
RSAC 2019 Roundup: NIST Gets Structural as the NSA Goes Open Source

The booths are gone, the lights are off, and the conference halls are empty. It’s a wrap for RSAC 2019, but IT pros aren’t going home empty-handed: Here’s a roundup of this year’s key topics, critical outcomes, and biggest surprises.

No “I” in Team

This year’s RSA Conference opted for a simple, one-word theme: Better.

While it’s certainly aspirational, what does it mean in practice? For RSA, it’s a recognition that security doesn’t happen in a vacuum and that infosec pros must work together to find better solutions, make better connections, and make the world a better place. Given the often fragmented nature of corporate IT security, RSA’s focus on empowering the “collective we” in cybersecurity makes sense: Evolving, adaptable threats won’t be defeated by companies operating in isolation.

So, what’s on deck for infosec this year? Let’s dig in.

Biometrics Goes Big

Regarding new technology, biometrics made significant inroads at RSAC 2019. As noted by Brian Madden, multiple vendors featured new biometric solutions designed to lower risk and — potentially — hasten the end of traditional password security.

From fingerprints to face recognition and even keystroke and mouse-click recognition, leveraging inherent biological traits offers companies a real opportunity to improve application and network security. By tying biometrics to mobile devices rather than to traditional desktops, organizations can add a new protection layer without expensive hardware purchases.

NIST Teases New Framework

Risk management is critical for companies to implement new IT services effectively and evaluate the potential impact of malicious attacks. According to one RSAC 2019 main-track session, humans are “awesome at risk management.” Despite occasionally poor choices from individuals, as a species, we’re excellent at avoiding obvious risks and doing what it takes to survive.

Regarding infosec, however, this natural risk avoidance often seems lacking — apps are released without effective security controls or deployed with known vulnerabilities in their open-source components. Employees often ignore the risks associated with social media apps and document-sharing tools, even as C-suite executives chafe at the suggestion of bigger budgets for infosec initiatives. The disconnect? Structure. Without clear connections between action and consequence, human beings make risky choices.

NIST is looking to improve corporate risk management with its new Privacy Framework, which was featured at RSAC 2019 and is due for completion in October. The modular, voluntary tool is designed “to help companies protect consumer privacy while protecting business imperatives.” Unlike other privacy frameworks—such as GDPR—NIST’s new offering is outcome-based and non-prescriptive, helping companies reduce risk through five key functions: identify, protect, control, inform, and respond. NIST is accepting feedback on the draft until its release later this year.

NSA Gifts Ghidra

This year’s big announcement: the NSA’s public release of the software reverse engineering (SRE) framework known as Ghidra. Developed by the agency’s Research Directorate to analyze malicious code and malware, the tool was first revealed publicly in 2017 by WikiLeaks. It is open source under the Apache 2.0 license and will be publicly available on GitHub. NSA cybersecurity adviser Rob Joyce calls the Ghidra release a “contribution to the nation’s cybersecurity community” and promised on the record that the tool contains no NSA backdoors to collect corporate usage data.

The Java-based tool ships as a roughly 270MB download and lets organizations quickly decompile suspected malware for actionable information or check in-house code for vulnerabilities. As noted by Wired, the tool is often compared to proprietary software like IDA, which performs the same basic function but comes with a substantial price tag. Ghidra also includes distinctive features such as an undo/redo mechanism that lets infosec pros test a theory about the code and reverse course if it doesn’t pan out.

The App Security Impact

NIST’s new framework should help streamline application defense. While biometric access must be locked down for this security method to offer real value, there’s no question that 2019 will see a significant rise in bio-based 2FA.

The release of Ghidra, meanwhile, is more of a question mark. There’s a big benefit here: teams creating new open-source versions and extensions of the tool and posting them to GitHub will improve the ability of companies worldwide to analyze malicious code and strengthen network defense. The downside? Malicious actors can use Ghidra just as easily to reverse-engineer business applications and discover potential avenues for tampering, compromise, or IP theft. With access to a recovered view of an app’s source code, even reasonably well-designed code, hackers can take their time crafting targeted, agile attacks that evade detection.

Like the advent of AI-driven security and automation tools that streamline application testing, Ghidra has a double edge: even as infosec pros ramp up the defense, attackers find new ways under, around, and through. Companies must ensure their applications are obfuscated so that the code such tools recover yields as little as possible to an analyst. From obfuscation to application hardening techniques such as tamper detection, debugger and hook detection, emulator and root detection, and automated response, organizations must stay one step ahead of malicious actors and of well-meaning tools alike.
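To make the “layered hardening” idea concrete, here is an added example (not code from the original article or from PreEmptive’s products) of two of the runtime checks named above, written in plain Java since Ghidra and much of the affected application estate are Java-based: a tamper check that hashes a protected class file on the classpath and compares it to a hash embedded at build time, a debugger check that looks for a JDWP agent in the JVM’s startup arguments, and a response hook that decides what happens when a check fails. The resource path `/com/example/app/Main.class` and the `EXPECTED_SHA256` value are placeholders; a real build pipeline computes the hash of the obfuscated class after the build and writes it into this constant.

```java
import java.io.InputStream;
import java.lang.management.ManagementFactory;
import java.security.MessageDigest;

/**
 * Minimal runtime guard: integrity check + debugger-agent check + response.
 * Illustrative example only; the values below are placeholders to be filled
 * in by the build pipeline after obfuscation.
 */
public final class RuntimeGuard {

    // Placeholder: SHA-256 (hex) of the protected class bytes, embedded at build time.
    private static final String EXPECTED_SHA256 = "<fill-in-at-build-time>";

    // Placeholder: the class whose bytes are protected (hypothetical path).
    private static final String PROTECTED_RESOURCE = "/com/example/app/Main.class";

    private RuntimeGuard() {}

    /** SHA-256 of a classpath resource's bytes, or null if the resource is missing. */
    static byte[] digestResource(String resourcePath) throws Exception {
        try (InputStream in = RuntimeGuard.class.getResourceAsStream(resourcePath)) {
            if (in == null) {
                return null;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
            return md.digest();
        }
    }

    /** Lower-case hex encoding of a byte array. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Constant-time string comparison: the position of a mismatch is not leaked via timing. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null || a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }

    /** True if the JVM was launched with a JDWP debugging agent. */
    static boolean debuggerAgentPresent() {
        for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
            if (arg.contains("-agentlib:jdwp") || arg.contains("-Xrunjdwp")) {
                return true;
            }
        }
        return false;
    }

    /** Response layer: log the reason and refuse to continue. */
    static void respond(String reason) {
        System.err.println("runtime guard: " + reason);
        System.exit(1);   // a real app might degrade functionality or report the event instead
    }

    public static void main(String[] args) throws Exception {
        if (debuggerAgentPresent()) {
            respond("debugger agent attached");
            return;
        }
        byte[] actual = digestResource(PROTECTED_RESOURCE);
        if (actual == null) {
            respond("protected class bytes not readable");
            return;
        }
        if (!constantTimeEquals(toHex(actual), EXPECTED_SHA256)) {
            respond("protected class bytes do not match build-time hash");
            return;
        }
        System.out.println("runtime guard: checks passed, continuing");
    }
}
```

The two checks are independent layers on purpose: an analyst who patches out the integrity comparison still trips the debugger check, and vice versa, and both are cheap enough to repeat at several points in an application rather than once at startup. Obfuscating this guard class itself is what keeps the checks from being the first thing a decompiler shows.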

Put simply? “Better” security isn’t a new technology, emerging framework, or NSA tool — it’s a layered, methodical approach to application, network, and source code protection.
