the encryption keys used by their platform. Amazon has two different customer-managed encryption options, one of them slowly being baked into every one of their services, and the other configurable in a way you can use to prevent government snooping. Even Microsoft is getting into the game with customer-managed keys for Azure (we hear).

None of this makes the independent encryption vendors happy. Especially the startups.

But it is good news for customers, and we expect to see this trend continue each year. It just doesn’t always make sense to try bolting encryption onto the outside of your cloud. Performance and fundamental application functionality become issues. If your provider can offer it while you retain control? Then you’re golden.


Network Security

We had a little trouble coming up with a novel and pithy backdrop for what you will see in the Network Security space at RSAC 2015. We wonder if this year we will see the first IoT firewall, because hacking thermostats and refrigerators has made threat models go bonkers. The truth is that most customers are trying to figure out what to do with the new next-generation devices they already bought. We shouldn’t wonder why the new emperor looks a lot like the old emperor, when we dress our new ruler (NGFW) up in clothes (rules) that look so similar to our old-school port and protocol based rulesets.

But the fact is there will be some shiny stuff at this year’s conference, largely focused on detection. This is a very productive and positive trend ‒ for years we have been calling for a budget shift away from ineffective prevention technologies to detecting and investigating attacks. We see organizations with mature security programs making this shift, but far too many others continue to buy the marketing hyperbole, “of course you can block it”. Given that no one really knows what ‘it’ is, we have a hard time understanding how we can make real progress in blocking more stuff in the coming year.

Which means you need to respond faster and better. Huh, where have we heard that before?

Giving up on Prevention…

Talking to many practitioners over the past year I felt like I was seeing a capitulation of sorts. There is finally widespread acknowledgement that it is hard to reliably prevent attacks. And we are not just talking about space alien attacks coming from a hacking UFO. It’s hard enough for most organizations to deal with Metasploit.

Big 3

1. Where can I buy that UTM? — said by no one ever, again…

2. You’re not hadooping your network traffic? Get with the program…

3. Of course we can protect your cloud network. Just run everything through our box…

Of course we are not going all Jericho on you, advocating giving up on prevention on the network. Can you hear the sighs of relief from all the QSAs? Especially the ones feeling pressure to push full isolation of protected data (as opposed to segmentation) during assessment. Most of those organizations cannot even manage one network, so let’s have them manage multiple isolated environments. That will work out just great.

There will still be a lot of the same old same old ‒ you still need a firewall and IPS to enforce both positive (access control) and negative (attack) policies on your perimeter. You just need to be realistic about what they can block ‒ even shiny NGFW models. Remember that network security devices are not just for blocking attacks. We still believe segmentation is your friend ‒ you will continue to deploy those boxes, both to keep the QSAs happy and to ensure that critical data is separated from not-so-critical data.

And you will also hear all about malware sandboxes at the RSAC this year. Again. Everyone has a sandbox ‒ just ask them. Except some don’t call them sandboxes. I guess they are discriminating against kids who like sand in today’s distinctly politically incorrect world. They might be called malware detonation devices or services. That sounds shinier, right? But if you want to troll the reps on the show floor (and who doesn’t?), get them to debate an on-premise approach versus a cloud-based approach to detonation. It doesn’t really matter which side of the fence they are on, but it’s fun seeing them get all red in the face when you challenge them.

Finally, you may hear some lips flapping about data center firewalls. Basically just really fast segmentation devices. If they try to convince you they can detect attacks on a 40 Gbps data center network, and flash their hot-off-the-presses NSS Labs results, ask what happens when they turn on more than 5 rules at a time. If they bother you say you plan to run SSL on your internal networks and the device needs to inspect all traffic. But make sure an EMT is close by, as that strategy has been known to cause aneurysms.

To Focus on Detection…

If many organizations have given up trying to block all attacks, what the hell are they supposed to do? Spend tons of money on more appliances to detect attacks they missed at the perimeter, of course. And the security industrial complex keeps chugging along. You will see a lot of focus on network-based threat detection at the show. We ourselves are guilty of fanning the flames a bit with our new research on the topic.

The fact is that technology is moving forward. Analyzing network traffic patterns, profiling and baselining normal communications, and then looking for stuff that’s not normal, gives you a much better chance of finding compromised devices on your networks. Before your new product schematics are in some nondescript building in Shanghai, Chechnya, Moscow, or Tel Aviv. What’s new is the level of analysis possible with today’s better analytics. Booth personnel will bandy about terms like “big data” and “machine learning” like they understand what they even mean. But honestly baselines aren’t based only on NetFlow records or DNS queries any more ‒ they can now incorporate very granular metadata from network traffic including identity, content, frequency of communication, and various other attributes that get math folks all hot and bothered.


The real issue is making sure these detection devices can work with your existing gear and aren’t just a flash in the pan, due to be integrated as features of your perimeter security gateway. Okay, we would be pulling your leg if we said any aspect of detection won’t eventually become an integrated feature of other network security gear. That’s just the way it goes. But if you really need to figure out what’s happening on your network visit these vendors.
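Here is what “profile and baseline normal communications, then look for what’s not normal” boils down to in code, as an added example (not from this Guide or from any vendor’s product). The flow records, the field set (source host, identity, destination, port, bytes out), and the thresholds are all constructed assumptions for the demo; the point is that a baseline built from several attributes at once catches a new destination, a new identity, and an unusual volume as separate findings.

```python
"""Baseline normal outbound behaviour per host, then flag deviations.

Added example, not from the guide or any product: a training window of flow
metadata (source host, identity, destination, port, bytes) builds a profile
for each host; a new day's flows are scored against it. All records below are
constructed for the demo; the field set and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int
    src: str        # internal host
    user: str       # identity attached to the session (from auth logs / NAC)
    dst: str
    dst_port: int
    out_bytes: int


# Constructed training window: five quiet days for two workstations.
TRAINING = [
    f for day in range(1, 6) for f in (
        Flow(day, "ws-17", "alice", "10.0.0.5", 445, 40_000_000 + day * 1_000_000),
        Flow(day, "ws-17", "alice", "203.0.113.10", 443, 5_000_000),
        Flow(day, "ws-22", "bob", "10.0.0.5", 445, 20_000_000),
        Flow(day, "ws-22", "bob", "203.0.113.10", 443, 8_000_000),
    )
]

# Constructed day six: ws-17 pushes 1.9 GB to a never-seen host under a new identity.
NEW_DAY = [
    Flow(6, "ws-17", "alice", "10.0.0.5", 445, 44_000_000),
    Flow(6, "ws-17", "alice", "203.0.113.10", 443, 5_000_000),
    Flow(6, "ws-17", "svc-backup", "198.51.100.77", 443, 1_900_000_000),
    Flow(6, "ws-22", "bob", "10.0.0.5", 445, 20_000_000),
    Flow(6, "ws-22", "bob", "203.0.113.10", 443, 8_000_000),
]


def build_baseline(flows):
    """Per host: known (dst, port) peers, identities seen, daily out-byte stats."""
    peers, users = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        peers[f.src].add((f.dst, f.dst_port))
        users[f.src].add(f.user)
        daily[f.src][f.day] += f.out_bytes
    baseline = {}
    for host in peers:
        totals = list(daily[host].values())
        baseline[host] = {"peers": peers[host], "users": users[host],
                          "mean": mean(totals), "stdev": pstdev(totals)}
    return baseline


def score_day(flows, baseline, z=3.0, floor_ratio=0.1):
    """Return (host, kind, detail) findings: new peer, new identity, or volume.

    A host with a perfectly flat history has stdev 0, which would flag any
    growth at all, so the spread is floored at floor_ratio * mean."""
    findings, day_bytes = [], defaultdict(int)
    for f in flows:
        prof = baseline.get(f.src)
        if prof is None:
            findings.append((f.src, "unknown host", f"{f.dst}:{f.dst_port}"))
            continue
        if (f.dst, f.dst_port) not in prof["peers"]:
            findings.append((f.src, "new peer", f"{f.dst}:{f.dst_port}"))
        if f.user not in prof["users"]:
            findings.append((f.src, "new identity", f.user))
        day_bytes[f.src] += f.out_bytes
    for host, total in day_bytes.items():
        prof = baseline[host]
        spread = max(prof["stdev"], floor_ratio * prof["mean"])
        if total > prof["mean"] + z * spread:
            findings.append((host, "volume",
                             f"{total} bytes out vs baseline mean {prof['mean']:.0f}"))
    return findings
```

Ask a detection vendor which of these attributes their baseline actually uses and how they handle the flat-history case; a product that only thresholds on bytes will miss the new peer and the new identity, which in this constructed day are the earlier and cheaper signals.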

While Consolidating Functions…

What hasn’t changed is that big organizations think they need separate devices for all their key functions. Or has it? Is best of breed (finally) dead? Well, not exactly, but that has more to do with politics than technology. Pretty much all the network security players have technologies that allow authorized traffic and block attacks. Back when category names mattered, those functions were called firewalls and IPS respectively. But now everything is a next-generation firewall, right? But it does a lot more than a firewall. It also detonates malware (or integrates with a cloud service that does). And it looks for command and control traffic patterns. All within one or many boxes, leveraging a single policy set, right?

But that’s a firewall. Just ask Gartner. Sigh. And no, we won’t troll you any more by calling it an Enterprise UTM for old time’s sake.

Product categories aside, regardless of whether a network security vendor started as a firewall player or with IPS (or both, thanks to the magic of acquisitions), they are all attacking the same real estate: what we call the network security gateway. The real question is: how can you get there? On the show floor focus on migration. You know you want to enforce both access control and attack policies on the device. You probably want to look for malware on ingress, and C&C indicators on egress. And you don’t want to wrestle with 10 different management interfaces. Challenge the SEs in the booths (you know, the folks who know what they are doing) to sketch out how they’d solve your problem on a piece of paper. Of course they’ll be wrong, but it should be fun to see what they come up with on the fly.

What do you mean we may have too many things in the device?


And Looking for Automation…

Another hot topic in network security will be automation. Because managing hundreds of firewalls is a pain in the ass. Actually, managing hundreds of any kind of complicated technology causes ulcers. So a bunch of new startups will be in the Innovation Sandbox detonating malware. No, not that kind of sandbox. RSAC’s showcase for new companies and technologies, where they will happily show you how to use an alert from your SIEM or a bad IP address from your threat intelligence provider to make changes automagically on your firewalls. They have spent a bunch of time making sure they support vintage 2007 edge routers and lots of other devices to make sure they have you covered.

But all the same, you have been flummoxed by spending 60% of your time opening ports for those pesky developers who cannot seem to understand that port 443 is a legitimate port, and they don’t need a special port. Automating some of those rote functions can free you up to do more important and strategic things. As long as the booth rep isn’t named John Connor, everything should be fine.
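The kind of automation described above, taking a bad address from a threat intelligence feed and pushing it to the firewall, is exactly where a missing check turns into a self-inflicted outage. As an added example (not from this Guide or from any automation vendor), here is the guardrail logic a practitioner would want in front of that change: parse the feed, refuse internal ranges, an allowlist and over-broad prefixes, cap the batch size, and render the firewall commands for review rather than executing them. The feed contents, the internal ranges, the allowlist, and the nftables set names are constructed assumptions.

```python
"""From a threat-intelligence feed to a firewall change, with guardrails.

Added example, not from the guide or any automation product: parse a feed of
indicators, keep only well-formed addresses that are safe to block, and render
the nftables commands for a reviewer (nothing is executed here). The feed, the
internal ranges, the allowlist and the set names are constructed assumptions.
"""
import ipaddress

# Constructed feed with the problems real feeds have: comments, a CIDR, an
# internal address that leaked in, an address we depend on, junk, a duplicate.
FEED = """\
# source: example-intel (constructed)
198.51.100.23
203.0.113.0/24
10.0.0.5           # internal address that should never be pushed to the edge
8.8.8.8            # resolver we rely on; blocking it would self-DoS
not-an-ip
2001:db8::1
198.51.100.23      # duplicate
"""

# Ranges the automation must never block, whatever the feed says (constructed).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]
NEVER_BLOCK = [ipaddress.ip_network("8.8.8.8/32")]   # constructed allowlist
MIN_PREFIX = {4: 8, 6: 32}   # refuse feeds that try to block half the internet


def parse_feed(text):
    """Return (accepted networks, [(indicator, reason)] rejections) for the audit log."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net in seen:
            rejected.append((line, "duplicate"))
            continue
        seen.add(net)
        if any(net.overlaps(r) for r in INTERNAL):
            rejected.append((line, "internal range"))
            continue
        if any(net.overlaps(a) for a in NEVER_BLOCK):
            rejected.append((line, "allowlisted"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((line, "prefix too broad"))
            continue
        accepted.append(net)
    return accepted, rejected


def render_nft(nets, table="inet filter", set_name="ti_block", max_batch=500):
    """Render 'nft add element' commands (sets assumed to exist with interval flag).
    An unexpectedly large batch is a sign of a broken feed, so it needs a human."""
    if len(nets) > max_batch:
        raise RuntimeError(f"{len(nets)} indicators exceeds batch limit {max_batch}")

    def fmt(n):
        return str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)

    cmds = []
    for version in (4, 6):
        elems = [fmt(n) for n in nets if n.version == version]
        if elems:
            cmds.append(f"nft add element {table} {set_name}_v{version} {{ {', '.join(elems)} }}")
    return cmds
```

Every rejection carries a reason so the change record shows why an indicator was dropped; when you ask a booth rep how their product handles a feed that contains 10.0.0.0/8 or your own DNS resolver, this is the behaviour you are asking about.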

In the Cloud…

Even though you focus on network security, don’t think you can escape the cloud hype monster at RSAC. No chance. All the vendors will be talking about how their fancy 7-layer inspection technology is now available as a virtual machine. Of course unless they are old (like us), they won’t remember that network security appliances happened because granular inspection and policy enforcement in software did not scale. Details, we know. You are allowed to laugh when they position software-based network security as new and innovative.

They also don’t understand that inserting inspection points and bottlenecks in a cloud environment (public, private, or hybrid) breaks the whole cloud computing model. And they won’t be even paying lip service to SDN (Software Defined Networks) for the most part. SDN is currently a bit like voodoo for security people. So we guess avoidance is the best strategy at this point. Sigh, again.

The booth staff will faithfully stick to the talking points marketing gave them about how it’s the same, just in the cloud... Smile politely and then come to our Pragmatic SecDevOps lab session, where we will tell you how to really automate and protect those cloud-based thingies that are popping up everywhere like Tribbles.


Application Security

With so many other shiny and not-so-shiny things (including malware and retailer breaches) to fixate on, application security seems to get overshadowed every year at the RSA Conference. Then again, the hard, boring tasks of fixing applications aren’t much fun to talk about. But as long as the application is the path of least resistance, ignoring the issue will prolong your misery.

Coming Soon to an Application Near You:

DevOps

For several years you have been hearing the wonders of Agile development, and how it has done wondrous things for software development companies. Agile development isn’t a product ‒ it is a process change, a new way for developers to communicate and work together. It’s effective enough to attract almost every firm we speak with away from traditional waterfall development. Now there is another major change on the horizon, called DevOps. Like Agile it is mostly a process change. Unlike Agile it is more operationally focused, relying heavily on tools and automation for success. That means not just your developers will be Agile ‒ your IT and security teams will be, too!

The reason DevOps is important at RSA Conference — and the reason you will hear a lot about it — is that it offers a very clear and positive impact on security. Perhaps for the first time, we can automate many security requirements — embedding them into daily development, QA, and operational tasks we already perform. DevOps typically goes hand in hand with continuous integration and continuous deployment. For software development teams this means code changes go from idea to development to live production in hours rather than months. Sure, users are annoyed the customer portal never works the same way twice, but IT can deliver new code faster than sales and marketing wanted it, which is something of a miracle. Deployment speed makes a leap in the right direction, but the new pipeline provides an even more important foundation for embedding security automation into processes. It’s still early, but you will see the first security tools which have been reworked for DevOps at this year’s RSA conference.

Big 3

1. The apps run in the cloud, but you’re scared to test them in the cloud? Uh, what?
2. Isn’t DevOps just another way to get rid of all the security folks?
3. So containers allow us to port our crappy code to every platform? Awesome!

I Can Hardly Contain Myself

Containers. They’re cool. They’re hot. They... wait, what are they exactly? The new developer buzzword is Docker — the name of both the company and the product — which provides a tidy container for applications and all the associated stuff an application needs to do its job. The beauty of this approach comes from hiding much of the complexity around configuration, supporting libraries, OS support, and the like — all nicely abstracted away from users within a container. In the same way we use abstract concepts like ‘compute’ and ‘storage’ as simple quantities with cloud service providers, a Docker container is an abstract run-anywhere unit of ‘application’. Plug it in wherever you want and run it. Most of the promise of virtualization, without most of the overhead or cost.

Sure, some old-school developers think it’s the same “write once, crash anywhere” concept Java nailed so well 20 years ago, and of course security pros fear containers as the 21st-century Trojan Horse. But containers do offer some security advantages: they wrap accepted versions of software up with secure configuration settings, and narrowly define how to interact with the container — all of which reduces the dreaded application “threat surface”. You are even likely to find a couple of vendors who now deploy a version of their security appliance as a Docker container for virtualized or cloud environments.

All Your Codebase R Belong to Us

As cloud services continue to advance, outsourced security services are getting better, faster, and cheaper than your existing on-premise solution. Last year we saw this at the RSA Conference with anti-malware and security analytics. This year we will see it again with application development. We have already seen general adoption of the cloud for quality assurance testing; now we see services which validate open source bundles, API-driven patching, cloud-based source code scanning, and more dynamic application scanning services. To many the idea of letting anyone outside your company look at your code — much less upload it to a multi-tenant cloud server — is insane. But lower costs have a way of shifting opinions, and the automated, API-driven cloud model fits very well with the direction development teams are pulling.
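To show what the security automation described in the DevOps, container, and open-source-validation passages above looks like when it is wired into a pipeline, here is an added example in Python. It is illustrative code written for this edit, not a Securosis tool or any vendor’s product. It checks a constructed dependency manifest against a constructed allowlist of accepted versions, and lints a constructed Dockerfile for a few container-hardening settings; the allowlist, the rules, and the sample files are all assumptions.

```python
"""Added example: a CI security gate for a DevOps pipeline.

Two checks a pipeline can run on every commit, before a container is built:
  1. Dependency pins in a requirements manifest are compared against an
     allowlist of versions security has accepted ("validate open source bundles").
  2. A Dockerfile is linted for a few settings that weaken the container
     (unpinned base image, secrets in ENV, running as root).
All inputs below are constructed samples; the allowlist and the rules are
illustrative assumptions, not any vendor's policy.
"""
import re

# Constructed allowlist: package -> set of versions security has accepted.
ACCEPTED_VERSIONS = {
    "requests": {"2.5.1", "2.5.3"},
    "flask": {"0.10.1"},
    "pyyaml": {"3.11"},
}

# Constructed sample manifest: one stale pin and one unpinned range.
REQUIREMENTS = """\
requests==2.5.3
flask==0.10.1
pyyaml==3.10
django>=1.7
"""

# Constructed sample Dockerfile with three weak settings.
DOCKERFILE = """\
FROM python:latest
ENV API_TOKEN=sk_live_constructed_sample
RUN pip install -r requirements.txt
USER root
CMD ["python", "app.py"]
"""

_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s#]+)")


def check_requirements(text, accepted=ACCEPTED_VERSIONS):
    """Return findings for pins that are missing, unlisted, or not accepted."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:  # ranges such as ">=" mean the build is not reproducible
            findings.append(f"unpinned dependency: {line}")
            continue
        name, version = m.group(1).lower(), m.group(2)
        if name not in accepted:
            findings.append(f"{name}: not in accepted list")
        elif version not in accepted[name]:
            findings.append(f"{name}=={version}: version not accepted")
    return findings


def check_dockerfile(text):
    """Return findings for a few container-hardening rules."""
    findings = []
    last_user = None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        instr = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if instr == "FROM" and (":" not in arg or arg.endswith(":latest")):
            findings.append(f"base image not pinned: {arg}")
        if instr == "ENV" and re.search(r"(TOKEN|SECRET|PASSWORD|KEY)\s*=", arg, re.I):
            findings.append(f"secret baked into image: {arg.split('=')[0]}")
        if instr == "USER":
            last_user = arg  # the last USER instruction decides the runtime user
    if last_user in (None, "root", "0"):
        findings.append("container runs as root")
    return findings


def security_gate(requirements=REQUIREMENTS, dockerfile=DOCKERFILE):
    """Aggregate findings; the pipeline fails the build if the list is non-empty."""
    return check_requirements(requirements) + check_dockerfile(dockerfile)


if __name__ == "__main__":
    for finding in security_gate():
        print("FAIL:", finding)
```

Run on the constructed inputs, the gate reports five findings: two from the manifest (a version that is not on the accepted list and an unpinned range) and three from the Dockerfile. The point is that the policy lives in code next to the build, so it runs on every change without a human in the loop.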


Endpoint Security

What you’ll see at the RSAC in terms of endpoint security is really more of the same. Advanced attacks blah, mobile devices blah blah, AV vendor hatred blah blah blah. Just a lot of blah... But we are still recovering from the advanced attacker hangover, which made painfully clear that existing approaches to preventing malware just don’t work. So a variety of alternatives have emerged to do it better. Check out our Advanced Endpoint and Server Protection paper to learn more about where the technology is going. None of these innovations has really hit the mainstream yet, so it looks like the status quo will prevail again in 2015. But the year of endpoint security disruption is coming — perhaps 2016 will be it...

Whitelisting Becomes Mission: POSsible

Since last year’s RSAC many retailers have suffered high-profile breaches. But don’t despair — if your favorite retailer hasn’t yet sent you a disclosure notice, it will arrive with your new credit card just as soon as they discover the breach. And why are retailers so easy to pop? Mostly because many Point of Sale (POS) systems use modern operating systems like Embedded Windows XP. These devices are maintained using state-of-the-art configuration and patching infrastructures — except when they aren’t. And they all have modern anti-malware protection, unless they don’t have even ineffective signature-based AV. POS systems have been sitting ducks for years. Quack quack.

Clearly this isn’t an effective way to protect devices that capture credit cards and handle money, which happen to run on circa-1998 operating systems. So retailers and everyone else dealing with kiosks and POS systems have gotten the whitelisting bug, big-time. And this bug doesn’t send customer data to carder exchanges in Eastern Europe.

What should you look for at the RSAC? Basically a rep who isn’t taking an order from some other company.

Big 3

1. It’s sophisticated malware if it evades your defenses…
2. How many third world kids could you feed with your EPP renewal $$$?
3. Open up all the app stores! What could possibly go wrong?

Calling Dr. Quincy…

Last year we highlighted a concept which we call endpoint monitoring. It’s a method for collecting detailed and granular telemetry from endpoints, to facilitate forensic investigation after device compromise. As it turned out, that actually happened — our big research friends who shall not be named have dubbed this function ETDR (Endpoint Threat Detection and Response). And ETDR is pretty shiny nowadays.

As you tour the RSAC floor, pay attention to ease of use. The good news is that some of these ETDR products have been acquired by big companies, so they will have a bunch of demo pods in their huge booths. If you want to check out a startup you might have to wait — you can only fit so much in a 10’ x 10’ booth, and we expect these technologies to garner a lot of interest. And since the RSAC has outlawed booth babes (which we think is awesome), maybe the crowded booths will feature cool and innovative technology rather than spandex and leather.

While you are there you might want to poke around a bit, to figure out when your ETDR vendor will add prevention to their arsenal, so you can finally look at alternatives to EPP. Speaking of which...

Don’t look behind the EPP curtain…

The death of endpoint protection suites has been greatly exaggerated. Which continues to piss us off, to be honest. In what other business can you be largely ineffective, cost too much, and slow down the entire system, and still sell a couple of billion dollars’ worth of product annually? The answer is none, but companies still spend money to comply. If EPP were a horse we would have shot it a long time ago.

So what is going to stop the EPP hegemony? We need something that can protect devices and drive down costs, without killing endpoint performance. It will take a vendor with some cojones. Companies offering innovative solutions tend to be content positioning them as complementary to EPP suites. Then they don’t have to deal with things like signature engines (to keep QSAs who are stuck in 2006 happy) or full disk encryption.

Unfortunately cojones will be in short supply at the 2015 RSAC — even in a heavily male-dominated crowd. But at some point someone will muster up the courage to acknowledge the EPP emperor has been streaking through RSAC for 5 years, and finally offer a compelling package that satisfies compliance requirements.

Can you do us a favor on the show floor? Maybe drop some hints that you would be happy to divert the $500k you plan to spend renewing EPP this year to something that doesn’t suck instead.

Mobility gets citizenship…

As we stated last year, managing mobile devices is quite the commodity now. The technology keeps flying off the shelves, and MDM vendors continue to pay lip service to security. But last year devices were not really integrated into the organization’s controls and defenses. That has started to change. Thanks to a bunch of acquisitions, most MDM technology is now controlled by big IT shops, so we will start to see the first links between managing and protecting mobile devices, and the rest of infrastructure. Leverage is wonderful, especially now that we have such a severe skills gap in security.

Now that mobile devices are full citizens, what does that even mean? It means MDM environments are expected to send alerts to the SIEM and integrate with the service/operations infrastructure. They need to speak the enterprise language and play nice with other enterprise systems.

Even though there have been some high-profile mobile app problems (such as providing access to a hotel chain’s customer database), there still isn’t much focus on assessing apps and ensuring security before apps hit an app store. We don’t get it. You might check out folks assessing mobile apps (mostly for privacy issues, rather than mobile malware) and report back to your developers so they can ignore you. Again.

IoT: Not So Much

It wouldn’t be an RSAC-G if we didn’t do at least a little click baiting. Mostly just to annoy people who are hoping for all sorts of groundbreaking research on protecting the Internet of Things (IoT). At this point there doesn’t seem to be much to protect. But it is another thing to secure, so you will see vendors talking about it. Though it is still a bit early to add IoT to your RSAC buzzword bingo drinking game.

At some point a researcher will do some kind of proof of concept showing how your Roomba is the great great great great grandfather of the T1000. Click-baiting achievement unlocked! With a gratuitous Terminator reference to boot. Win!


Identity and Access Management

One of the biggest trends in security never gets any respect at RSAC. Maybe because identity folks still look at security folks cross-eyed. But this year things will be a bit different. Maybe.

No Respect

Identity is one of the more difficult topics to cover in our annual RSAC Guide, because identity issues and trends don’t grab headlines. Identity and Access Management vendors tend to be light-years ahead of most customers. You may be thinking “Passwords and Active Directory: What else do I need to know?”, which is pretty typical. IAM responsibilities sit in a no man’s land between security, development, and IT... and none of them wants ownership. Most big firms now have a CISO, CIO, and VP of Engineering, but when was the last time you heard of a VP of Identity? A director? We haven’t either. That means customers — and cloud providers, as we will discuss in a bit — are generally unaware of important advances. But those identity systems are used by every employee and customer. Unfortunately, despite ongoing innovation, much of what gets attention is somewhat backwards.

The Cutting Edge — Role-Based Access Control for the Cloud

Roles, roles, and more roles. You will hear a lot about Role-Based Access Controls from the ‘hot’ product vendors in cloud, mobile management, and big data. It’s ironic — these segments may be cutting-edge in most ways, but they are decidedly backwards for IAM. Kerberos, anyone? The new identity products you will hear most about at this year’s RSAC — Azure Active Directory and AWS Access Control Lists — are things most of the IAM segment has been trying to push past for a decade or more. We are afraid to joke about it, because an “identity wizard” to help you create ACLs “in the cloud” could become a real thing. Despite RBAC being outdated, it keeps popping up unwanted, like that annoying paper clip, because customers are comfortable with it and even look for those types of solutions. Attribute Based Access Controls, Policy Based Access Controls, real-time dynamic authorization, and fully cloud-based IDaaS are all impressive advances, available today. Heck, even Jennifer Lawrence knows why these technologies are important — her iCloud account was apparently hacked because there was no brute-force replay checker to protect her. Regardless, these vendors sit unloved, on the outskirts of the convention center floor.

Standard Bearer

We hear it all the time from identity vendors: “Standards-based identity instills confidence in customers”, but the vendors cannot seem to agree on a standard. OpenID vs. SAML vs. OAuth, oh my! Customers do indeed want standards-based identity, but they fall asleep when the debate starts. There are dozens of identity standards in the CSA Guidance, but which is right for you? They all suffer from the same issue: they are filled with too many options. So interoperability is a nightmare, especially for SAML. Getting any two SAML implementations to talk to each other demands engineering time from both product teams. IAM in general, and specifically SAML, beautifully illustrate Tanenbaum’s quote: “The nice thing about standards is that you have so many to choose from.” Most customers we speak with don’t really care which standard is adopted — they just want the industry to pick one and be done with it. Until then they will focus on something more productive, like firewall rules and password resets. They are waiting for it to be over so they can push a button to interoperate — you do have an EZ button, right?

Good Dog, Have a Biscuit

We don’t like to admit it, but in terms of mobile payments and mobile identity the US is a laggard. Many countries we consider ‘backwards’ were using mobile payments as their principal means to move money long before Apple Pay was announced. But these solutions tend to be carrier-specific; US adoption was slowed by turf wars between banks, carriers, and mobile device vendors. Secure elements or HCE? Generic wallets or carrier payment infrastructure? Tokens or credit cards? Who owns the encryption keys? Do we need biometrics, and if so which are acceptable? Each player has a security vision which depends on and/or only supports their business model. Other than a shared desire to discontinue the practice of sending credit card numbers to merchants over SSL, there has been little agreement.

For several years now the FIDO Alliance has been working on an open and interoperable set of standards to promote mobile security. Their standard does not just establish a level playing field for identity and security vendors — it defines a user experience to make mobile identity and payments easier. So it is becoming a thing. It enables vendors to hook into the framework and provide their solution as part of the ecosystem. You will notice a huge number of vendors on the show floor touting support for the FIDO standard. Many demos will look pretty similar because they all follow the same privacy, security, and ease of use standards, but all oars are finally pulling in the same direction.


Security Management

Last year big data was all the rage at the RSAC in terms of security monitoring and management. So the big theme this year will be... (drum roll, please)... big data. Yes, it’s more of the same, though we will see security big data called a bunch of different things — including insider threat detection, security analytics, situational awareness, and probably two or three more where we have no idea what they even mean.

But they all have one thing in common: math. Remember those differential equations you hated in high school and college? Be glad that helpful freshman in AP Calculus actually liked math. Those are the folks who will save your bacon, because their algorithms are helping detect attackers and attacks.

Detecting the Insider

It feels a bit like we jumped into a time machine and ended up back in 1998. Or 2004. Or 2008. You remember — that year when everyone was talking about insiders and how they were robbing your organization blind. We still haven’t solved the problem, because it’s hard. So every 4-5 years vendors get tired of using black-masked external-attacker icons in their corporate PowerPoint decks, and start talking about catching insiders instead.

This year will be no different — you will hear a bunch of noise at RSAC about the insider threat. The difference this year is that the math folks I mentioned earlier have put their algorithms to work finding anomalous behaviors inside your network, and profiling what insiders typically do while they are robbing you blind. You might even be able to catch them before Brian Krebs calls to tell you all about your breach.

These technologies and companies are pretty young, so you will see them on the outside rings of the conference hall and in the RSAC Innovation Sandbox, but they are multiplying like [name your favorite pandemic]. It won’t be long before the big SIEM players and other security management folks (yes, vulnerability management vendors, we’re looking at you) start talking about users and insiders to stay relevant. Don’t you just love the game?

Security Analytics: Bring Your PhD

The other epiphany many larger organizations had over the past few years is that they already have a crap-ton of security data. You can thank PCI-DSS for making them collect and aggregate all sorts of logs over the past few years. Then the forensics guys wanted packets, so you started capturing those too. Then you had the bright idea to put everything into a common data model.

Then what? Your security management strategy probably looked something like this:

1. Collect data.
2. Put all data in one place.
3. ???
4. Detect attacks.

This year a bunch of vendors will be explaining how they can help with step 3, using their analytical engines to answer questions you didn’t even know to ask. They’ll use all sorts of buzzwords like ElasticSearch and Cassandra, talk about how cool their Hadoop is, lovingly describe the data scientists thinking big thoughts about how to solve the security problem, and explain how their magic platform will do just that.

Try not to laugh too hard at the salesperson. Then find an SE and have them walk you through setup and tuning of their analytics platform. Yes, it needs to be tuned regardless of what the salesperson tells you. How do you start? What data do you need? How do you refine queries? How do you validate a potential attack? Where can you send data for more detailed forensic analysis? If the SE has on dancing shoes, the product probably isn’t ready yet — unless you have your own group of PhDs you can bring to the table. Make sure the analytics tool actually saves time, rather than just creating more detailed alerts you don’t have time to handle.

We’re not saying PhDs aren’t cool — we think it’s great that math folks are rising in prominence. But understand that when your SOC analyst wants you to call them a “Data Scientist” it’s so they can get a 50% raise for joining another big company.
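As an added illustration of what “step 3” above and the insider-profiling passage before it amount to in practice, the following Python builds a per-user behavioral baseline from a window of access log lines and scores later events against it. This is example code written for this edit, not a Securosis tool or any vendor’s analytics platform; the log format, field names, business-hours window, z-score threshold, and every log line are constructed assumptions.

```python
"""Added example: step 3 of "collect, centralize, ???, detect".

Builds a per-user baseline (hosts seen, hours seen, volume mean/stdev) from a
window of constructed access log lines, then scores later events against it.
Log format, field names and thresholds are assumptions for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed training-window log lines: timestamp user host action record_count
BASELINE_LOGS = """\
2015-04-06T09:12:00 alice db-crm-01 query 120
2015-04-06T14:40:00 alice db-crm-01 query 95
2015-04-07T10:05:00 alice db-crm-02 query 130
2015-04-07T16:30:00 alice db-crm-01 query 110
2015-04-08T09:50:00 alice db-crm-02 query 100
2015-04-06T08:30:00 bob fs-eng-01 read 20
2015-04-07T09:15:00 bob fs-eng-01 read 25
2015-04-08T13:00:00 bob fs-eng-02 read 18
"""

# Constructed new events: one routine, one bulk off-hours pull from a new host,
# one routine, and one from a user with no history at all.
NEW_LOGS = """\
2015-04-09T10:20:00 alice db-crm-01 query 115
2015-04-10T02:15:00 alice db-crm-03 query 48000
2015-04-09T11:00:00 bob fs-eng-01 read 22
2015-04-09T11:05:00 carol fs-eng-01 read 40
"""


def parse(text):
    """Split the constructed whitespace-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, host, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "count": int(count)})
    return events


def build_baseline(events):
    """Per user: hosts seen, hours seen, and record-volume mean/stdev."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        counts = [e["count"] for e in evs]
        baseline[user] = {
            "hosts": {e["host"] for e in evs},
            "hours": {e["ts"].hour for e in evs},
            "mean": statistics.mean(counts),
            # a perfectly flat history gives stdev 0; floor it so z is defined
            "stdev": statistics.pstdev(counts) or 1.0,
        }
    return baseline


def score(event, baseline, z_threshold=3.0):
    """Return the reasons an event deviates from its user's baseline (empty = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new host " + event["host"])
    # relative to the user's own hours, so a night-shift user is not flagged nightly
    hour = event["ts"].hour
    if hour not in profile["hours"] and not 8 <= hour < 18:
        reasons.append("off-hours activity at %02d:00" % hour)
    z = (event["count"] - profile["mean"]) / profile["stdev"]
    if z > z_threshold:
        reasons.append("volume z=%.1f" % z)
    return reasons


def detect(baseline_text=BASELINE_LOGS, new_text=NEW_LOGS):
    """Return {user: reasons} for every event that tripped at least one check."""
    baseline = build_baseline(parse(baseline_text))
    alerts = {}
    for e in parse(new_text):
        reasons = score(e, baseline)
        if reasons:
            alerts.setdefault(e["user"], []).extend(reasons)
    return alerts


if __name__ == "__main__":
    for user, reasons in detect().items():
        print(user, "->", "; ".join(reasons))
```

On the constructed data only alice’s 02:15 pull of 48,000 records from a host she has never touched, and carol, who has no history to compare against, produce alerts; bob’s routine read does not. The tuning questions in the paragraph above map directly onto this code: the training window, the z threshold, and what to do with users who have no baseline are exactly the knobs an SE should be able to explain.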

Forensication

We have finally reached the point as an industry where practitioners don’t actually believe they can stop all attacks any more. We knew that story was less real than the tooth fairy, but way too many folks actually believed it. Now that ruse is done, so we can focus on coping with the fact that at some point soon you will be investigating an incident. You will have forensics professionals onsite, trying to figure out what actually happened.

The forensicators will ask to see your data. It’s good you have a crap-ton of security data, right? But you will increasingly be equipping your internal team for the first few steps of the investigation. So you will see a lot of forensics tools at the RSAC, and forensics companies repositioning as security shops. They will show their forensics hooks within your endpoint security products and network security controls. Almost every vendor will have something to say about forensics. It’s so shiny!

Even better, most vendors are fielding their own incident response service. It is a popular belief that if a company can respond to an incident, they are well positioned to sell product at the back-end of the remediation/recovery. Of course that creates a bull market for folks with forensics skills. These folks can jump from company to company, driving up compensation quickly. They are on the road 5 days a week anyway, if not more, so why would they care which company is on their business cards?

This wave of focus on forensics, and the resulting innovation, has been a long time coming. The tools are still pretty raw and cater to overly sophisticated customers, but we see progress. This progress is absolutely essential — there aren’t enough skilled forensics folks, so you need tools and automation to make your less skilled folks more effective. Which is a theme throughout the RSAC-G this year.

SECaaS or SUKRaaS

The other downside to an overheated security environment is that because end-user organizations can’t find skilled staff, they need to supplement with managed services. Of course that assumes your managed services provider will have better luck finding people than you do. Again, it’s just math. There aren’t enough folks who know enough about security. Just because the company is a managed service provider doesn’t mean they have a secret fountain of security professionals. Nor is a higher being dropping those folks in some field like manna.

So make sure you aren’t buying a Sucker as a Service (SUKRaaS) offering, by contracting a multi-year deal with an organization that has a huge SOC but not enough folks to keep it staffed. Texans would call that “All SOC, no cattle.” Of course there is leverage to be found in the business, and a managed service provider will be able to scale a bit better than an enterprise. But they still have a lot of the same problems as their enterprise clients.

This is where the diligence part of the process comes in. Before you sign that 3-year deal, make sure your SECaaS (Security as a Service) partner actually has the folks. Dig into their HR and staffing plans. Understand how they train new analysts. Get a feel for turnover in their SOC, and what kinds of tools they are investing in to gain leverage in operations.

And be happy when they start talking about all the data scientists they hired and the wonderful security analytics platform they implemented over the past year. Math strikes again!


Check Out Our Research

Have you visited our Research page? You should — we write a crap load of stuff. You can find it at https://securosis.com/research/research-reports. The rest of the research library is pretty busted (and being overhauled), but in the meantime this list is current. And awesome.

Recently Published Papers

• The Future of Security
• Endpoint Defense: Essential Practices
• Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
• Security and Privacy on the Encrypted Network
• Monitoring the Hybrid Cloud
• Best Practices for AWS Security
• Securing Enterprise Applications
• Secure Agile Development
• Trends in Data Centric Security
• Leveraging Threat Intelligence in Incident Response/Management

Firestarter Video Blog

• March 31 — Using RSA
• March 16 — Cyber Cash Cow
• March 2 — Cyber vs. Terror (yeah, we went there)
• February 16 — Cyber!!!
• February 9 — It’s Not My Fault!
• January 26 — 2015 Trends
• January 15 — Toddler
• December 18 — Predicting the Past
• November 25 — Numbness
• October 27 — It’s All in the Cloud
• October 6 — Hulk Bash
• September 16 — Apple Pay
• August 18 — You Can’t Handle the Gartner
• July 22 — Hacker Summer Camp


See Securosis Speak

We keep busy at RSAC each year. But we do a number of speaking sessions and make other appearances throughout the week. Here is where you can find us:

Disaster Recovery Breakfast

• Everyone! It’s pretty hard to get on our schedules at the conference, so the best place to see us will be the DRB. (Thursday 8-11am, Jillian’s at the Metreon). With our partners MSLGROUP, Kulesa Faul, and LEWIS PR: https://securosis.com/blog/2015-recoverybreakfast.

Speaking Sessions

• Rich, Mike, and Adrian: LAB-W03 — Pragmatic SecDevOps [LEARNING LAB] (Wednesday 10:20-12:20, Room 3009)
• Rich (with Chris Hoff): CSV-T07R — Something Awesome on Cloud and Containers (Tuesday 1:10-2:00, Room 2014; Tuesday 3:30-4:20, Room 2020)
• Mike and JJ: P2P-R04B — Mindfulness: Leadership from Within (Thursday 11:30-12:20, Room 3002)
• Mort (with Josh Corman): ASD-T07R — Continuous Security: 5 Ways DevOps Improves Security (Tuesday 1:10-2:00, Room 3004; Tuesday 4:40-5:30, Room 2020)
• Mort (with Alex Hutton): DSP-T09 — Cookin’ Up Metrics with Alex and David: A Recipe for Success (Tuesday 3:30-4:20, Room 3006)
• Mort: ECO-R02 — We Have Met the Future of Security and It Is Us (Thursday 9:10-10:00, Room 3008) — panel with Jack Daniels, Katie Moussouris, and Trey Ford
• Mort: CXO-R04 — When Will Infosec Grow Up? (Thursday 11:30-12:20, Room 3005) — panel with John Johnson, Alex Hutton, and Jack Jones

Other Events

• AGC: Monday Mike and Mort will participate in the AGC West Coast Investor Conference.
• Mike will be moderating “Next Generation Security Leadership” at 9:30 with folks from RSA, Cisco, FireEye, Palo Alto Networks, and Symantec.
• Mike is also moderating “Threat Intelligence and the Security Ecosystem” at 11:30 with folks from Bit9 + Carbon Black, Check Point, Fidelis, iSIGHT Partners, and Resilient Systems.
• Mort will be on the “Cloudy with a chance of security” and “Security through abstraction” panels.
• DevOps Days: Also Monday, Rich and Mort will give talks at the DevOps Connect: DevOpsSec event.


Dining and Beverage Guide

Over the years we have received many requests for favorite places to grab a bite or a drink. After all these years we hate to admit how much time we’ve spent grubbing for food around the Moscone Center, especially because this isn’t the only event we attend there. Here are our recommendations with tips from friends on Twitter.

Best breakfast that’s a little out of the way: Mo’z Cafe

Best convenient breakfast everyone knows about but might be slow: Mel’s Cafe

Best coffee/breakfast/lunch place for quick meetings: The Grove

Best place to have a drunk marketing/PR person buy you a free drink: Lobby bar at W hotel

Close food courts with decent food for lunch: Westfield Center, Metreon

Best Drinks: Bourbon and Branch

The place to get the scoop on all the RSAC Parties: @RSA Parties on Twitter

The best place to see people you probably don’t want to see: W Hotel Bar (after midnight)

Best place to get a good beer even if there’s a party upstairs: Thirsty Bear

Best Indian: Amber

Best spicy noodle place: Henry’s Hunan

Mike’s personal recommendation: Mitchell Brothers O’Farrell Theater (shhh! You didn’t hear it from Mike.)

Click Here. Really.

We even put together some nice maps. Click on the names of these establishments to pull up a map, description, and ratings in your web browser.

It’s even mobile friendly!

(Not that the rest of this document is).

Photo by Road Fun — http://flic.kr/p/4DX684


It’s All Good

We know we’re damn lucky to do what we do. We aren’t a billion-dollar company with thousands of employees; we’re just three partners with a few friends helping out when they can, all trying to bring a little value to the security world. We get to write the research we want, give most of it away for free, and participate in the security community without worrying about corporate overlords watching over our shoulders. For that we thank you.

Adrian, Mike, and Rich

RSA Conference Guide 2015

About Us

Securosis, LLC
515 E. Carefree Highway
Suite 766
Phoenix, AZ 85085

Securosis, LLC is an independent research and analysis firm dedicated to thought leadership, objectivity, and transparency. Our analysts have all held executive level positions and are dedicated to providing high-value, pragmatic advisory services.

• Primary research: We currently release the vast majority of our research for free through our blog, and archive it in our Research Library. Most of these research documents can be licensed for distribution on an annual basis. All published materials and presentations meet our strict objectivity requirements and follow our Totally Transparent Research policy.

• Strategic advisory services for end users: Securosis provides advisory for end user organizations, including product selection assistance, technology and architecture strategy, education, security management evaluation, and risk assessment.

• Retainer services for vendors: Although we will accept briefings from anyone, some vendors opt for a tighter, ongoing relationship. Example services include market and product analysis and strategy, technology guidance, product evaluations, and merger and acquisition assessment. Even with retainer clients we maintain our strict objectivity and confidentiality requirements. More information on our retainer services (PDF) is available.

• External speaking and editorial: Securosis analysts frequently speak at industry events, give online presentations, and write and speak for a variety of publications and media.

• Other expert services: Securosis analysts are available for other services as well, including Strategic Advisory Days, Strategy Consulting engagements, and Investor Services. These services tend to be customized to meet a client’s specific requirements. More information on our expert services (PDF) is available.