RSA Conference 2020 took place in San Francisco at the end of February. This is the first event that analysts have attended as Omdia, the newly launched research brand of Informa Tech, combining market-leading analyst houses Ovum, IHS Markit TMT research, Tractica, and Heavy Reading.
For those unfamiliar with the RSA Conference (frequently referred to as RSAC), it is an event focused specifically on cybersecurity that brings together more than 40,000 people from across the industry, including practitioners, leaders, vendors, and service providers. The five Omdia analysts in attendance have provided analysis of the event's key trends for consideration.
RSA Conference 2020 trends
Omdia has identified seven distinct trends:
- Improved understanding of the human element
- Easing the burden on SecOps
- Driving continuous authentication
- Cloud security becomes well recognized
- Plenty of options for managed detection and response
- Broadening recognition of the value of cybersecurity
- The mobile threat finally arrives
Trend 1: Improved understanding of the human element
Enterprise cybersecurity practitioners, technologies, and processes have long attempted to convince the so-called “average user” to conform (to keep themselves and their organizations secure, users must be the ones to change). However, no matter how many times users are trained not to click on links or write passwords on sticky notes, these same behaviors, driven in large part by convenience and desire to do their jobs quickly and efficiently, continue to threaten their own information security and the companies for which they work.
It is no coincidence that “The Human Element” was the theme of RSA Conference 2020. Vendors have begun to understand that successful enterprise cybersecurity requires creating solutions that better conform to the way users work and live. As Cisco’s Wendy Nather said in her RSA Conference 2020 keynote, this also means embracing cybersecurity collaboration with end users, and accepting the reality that user-driven security will ultimately be more effective.
Trend 2: Easing the burden on SecOps
Because of the investments that enterprises and security providers make in security operations, it should be no surprise that easing the burden on this function was the subject of a range of trends at the conference.
Even a brief look at the average enterprise security operations center clearly illustrates why a strong cybersecurity posture is so elusive. An understaffed team is usually tasked with a plethora of siloed security tools, all of which provide more alerts than the team can ever review. In addition, finding the ones that represent legitimate indicators of compromise is like finding a needle in a haystack. As RSA Security president Rohit Ghai said in his RSA Conference 2020 opening keynote, sitting a cybersecurity pro at a desk with half a dozen monitors and dozens of tools is not the answer.
Products intended to orchestrate and automate security processes often overlook the training and security architecture integration that organizations need, and “platform plays” offering integrated single-vendor best-of-breed architectures often fall far short of expectations. Fortunately, at RSA Conference 2020 vendors began to take a new approach that emphasizes ease of integration, ease of use, and ultimately an easier path to successful enterprise security operations. Omdia identifies two sub-trends here: security tool/vendor aggregation and integration, and automation, prioritization, and contextualization.
Security tool/vendor aggregation and integration
Omdia has mentioned it before, but it is now on the agenda for all major security vendors and managed security services providers (MSSPs) to reduce the number of vendors and make sure that the remaining tools are integrated, enabling customers and partners to use different security services with fewer platforms and interfaces. Cloud security providers, cloud providers, and all the major security vendors have made progress in reducing and prioritizing their services and integrating them so that customers can work with fewer interfaces. Some are further along than others, but they are all heading in this general direction.
Automation, prioritization, and contextualization
A discussion point for years, the crescendo around automation will soon become a scream, as customers struggle with too much alert noise, too many attacks, too much data, and too few people to address it all. The answer is to automate at least the most obvious and mundane of security tasks, freeing up scarce human resources to concentrate on the most complex threats and, with the help of technology, enabling low-level security analysts to punch above their weight.
Linked to automation, prioritization is not new, but now the requirement for it is gaining momentum because threats continue to mushroom, alerts burgeon, and overworked and shorthanded security teams complain of alert fatigue setting in. Vendors are coming up with ways to prioritize the alerts, telling customers what needs urgent attention and, in many cases, suggesting remedial action. The next step will be automated remediation.
Contextualization of alerts is essential to aid prioritization. In recent years, there has been a slow evolution away from the need to ensure all cybersecurity incident-related data is effectively captured and logged, and instead toward the establishment of greater contextual intelligence behind the security events themselves. As a result, there is a growing trend toward the effective provision of comprehensive threat prioritization, needed to ensure that attention is focused on true security issues and not countless false positives.
Trend 3: Driving continuous authentication
Many of the largest breaches in recent years have taken place as a result of poor authentication practices, including the continued reliance on (or refusal to change) default credentials, as well as the repeated use of previously compromised credentials across multiple services. Poor privilege management has also resulted in compromised low-level accounts being used by individuals to access information well beyond the scope of their required duties. This is an abandonment of the “principle of least privilege” in favor of convenience. Organizations are recognizing the value in establishing proper privilege management, as well as the need to transition from single-checkpoint authentication to continuous authentication of a user’s session in order to further limit the mobility of any potentially hijacked account.
Trend 4: Cloud security becomes well recognized
As more workloads are moved to public and hybrid cloud environments, cloud security is becoming increasingly well recognized. CISOs have long recognized the need for appropriate security in the cloud, because most businesses have begun to use a mix of cloud and SaaS-based systems and deploy these capabilities across the enterprise. Correspondingly, after years of focus on network and endpoint security, customers now see the urgency of having security for their heavy use of cloud services.
Public cloud providers including Google, Microsoft, and AWS have made major investments and created security applications to help customers retain data, analyze it, and respond to security threats. Major security players such as McAfee, Trend Micro, Cisco, and Palo Alto Networks have invested significantly in cloud security. Their booths at the conference were covered with messaging about cloud security, and they are all starting to see real security revenue. Startups are focusing on new cloud security problems, such as securing code in the DevSecOps process or providing security for serverless environments.
Interestingly, Omdia sees more customers and MSSPs beginning to use cloud providers to enable their managed security services. Cloud providers are becoming part of the security ecosystem in many ways and with many different customers and providers. At the conference Omdia met with many providers now considering use of cloud services as part of their infrastructure.
Trend 5: Plenty of options for managed detection and response
Managed detection and response (MDR) has become a mainstream service, particularly in North America, with many standalone providers as well as MSSPs (every major security vendor and MSSP now has some version of an MDR service). However, the definitions still vary greatly, and Omdia sees many endpoint detection and response (EDR) and network detection and response (NDR) providers “pretending” to be MDR providers. Customers need to ask direct questions to flush out what the MDR service actually includes and whether it covers network, cloud, and endpoint resources. The market needs clarity about what “managed” and “response” really mean in the context of MDR, because there is a vast difference in the actual capabilities of many MDR solutions.
Trend 6: Broadening recognition of the value of cybersecurity
Historically, a comprehensive cybersecurity posture has been viewed as a luxury that only a select few have had the privilege of enjoying. This often coincided with a naive belief that only organizations large enough to afford the technology to support such a posture were frequent targets. This misconception has slowly been recognized for what it is, as small and midsize businesses have also become frequent victims of malicious actors. The consequences of being compromised can be financially crippling for entities of all sizes. This has resulted in organizations recognizing that cybersecurity posture is no longer a luxury, but an essential investment in long-term business resilience.
Trend 7: The mobile threat finally arrives
Last, but by no means least, comes the mobile threat. Mobile devices for work have been around for many years, and rising attacks against mobile devices have been predicted for probably as many years, but the increases largely have not materialized. However, as enterprises become more sophisticated in safeguarding the enterprise perimeter, adversaries are turning to mobile device attacks as a new avenue of entry. Be it SMS phishing (“smishing”) attacks that seek to gain credentials, or malicious mobile apps that exploit connected enterprise systems to enable lateral movement, enterprises must finally turn their attention to mobile threats. In turn, enterprise cybersecurity vendors that can offer holistic endpoint security across both traditional and mobile endpoints (UEM solutions) are likely to see a growing opportunity in the marketplace. Having mobile security is now part of the comprehensive security estate and is no longer separate.
Where should enterprises focus?
All seven trends are relevant for enterprises. However, organizational attitude to cybersecurity (the extent to which cybersecurity is a board-level issue) will dictate priorities. For smaller organizations that have traditionally relied on a range of disparate technology products to cover the bases as best as they can, improved understanding of the human element (Trend 1) and broadening recognition of the value of cybersecurity (Trend 6) are probably the most pressing priorities. However, for larger organizations with reasonably well-established information security functions, easing the burden on SecOps (Trend 2), addressing cloud security (Trend 4), and dealing with the mobile threat (Trend 7) are likely to be the areas of biggest focus.
Where should vendors and service providers focus?
The Expo floor at RSA was crowded and noisy, a sign of a healthy market featuring many innovative products and a multitude of interested buyers. However, cybersecurity technology is a complex market with thousands of vendors, hundreds of product and service types, and infinite solutions options, so how can vendors and service providers rise above the noise?
- Provide a solution that takes buyers from today’s world of siloed appliance-based deployments to tomorrow’s highly interconnected, flexible virtual deployments with a focus on integrating visibility, control, and automation across hosts, networks, and the cloud.
- Demonstrate massive improvements in detecting and mitigating even the most advanced threats. This remains an area where many popular products underperform customer expectations.
- Shorten the window to discovery/resolution once a customer has been breached, in part by delivering orchestration and automation solutions and making the remediation process much simpler. Use the same solutions to alleviate buyer worries about the lack of skilled IT security professionals they have access to.
- Deliver security solutions that don’t hamper performance or connectivity (security solutions that are visible roadblocks will be circumvented). This was true in private wired networks, and it will be true in a 5G and cloud-enabled world. This is the human element.
- Don’t attempt to dictate IT or network architecture. Deliver solutions that have common visibility, policy, enforcement, and analysis, regardless of the form-factor or deployment location. Buyers need to move flexibly from on-premises to private and public clouds and back, and while it might often be ill-advised, they might want to drag any and all security technologies they currently use along for the ride.