RSAC 2019 Roundup: NIST Gets Structural as the NSA Goes Open Source
Published on March 8, 2019 by Alexander Goodwin
The booths are gone, the lights are off and the conference halls are empty. It’s a wrap for RSAC 2019, but IT pros aren’t going home empty-handed: Here’s a roundup of this year’s key topics, critical outcomes and biggest surprises.
No “I” in Team
This year’s RSA Conference opted for a simple, one-word theme: Better.
While it’s certainly aspirational, what does it mean in practice? For RSA, it’s a recognition that security doesn’t happen in a vacuum: infosec pros must work together to find better solutions, make better connections and make the world a better place. Given the often-fragmented nature of corporate IT security, RSA’s focus on empowering the “collective we” in cybersecurity makes sense: evolving, adaptable threats won’t be defeated by companies operating in isolation.
So what’s on deck for infosec this year? Let’s dig in.
Biometrics Goes Big
When it comes to new technology, biometrics made significant inroads at RSAC 2019. As noted by Brian Madden, multiple vendors featured new biometric solutions designed to lower risk and — potentially — hasten the end of traditional password security.
From fingerprints to face recognition and even keystroke and mouse click recognition, leveraging inherent biological traits offers real opportunity for companies to improve application and network security. And by linking biometrics to mobile devices rather than traditional desktops, organizations can adopt new protection layers without the need for expensive hardware purchases.
NIST Teases New Framework
Risk management is critical for companies to effectively implement new IT services and evaluate the potential impact of malicious attacks. According to one RSAC 2019 main-track session, human beings are “awesome at risk management” — despite occasionally poor choices from individuals, as a species we’re excellent at avoiding obvious risks and doing what it takes to survive.
When it comes to infosec, however, this natural risk avoidance often seems lacking: apps are released without effective security controls or deployed with known vulnerabilities in their open-source components. Employees often ignore the risks associated with social media apps and document-sharing tools, even as C-suite executives chafe at the suggestion of bigger budgets for infosec initiatives. The disconnect? Structure. Without clear connections between action and consequence, human beings make risky choices.
NIST is looking to improve corporate risk management with its new Privacy Framework, featured at RSAC 2019 and due for completion in October. The modular, voluntary tool is designed “to help companies protect consumer privacy while protecting business imperatives.” Unlike other privacy frameworks, such as GDPR, NIST’s new offering is outcome-based and non-prescriptive, helping companies reduce risk through five key functions: Identify, Protect, Control, Inform and Respond. Feedback is welcome on the new project until its release later this year.
NSA Gifts Ghidra
A big announcement this year: the public release by the NSA of its software reverse engineering (SRE) framework, Ghidra. Developed by the agency’s Research Directorate to analyze malicious code and malware, the tool’s existence was first revealed by WikiLeaks in 2017. It is entirely open source under the Apache 2.0 license and will be publicly available on GitHub. NSA cybersecurity adviser Rob Joyce called the Ghidra release a “contribution to the nation’s cybersecurity community,” and promised on the record that the tool contains no NSA backdoors to collect corporate usage data.
The Java-based executable is 270MB in size and lets organizations quickly decompile suspected malware for actionable information or check in-house code for vulnerabilities. As noted by Wired, the tool is often compared to proprietary software like IDA, which performs the same basic function but comes with a substantial price tag. Ghidra also includes distinctive features such as an undo/redo mechanism that lets infosec pros test a theory about the code and reverse course if it doesn’t pan out.
The App Security Impact
NIST’s new framework should help streamline application defense, and while there’s a need to lock down biometric access for this security method to offer real value, there’s no question that 2019 will see a significant rise in bio-based 2FA.
The release of Ghidra, meanwhile, is more of a question mark. There’s a big benefit here: teams creating new open source extensions of the tool and posting them to GitHub will improve the ability of companies worldwide to analyze malicious code and improve network defense. The downside? Malicious actors using Ghidra to reverse-engineer business applications and discover potential avenues for tampering, compromise or IP theft. With access to an application’s decompiled code, even if the app is reasonably well designed, attackers can take their time crafting targeted, agile attacks that evade detection.
Just like the advent of AI-driven security and automation tools that streamline application testing, Ghidra has a double edge: even as infosec pros ramp up defense, attackers find new ways under, around and through. Companies must take steps to ensure their applications resist analysis by new tools and frameworks. From obfuscation to application hardening techniques such as tamper-proofing, debugger detection, hooking detection, emulator and root detection and response, organizations must stay one step ahead of both malicious actors and well-meaning tools.
Put simply? “Better” security isn’t a new technology, emerging framework or NSA tool; it’s a layered, methodical approach to application, network and source code protection.