What my trip to RSA taught me

After 4 days of following many different tracks, attending keynotes and talking with peers all over the world. I only have one conclusion: Security will never get boring.

I’ll give you some insights about my trip to San Francisco. The attack surface is expanding and with that vulnerabilities are increasing almost exponentially. Of course we will need new technologies to deal with that, but also a different mindset.

Let me break this up in 3 parts:

  • Reducing attack surface
  • Why identity is king and why there is no way around it
  • How AI will impact all of us, in a good and a bad way

Reducing attack surface

Reducing attack surface starts with security by design, but more on that later. Today we are still very focused on perimeter security, which is important since broken control access is one of the most used attack vector. But we need to expand our focus, we did it the last decade with the move from traditional AV to NG EDR. The biggest attack surface was not behind the perimeter anymore (clients, servers and workloads), our data has also moved away from the perimeter. We have massively adapted Office 365 and many other data and collaboration tools, yet we don’t adopt SaaS security as we did EDR.

Everyone knows that Log4j had a huge impact on many organizations, it was a widespread exploit that was easy to use for attackers to launch malicious code.  But the real eye opener was that a lot of companies couldn’t answer the question: ‘Where are you running the vulnerable software?’  The average applications use more than 90 open source dependencies, so it is critical to know what your applications are depend on.  This is why SBOM or software bill of material is coming in hot, a total overview of all used applications, dependencies etc.  In an ideal world you would be able to launch a single query to see your exposure for the next Log4j. Since Supply chain attacks are also on the rise, it is a good idea you have that ability to react fast.

Developers need to do security by design from the start. And they are doing it, CNAPP vendors are on the rise and growing exponentially. Security in development phase, check code and dependencies, security in deployment phase, cloud security posture management. These are just parts of an integrated set that Cloud-native application protection platforms should offer. In our region we are still in an early phase, but it is coming and faster than you would expect.

Identity is king

It was during the keynote from Crowdstrike when they said that there is no malware involved in 70% of the Incident response cases they handled. Attackers focus on social engineering and credential theft, they even bypass traditional MFA. Another mind blowing statistic is that in almost half of all data breaches are from a SaaS environment hack (Cost of a Data Breach 2022 Report by IBM). These trends show that we also need to step up our game.  And not only in the IT space, the OT space is also getting more vulnerable with large scale attacks.

ITDR is something we already discussed in our Xplained Identity security session, but it is quite clear that an Identity Security Platform isn’t a nice to have, but a need to have. The identity life cycle needs to be monitored, this starts from the moment an account is created. Stolen credentials (14% initial attack vector , Mandiant report 2023) or reused credentials, identity attacks are on the rise. Attackers try to avoid using malware, they are able to bypass traditional MFA. Imagine the impact on your organization if an attacker has full access on a users Okta account.

“Safeguarding the Future: AI Unleashed in Cybersecurity’s Frontline”

The title was written with ChatGPT, Generative AI is great for brainstorming or very narrowed tasks. AI will not take over the world (yet), but will have a large impact in Cybersecurity.  First the ugly part, AI will be used to spear phish targets in more than 90 languages and with great knowledge. (See example below where they bypass ChatGPT to write a phishing mail). At this point this is the biggest danger from a security standpoint. The AI malware code is not that disruptive, there will be more re-using of code with obfuscation though.

Now the good part, more and more security vendors are implementing AI to do the ground work. I’ve seen a demo of SentinelOne Purple AI who will help you threat hunt by writing queries based on your question. E.g. we have evidence of emotet malware. AI will write those advanced queries for you and you’ll get results what your next steps should be. This will help the security team’s workload. I see L1 analyst disappearing very soon , even L2 will be enhanced and maybe replaced at a certain point in time.

So to wrap up

  • Breaches are evolving to cloud environments
  • Identity protection is key to stop and detect today’s attacks
  • Visibility in software and dependencies will become more important (Also from compliance standpoint)
  • AI will have an impact, but don’t fear, the end is not near.

I’ll end with this quote I’ve heard: “You can outsource security , but not the responsibility”

Ps. If you have 20 minutes to spare, listen to my favorite keynote from Kevin Mandia of Mandiant (Google Cloud Security)