The Corvil team and I really enjoyed this year’s RSA conference, where we had the pleasure of spending three jam-packed days meeting clients, partners and analysts. We also made sure to attend a select set of breakout sessions, especially those in which practitioners shared real-world experiences and best practices, and those focused on the emerging macro trends and challenges that we can do our part in helping our clients get out ahead of.
As you’d expect, the likes of Cloud, IoT, Ransomware, AI and Machine Learning all got prominent coverage but as the dust settles on the 2017 conference, here are my key insights and takeaways on what is driving and shaping the agenda of CISOs and their Security Operations teams in the coming months (not surprisingly, you may notice these takeaways are quite interrelated):
The more of a security analyst's end-to-end workflow that can be automated, the better. It's not a new goal, but at the conference this year it was clear that this is now seen as a mandatory, high-priority, industry-wide goal, since it frees up invaluable staff cycles for critical and more complex tasks such as design, planning and forensic analysis. For any solution to be an asset to a Security Operations team these days, it needs to integrate seamlessly with the team's technology architecture and workflows, and ultimately it has to deliver a significant improvement in how effective their staff are, measured in terms of mean time to detect and mean time to respond.
Attackers are innovating and collaborating more than ever before. To stay ahead of them, and to be in the most resilient position possible for when attackers do manage to gain a foothold within a target’s network, faster and more effective collaboration and intelligence sharing within our community is increasingly critical. At the conference we heard from the leaders of the world’s biggest banks on their recent, promising proof points of progress on this front in relation to intel sharing and FSARC, which I’ve covered previously.
Regulations such as New York’s DFS cyber security regulation and the EU’s GDPR are looming closer. On the whole they are a positive thing and will ensure a more consistent approach to how controls are implemented and operationalised, how customer data is diligently managed and how breaches are reported in a timely manner. They are also going to have a very real impact on security budgets and planning over the coming 12 to 24 months. I encourage everyone to take at least a few minutes to get familiar with them, as you may be surprised by how many organisations they will affect, and by the extent of that impact.
It was very clear to anyone who attended the conference that there have never been so many vendors in the security space! In fact, at a breakfast briefing with an analyst firm, we heard that there are now over 1500 security vendors and an average of 9 new startups appearing each month! This is alarming: sure, organisations need to be enabled with innovative new approaches to tackling attackers, no question there, but more than that, they need to get organised and structured in how they conduct their operations. For this reason, there is increased focus on empowering level 1 and level 2 analysts with entity-centric analytics and simplified visualisations, workflows and automation, so they can step up their level of contribution. Not surprisingly, it is also becoming more common for organisations to standardise more aggressively on platforms (rather than point products) and to rationalise down the number of distinct vendors and technologies they work with.
Inevitably, as the conference debated our increasingly connected world, powered by machine-to-machine transactions and communication of exploding volume and rate, an emerging viewpoint was that the industry's definition of ‘real-time’ will have to change. Finding and triaging a breach weeks, days, hours or even minutes after the horse has bolted will be too late. Attackers increasingly leverage machines to carry out their automated attack tasks, so as a community we need to start thinking about how our networks can be optimally safeguarded in this new machine-time era.
The good news is that each of these resonates strongly with us here at Corvil, and in fact we’ve been working hard for some time on building a solution to help address them. We’re committed to playing our role in helping our clients and the community as they tackle each of them, through 2017 and beyond.
Our Security Analytics solution is all about empowering Security Operations teams to raise the bar in how effectively they detect and respond to security incidents in the modern era, by integrating Corvil’s machine-time wire data analytics with their broader security ecosystem, their workflows (see our endpoint integration as an example) and intel sharing communities such as FS-ISAC (of which Corvil is an affiliate), while also enabling their organisation to rationalise and standardise on a single source of network-derived visibility and intelligence (the same one that just received a top score in Gartner’s NPMD critical capabilities report).