Special Editions 3.6.17
Ep 14 | 3.6.17

RSA 2017 Roundup – Perspectives, Pitches and Predictions - A CyberWire Special Edition


Dave Bittner: [00:00:05] In this CyberWire 2017 RSA Conference Special Edition, we wrap up our show coverage with insights from experts about the trends they're seeing, the products they're pitching and where they think we as an industry need to go. Stay with us.

Dave Bittner: [00:00:24] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance - artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:26] For our regular daily editions of the CyberWire, we tell our guests that we like to talk with people who have something to say and not just something to sell. For this Special Edition, we relaxed that guideline just a bit. RSA is a trade show, after all. But along with the product pitches, our guests give us their observations from the show and their views on where they think things are going. We begin with Mark Dufresne from Endgame, who I caught up with in the days leading up to the conference.

Mark Dufresne: [00:01:52] We have a lot of people at Endgame who have a - have kind of a - some lineages in, you know, offensive cyber, working for the U.S. government and a lot of red teaming experience. So we know what it takes to be successful as the adversary and can apply that directly to building our preventions. And that goes a little further - kind of understanding the things that adversaries might try to do in - like, what do they look for in an end point as they're doing their operations? And how can we hide from them and kind of evade any attempts they might have to, like, signature Endgame and take evasive action, to undermine Endgame's ability to collect and provide visibility, to turn us off?

Mark Dufresne: [00:02:29] We're hardened in a variety of ways and stealthy in a variety of ways as we're doing our defensive operations to kind of frustrate any kind of adversary attempts to undermine the capability. The platform is designed - again, it's an EDR platform with incredibly powerful prevention capabilities built in. So, you know, we're really - we've been pushing this hard, addressing some serious gaps in the EDR market and kind of leapfrogging our prevention and detection capabilities beyond what's out there to detect - kind of with a layered behavioral approach to detection.

Mark Dufresne: [00:03:03] We are bringing out a capability that we call Artemis, an intelligent, AI-powered bot, to make this technology, like, accessible even to novice users. So somebody can sit down at our platform - never using an EDR platform and truly has the power to stop nation-state level attackers, you know, in less than an hour of using it. We've seen people doing that. It really - it solves the talent problem, the resource shortage people has, and also kind of brings down a security team's time to identify, investigate and respond to threats. And it takes some things from days all the way down to minutes with using Endgame - you know, kind of relying on some of these very powerful detection technologies that we have in order to detect malware, prevent against zero days, stop fileless attacks and, you know, kind of hit adversaries at every stage of their operations and make it very difficult for them to achieve their objectives.

Mark Dufresne: [00:03:58] You know, everyone in the industry is now saying that signatures aren't enough to detect threats. That's absolutely true. We think we have a unique approach to that signature problem. I think we're going to see a lot of talk at RSA about, you know, streaming rules engine approaches to the problem, whereby a tool provides full visibility - you know, a mountain of data - about what processes are doing and what users are doing. And there's some - you know, you can write rules on top of that - things like, hey, these - the following six things that happen exactly in sequence might be indicative of a process injection. That's great. You know, it's good technology. It's nice to do that. And I think it's good that a lot of - that people are thinking like that.

Mark Dufresne: [00:04:37] But there's some drawbacks with that type of approach in that they're brittle, they're difficult to set up, difficult to configure. And they - they're kind of watching the problems take place, still. So we have a - kind of a unique view at solving problems like that, which are attempts to deal with things like fileless attacks and that sort of thing. So we're going to see some rules engines and some other things that are more behavioral that, you know, people should take a look at and think about how some of those techniques might not be quite everything we need.

Mark Dufresne: [00:05:07] The other thing I think we're going to see a lot of talk about is in-memory-only attacks, fileless attacks. Kaspersky just did a good post last week about trends in fileless attacks that are happening out there, things that don't use traditional malware and just - and cause problems only in-memory. There are some emerging techniques to detect that, but all of those things have serious drawbacks and visibility gaps - a lot of what's out there.

Dave Bittner: [00:05:30] That's Mark Dufresne from Endgame.

Dave Bittner: [00:05:32] James Lyne is the global head of research at Sophos. We spoke on the show floor.

James Lyne: [00:05:38] We're all about simplicity - making things accessible and easy. And as a result, we appeal very strongly to small and medium-sized companies where, if they're lucky, they have a dedicated security person. But often, they have what we often joke about as the only information officer. It's also the same person who's responsible for changing the printer and keeping the Wi-Fi on and dealing with a deluge of different user problems.

James Lyne: [00:06:02] So we work well in those environments because we're not, you know, bombarding people with 50,000 alerts every minute to go chase down. We focus on the things that are really important - simple configuration and technology backed by our labs that works out of the box. Of course, some larger enterprises are pragmatic about their approach to security and may find that valuable, too. But certainly, in small and medium-sized companies, that's really a sweet spot for Sophos, based on that easy-to-use tech.

James Lyne: [00:06:31] I think a couple of the areas that I'm most proud of over the past 12 months and that tie into a lot of the research I've been doing and I'm presenting at the show here feature around ransomware and anti-exploitation. Exploiting systems using exploits - or bugs turned to nasty purposes - has been the driving force of most malware distribution, most cybercriminal activity for the past seven, eight, nine years. And we've taken some, I think, really quite unique steps in thwarting exploits higher up the chain of attack to make sure that nasty code really never gets running so you have to deal with the cleanup and so on and so on.

James Lyne: [00:07:12] Ransomware has been undoubtedly the most favorite campaign of cybercriminals over the past 18 months. It is prolific. There are so many different versions of it, so many different types of scam. And the quality of their implementation is improving all the time. I'm really proud of the technology we brought out in Intercept X, where we generically thwart a huge number of ransomware campaigns. And in the event that they do get in and start the encryption process, we're able to identify it behaviorally, roll that stuff back. So really, it's continuing to do what we do best. It's finding the major pain points for small businesses, for medium-sized enterprises - the things that cybercriminals are focused on - and building easy-to-use, accessible technology that solves those problems for our customers.

Dave Bittner: [00:08:04] Here at the show, looking around, what are some of the things you're seeing in terms of trends for the industry as a whole?

James Lyne: [00:08:10] Well, there's a lot of focus here on the tactical but important issues. Like I just mentioned, ransomware - people have realized it's a big issue for companies. So of course, it's showcased here. There's a lot of focus, as well, on machine learning, adaptive learning and the use of data science in driving better security. That's been a really exciting area that we've embraced over the past couple of years and is undoubtedly one of the big hot topics here. And I think that probably will be one of the big hot topics over the next couple of years, as well, because it can be applied to so many different areas of security, so many different types of user policy or detection at each of the layers. I think we're really only at the beginning of the journey in application of that to security.

Dave Bittner: [00:08:58] That's James Lyne from Sophos.

Dave Bittner: [00:09:01] Emily Mossburg is a principal with Deloitte Cyber Risk Services. If you're a regular listener, you'll recognize Emily. She's been on a number of times.

Emily Mossburg: [00:09:09] There's a couple of new offerings that we're launching while we're here. One is our new managed threat services, and the other is our digital managed identity services - really focusing on the fact that a lot of our clients and a lot of enterprises are looking for more capabilities from a managed services perspective. So we've really been focused on developing those solutions and getting those out to market. One of the things around our digital identity service that we're really excited about is that it's not focused on a traditional enterprise identity solution, although it can be used for that. But it's really focused on an enterprise being able to offer that service for their end consumers and customers.

Emily Mossburg: [00:09:55] So it's sort of bridging the gap between enterprise identity and consumer identity. So it's really exciting for us to be putting something like that forward and being able to change the conversation and talk more about consumer identity, which is something that seems to be really amping up because of the fact that there's so many new digital transformations happening, so many new applications that are being developed - mobility, cloud. So we really want to be able to bring something to the market that allows the enterprise to manage the identities of their end consumers.

Dave Bittner: [00:10:38] Looking at the show as a whole - as you walk around, as you look at things - what are you seeing that's catching your eye in terms of innovation?

Emily Mossburg: [00:10:45] There continues to be a lot of focus on cloud transformation and CASB solutions. There continues to be a lot of focus on threat intelligence and actionable intelligence. One of the things, though, that I think is really the most important is the application security focus that we're seeing. And not that secure development life cycle is new, but I think we're seeing a shift in terms of how it's being applied. Broadly, we're seeing a shift away from enterprise-focused insular security to, how do we take our cyber risk requirements and our program and drive it into the products and services and innovations that we have as an enterprise? Especially with the advent of the internet of things and connected products, there's much more focus on, how do we develop and innovate new, connected products that don't open us up to new cyber risks?

Emily Mossburg: [00:11:47] So how do we bring forward the cyber risk requirements into the innovation life cycle and the product development life cycle? And how do we then code - design and code these products and services in a secure way from the get-go, as opposed to layering the security and the controls on after the product's already developed? So I think that's one of the things that we're seeing and hearing a lot about. And I think it's going to really take off in the next three to five years. You're going to see a transformation, if you will, around the security function.

Dave Bittner: [00:12:23] As you look forward towards 2017, you know, what's on the horizon? What are we - what kinds of things can we expect to see from Deloitte?

Emily Mossburg: [00:12:30] We're going to have a more of a focus on infrastructure security and application security for a number of the reasons that I previously said. But what we really want to do is focus on helping organizations innovate in a secure way. So we're going to spend a lot of time and energy on application security and infrastructure security in order to enable that. From an infrastructure security perspective, a lot of it is being driven by the cloud transformation that's evolving. You know, people have been talking about cloud for years. I think we're right now sort of in the capability curve where we're really starting to see more and more adoption. What that adoption means is that the traditional network design, the traditional network security and architecture is shifting. So we're seeing broad-scale network security evolution. So we're spending more emphasis and focus and innovation on new ways to do that.

Emily Mossburg: [00:13:35] We're also focusing, as I mentioned, on digital identity, and I expect that to continue through 2017. What we're launching here at the show is really our first release of our managed digital identity services. But we have a road map that's laid out over the course of the next year that's going to allow for version 2, version 3 and version, you know, 4. So we're really focused a lot on that, as well.

Dave Bittner: [00:14:01] That's Emily Mossburg from Deloitte.

Dave Bittner: [00:14:03] Mark Nunnikhoven is vice president of cloud research at Trend Micro. He shared some of the trends he's been tracking at the conference.

Mark Nunnikhoven: [00:14:11] There's a lot of really interesting niche players. And there's some real interesting work being done around malware hunting, which is, you know, sort of when teams are getting a little more aggressive and proactive within their enterprise. I think that's really good for mature enterprises, but there's a lot of basics that still need to be done. But there's some interesting work going on in that space. And then there's a big push around leveraging sort of more advanced machine learning and artificial intelligence techniques to - security defense. And that's sort of - there's people that are all flash, and there's a lot of people who are substance, as well. But I think there is a lot of value to be had for defenders to invest in those types of technologies.

Dave Bittner: [00:14:50] And where are you all in that play in terms of machine learning and AI?

Mark Nunnikhoven: [00:14:54] It's something we've actually been doing for a really long time. So Trend - traditionally, we're pretty quiet. We just kind of go about our business and try to deliver as much value to customers as we can. But we started a new marketing campaign. And normally, I shy away from the marketing stuff. I like to dive - you know, as a researcher, I like to dive into technology and organizational design. But this year, we're really kind of getting a little more assertive and talking about the fact that you don't need just one thing. So machine learning's great. And, you know, it's something I've been involved in for years. But it's not the end-all, be-all. No control - despite what you'll see from some of the claims in the market, no one control's going to do everything. You need a set of controls. So even stuff that was effective 10 years ago is still useful because it's really quick, it's really efficient and it'll get you an answer whether something was known good or not. But then, you know, it's not perfect. So you need a series of controls.

Mark Nunnikhoven: [00:15:42] And I think that's a really important and pragmatic way of approaching security. You get the machine learning to take advantage of the grunt work and the really deep comparisons that humans aren't good at. And then it presents something unique and novel to get some of the creativity that people are really good at. And so that blend is what's effective because, you know, computers are great. You look around image recognition and, you know - trying to parse the meaning of text. Computers can understand words and translate them, but they can't tell you what it actually meant. So a person can look at a sentence and tell you what it meant. A computer could translate that sentence into any language on the planet, but it still can't tell you what it meant. So that combo is really important.

Dave Bittner: [00:16:19] This gap we have with having enough people to fill all the positions in the industry...

Mark Nunnikhoven: [00:16:23] Yep.

Dave Bittner: [00:16:23] You know, where do you see it coming in that? Do things like automation, like machine learning - can they help close that gap?

Mark Nunnikhoven: [00:16:29] Absolutely. So one of the challenges we have, just on automation in general - not even looking at the skills gap - attackers have been automated for a while. And yet, we're defending manually. And, you know, anybody - and even if you're not in the security space, you understand that's not fair. Like, that is not an even match. And, you know, why not? Attackers saw an opportunity. So - you know, ransomware's a great example. People are like, oh, I'm never a - you know, I'm not a target because I don't have anything of importance. Well, yeah, you do. You have something of importance to you. And the attackers won't target you specifically. They've simply set up a script to attack every open endpoint they find - because why not, right? Everyone they - in fact, they're going to get money back from - or there's a good chance they'll get money back from.

Mark Nunnikhoven: [00:17:07] So defenders need to start automating. And we're seeing that in the cloud space a lot more where developers have automated. They're doing the whole DevOps trend where they're deploying new versions of the application 10, 20 times a day. Security needs to be just as automated. But specific to the skills gap - absolutely. If we can start getting better information to security defenders, we can make them more efficient. Right now, a big challenge for sort of traditional teams is when they're looking at a list of potential security events, there's 50 events on there. Maybe one or two of them actually deserve their time. We can use machine learning and automation tools to reduce that list down to only the one or two that need a person to respond.

Mark Nunnikhoven: [00:17:45] So what I'm seeing a lot, especially working on the cloud, is realizing - people are realizing, along with that shift away from hugging the server and realizing that you need to focus on their business, is that we need to change how we're applying security, in that we used to have a security team that sort of at the end of the project, said, hold on a second. You need to have this in place and this in place, and you need all these wonderful controls. And we know bolting it on at the end isn't effective. You know, you can close some gaps that way. But if you really want to be secure, everybody needs to understand that responsibility, which means as security people, we need to be working directly with those teams as they're building things and working directly with the business.

Mark Nunnikhoven: [00:18:19] So I know it's difficult for a lot of security folks because we're not necessarily the most outgoing, but we need to change our sort of perspective and get there and be talking more, be communicating more and be educating people because then we can get involved earlier and make sure that it's less of a headache for everybody. And that way, we'll all be more secure because you know the criminals are starting to collaborate. They're offering crime as a service. You know, you can get the latest botnet for about 7,500 U.S. an hour. And you can take down massive providers yourself. This is a business. We need to - you know, crime is a business. We need to make sure that we're collaborating internally, as well as with our peers to make sure that we're defending as a team because security is very much a team sport.

Dave Bittner: [00:18:58] That's Mark Nunnikhoven from Trend Micro.

Dave Bittner: [00:19:02] Levi Gundert is vice president of intelligence and strategy at Recorded Future. We spoke right after the RSA Conference about his take on the show, specifically in the area of threat intelligence.

Levi Gundert: [00:19:13] There seems to be a lot of focus this year on analytics and a fair amount in sort of the artificial intelligence space, or at least the buzzword. Those sort of seemed to be the themes that I caught just walking the trade floor. There's obviously been a real need to focus on intelligence that's useful to the enterprise and the business. And, you know, companies go about doing that a lot of different ways. But I think, in general, you know, that was the message that was really trying to be communicated by all of the vendors in the different ways that they provide intelligence context - was that these are the use cases.

Levi Gundert: [00:19:52] These are the scenarios that we provide value into that will actually be, you know, useful to the business and applicable to the business. I think we're seeing a much wider adoption of cyberthreat intelligence across a lot of different industry verticals. I think the days of, you know, speeds and feeds are largely over. You know, there's nothing wrong with feeds and - at the operational layer. But certainly, folks don't want to be paying enormous amounts of money to vendors for feeds of indicators of compromise. That's just - that's a thing of the past. And I think, you know, that was very evident in the show this year.

Levi Gundert: [00:20:27] Yeah, so the value of threat intelligence is really, you know, how do we buy the right controls, or how do we build the right controls? And that's really the strategic analysis of risk. You know, where in the organization is there potential for loss - real loss to the business? And then, you know, how do we address that with the right security controls? And so that's really the primary value proposition of threat intelligence. You know, the secondary sort of ancillary value is, how do we improve our controls? You know, how do we test the efficacy of current controls and improve those controls? And that's sort of the operational component of threat intelligence.

Levi Gundert: [00:21:00] But at the core, it's a tough thing to do. It's a tough thing to do cyberthreat intelligence well and to provide consistent value into both of those areas. There's a lot of different approaches. But, you know, obviously, having wide sources of information available to do analysis, to then produce intelligence into organizations of different industry verticals is really key. That's a key component. And I think, you know, being able to do that with machines instead of humans is the only way that an effort really scales to find the intelligence - that it is going to be applicable to the business.

Levi Gundert: [00:21:37] I think where we have seen a lot of success is really in that combination of machine learning and human analysts - human analytical capabilities. And, you know, for a long time, a lot of folks have been talking about the pure-play artificial intelligence and the promise there. But we haven't actually seen that come to fruition in the security space. And I think artificial intelligence is perhaps a bit of a stretch. I think machine learning is probably the right term to use here. My colleague Staffan Truvé, who's one of the co-founders of Recorded Future - he likes to say, artificial intelligence is not this magic potion or sauce that you just pour over data and it sort of magically becomes useful intelligence. That's not how it works. You know, machine learning is a great capability. And if you have good algorithms, it can certainly help take the brunt of some of that big data pain, you know, away. But at the end of the day, you still need humans to combine, you know, that effort with machine learning. And that's really where we're seeing success in our product. But also as an industry, that's really where success is being driven.

Dave Bittner: [00:22:41] So I mean, looking towards the future, what do you see happening in the next few years? Where do you think things are going to go?

Levi Gundert: [00:22:48] It's always difficult to prognosticate on things like this. But I think you're going to see more of machine learning and more of that combination of machine learning and human analysts. But I think you're also going to see a broadening of sources as organizations look for deeper and broader technical information. Human intelligence, signals intelligence - there's good data there, but sometimes it's hard to acquire that data. So I think you're going to see businesses actually going after different types of data to fulfill some of their intelligence needs.

Dave Bittner: [00:23:23] That's Levi Gundert from Recorded Future.

Dave Bittner: [00:23:26] Carl Leonard is a principal security analyst at Forcepoint.

Carl Leonard: [00:23:31] Every year in the Forcepoint Security Labs, we predict their top 10 threats that might arise over the next 12 months. And in November of 2015, we anticipated that the elections - whether that be, you know, as it was then - the upcoming U.S. elections or those in other countries - there is opportunity for those with certain desires to manipulate the voting machines, to spread misinformation, to steal data from the parties of various candidates or the candidates themselves and leak that and influence the election process and that of the - you know, the electoral base. So it didn't really come as a surprise. What we'll be looking to for this year, 2017, is to highlight this and make sure that, you know, governments that have upcoming elections - certainly around Europe, we've got a lot of countries that - an election year this year - to make sure that they've really thought about some of the issues that might occur and also raise awareness for members of the public. Don't always trust that piece of news on a social media site.

Carl Leonard: [00:25:01] It's - sometimes it is hard. I - we kind of take it for granted, as researchers, to always understand the quality of the source and assign a reputation to it. It's - I know full well it's something that we researchers do without even thinking about it. It's what we're trained to do. But for members of public, it can sometimes be very difficult to trace back, well, where did that statistic come from? Where did that story come from? - and then realize that it's not true. So yeah, I think the spread of this, you know, fake news on social media will continue to be a challenge over the years. There's been various proposals by different governments on how to regulate it and ultimately who is responsible for it and who should manage it and who should retract that information - lots of things to be discussed. We do not know the - we don't have all the answers as a security community. I don't think other governments have the answers - that they're still trying to figure this out, as well, make sure that they have an informed electorate. Yeah, one of the big discussions of 2017 - that's for sure.

Carl Leonard: [00:26:18] I think the complexity of attacks has been increasing rapidly for over a decade. The type of attacks that we are seeing are very much as a result of malware authors building kits so that the - it's the kit that has the complexity and the intelligence behind it. And then other malware authors can reuse that and almost inherit the skill set of the original author of the kit. So the complexity will continue to increase. I think the industry is responding with, you know, next-generation approaches, however those may be defined. A lot of the attention that I'm seeing - certainly at the show, at RSA 2017 - and it's around advanced machine learning and really understanding and being predictive of a threat, looking at it early.

Carl Leonard: [00:27:12] So this is certainly what we're doing at Forcepoint to understand the behavior and the intent of actions so that you can put that into a risk score. We literally rank incidents in terms of risk and alert the businesses - our customers - as to which events to look at because we are in the realms that you cannot protect from all threats all of the time. It's the type of threats that - you know, as we see often in the press, that - you know, those are the ones that are launched at Saturday night when all the analysts are out and your SOC has closed down and you're updating your VM machines and your analysis machine. That's when the attackers hit you.

Carl Leonard: [00:27:58] So I think there's still lessons to be learned. We've still got to understand that - you know, the TTP - the tactics, techniques and procedures that the malware authors are using - and respond in a way where we can become more predictive of the threats, intercept them early. We have - at Forcepoint have been using machine learning for a decade now, trying to understand threats without ever seeing that threat before. The industry is responding back with a vengeance. I think another real good thing to look at is the increased collaboration around the security community and with governments around the world. We share threat intelligence with national CERT teams, with government agencies, with law enforcement. And we've had some successes with that. You know, some of the botnets we've reported on have then been shut down. So this is a good thing for all of us. We'd much rather, you know, those malware authors be brought to justice. We often forget that these are crimes. You know, ransomware - it's a crime. It's an act to defraud individuals and extort them. We mustn't forget that.

Carl Leonard: [00:29:15] So really, the - you know, the focus on machine learning, the increased collaboration with peer groups within certain industries - people often cite finance as a great example of that, how they collaborate - and then just - yeah, looking at the end user, educating them. They become more aware. They can help you. They're part of your extended eyes and ears looking out for these threats as they will continue to evolve.

Dave Bittner: [00:29:43] That was Carl Leonard from Forcepoint.

Dave Bittner: [00:29:46] Next up is Evan Blair, CEO of ZeroFOX. We spoke at their booth on the RSA show floor.

Evan Blair: [00:29:54] ZeroFOX is a social media and digital security company. We help organizations safeguard their corporate assets in the social media world. We help organizations protect their business where they engage with customers and recruit new employees. And we help organizations protect their employees, their VIPs and executives, as well as all of their end users or employees across the globe beyond the network perimeter, beyond the device, into the social media land where we've obviously seen a new attack vector arise. That is causing major problems, from targeted phishing to data exfiltration to social engineering. That really is impacting the ability for an organization to secure and safeguard their operations.

Dave Bittner: [00:30:36] I think we hear an awful lot about email, you know, when it comes to phishing attacks, ransomware and so forth. But there doesn't seem to be so much attention paid to social media. Is - I guess from your point of view, that's a mistake.

Evan Blair: [00:30:48] Yeah, it's definitely a mistake. And look. It's not a criticism that people are paying less attention to it. It's a newer technology, right? We've seen this with all technologies over the years - is they become adopted by the business as kind of core operational platforms. Security then follows. We've been in business for a little over four years now, and we've been signing up customers ever since we opened our doors. So it's not that people aren't paying attention. It's just that I think the market dynamics are now shifting where people are spending more energy and focus on it because it has a much bigger impact on their revenue and their bottom line. And when anything impacts your bottom line, you're going to say, how do we protect it and safeguard that? And I think we've also seen some really high-profile incidents of hacks and breaches and targeted campaigns against organizations across social.

Evan Blair: [00:31:36] But there is an interesting challenge here in that social media exists beyond the network perimeter, meaning it exists beyond the ability - traditional ability of security teams to see and manage and govern that interaction and that data flow. So it's not that there's less attacks on social. In fact, there's more attacks on social than on email or web platforms that are successful. But we don't hear about them as much because, well, no one knew about them until they were already a problem. So the data was already exfiltrated. And forensics is very hard because social media is a real-time kind of data platform.

Evan Blair: [00:32:08] So going back in time is virtually impossible for most IR teams. So it's really presented an unprotected and unsafeguarded vector for the cybercriminals and the cyber adversaries to target our company through our weakest link, which is our employees and our customers. And so, yeah, it's not that it's less prevalent than anything else. It's just that it's less visible than everything else. And the goal of ZeroFOX is to obviously change that dynamic and give the power back to the security teams through visibility and control.

Dave Bittner: [00:32:39] So walk me through it. What does a typical attack via social media look like?

Evan Blair: [00:32:44] There's a lot of different types of attacks, and there's a lot of different motives and goals - end goals in the cyber adversary's playbook. But there's one central and key component to almost every social-media-based attack, and that's a fraudulent, spoofed or impersonated account. Now, this can be impersonating an executive of an organization. It can be spoofing an organization's official account, or it can be creating a fraudulent persona that doesn't necessarily impersonate somebody, but pretends to be somebody that it's not. And on social media, there's this interesting paradigm of trust that we have, which is one of the reasons that it's the best spear phishing platform in the world.

Evan Blair: [00:33:24] So you've got this launch platform, which is a profile, and that's the epicenter. Now, once I have a profile and once I have a connection with you, I'm in your circle of trust. And so now my ability to influence you to click a link, my ability to influence you - to elicit data and information is much, much higher. I can also target customers and steal customer data and business data. And so, again, it really depends on my focus as an adversary and what my goal is. Obviously, the end goal is usually data, money. Probably both of those two things is the No. 1 and No. 2. But if I target your customers now, I've introduced a whole new risk for the business because not only am I trying to steal their PII, their customer data, steal their identities and sell it online by spoofing your brand or your organization on social channels, but I'm also damaging your brand integrity. I'm damaging your customers' trust in your organization.

Dave Bittner: [00:34:19] You know, what are you seeing as we're looking forward to 2017? What are some of the larger directions and trends that you're noticing? And how do you feel that you fit into those?

Evan Blair: [00:34:30] That's a good question. So one of the things that I like to talk about - and I'm - I may be overstepping here - but the death of the CIO. The CIO, in his traditional capacity of technology availability and a support structure for all of the other department heads and business units, is quickly becoming old-school, is quickly becoming outdated. Now, that's not to say that the CIOs are going away. But what I really mean by that is the CMO can now be his own CIO. The CFO can be his own CIO with cloud applications. With the move to cloud services, SaaS model services - the most famous one is Salesforce.com, of course - we no longer need internal IT teams to build out and manage bespoke platforms, to accomplish a CRM goal, to accomplish a finance - an accounting goal, to accomplish a marketing goal. We can quickly pay somebody on a credit card for a couple hundred to a couple thousand dollars a month and stand up a platform that accomplishes all of these goals.

Evan Blair: [00:35:35] And so that introduces a big gap because what the CIO provided was that oversight. And the CIO typically had the CISO - chief information security officer - report to him. What I'm seeing now is a rise in - to prominence of the CISO, taking over that kind of enablement role from the CIO. As the shared services are now cloud-based and don't require that IT oversight and plumbing, the CISO is now more important than ever. And he provides the enablement for the secure use of those cloud services, those shared platforms, those SaaS applications. I see this at a lot of our customers. The CISO now has a board seat - or not a board seat, but he is invited to the board meetings. He advises the CEO directly and oftentimes reports directly to the CEO now, bypassing the CIO, if there is still one at that organization. So I think security is going to take a front seat in the boardroom and a front seat at the executive table, whereas in the past, it's been the back seat.

Evan Blair: [00:36:39] We've always looked at IT spend and said, well, a fraction of that is security. I think we're going to see that change. You're going to see budgets shift to cloud applications and cloud services. And you're going to see more budgets shifted and more resources shifted to security as data breaches continue to grow, as the attack vectors continue to grow, as business continues to migrate to social, mobile and digital platforms. It's inevitable that a new way of thinking about security and data protection and individual user protection is - it's inevitable that that's going to be the dominating topic.

Dave Bittner: [00:37:18] That's Evan Blair, CEO at ZeroFOX.

Dave Bittner: [00:37:22] Gabby Nizri is CEO at Ayehu. He shared news of some of their new offerings at the conference, along with the trends that he's seeing.

Gabby Nizri: [00:37:31] Here at RSA, we are launching our next generation automation as a service platform. So for the first time, we basically present something that will allow you to deliver services and automation and capabilities that are actually consumed by mainly enterprises on premise. Now it will be available as a service, and the ability for that platform to serve as a multipurpose solution for IT, security, cloud, IoT, is something that nobody else is doing today. So think about your organization and the ability to deliver automation to the entire organization that siloed one (ph). So no matter if you have application, practices, infrastructure, security, now they are all can consume or even work together to build automation solutions for the entire organization's core silos (ph).

Gabby Nizri: [00:38:34] So with this new platforming, we're going to target managed services mainly because they are now being attracted by lots of the IT organizations who are outsourcing their infrastructure application and cloud practices. And these days they are also extending to the cloud - to the security. I believe that managed services for us is No. 1 target market, where they can really benefit from the value of the automation solution - A, because they have armies of people who can really build automation practices and all this kind of, you know, as I mentioned, IoT, cloud, infrastructure, application, security and so on, so they can build their own IP on a platform, so they can leverage that and reuse their automation pieces for customers across the globe.

Gabby Nizri: [00:39:26] The second is the IT organization, internally, who are not outsourcing, and this is where they can build their own automation practices, and they can build operation capabilities via automation for, again, for the infrastructure, for the application delivery and so on, so on. And the same for cybersecurity, which is less mature, but they are getting there. So we believe that, you know, since the IT is much more mature and progressed in how they leverage automation, I think the security is a little bit far from that, but it's getting there. And so organizations that will adopt automation for their IT, they will be able to extend that to security from the same platform.

Dave Bittner: [00:40:11] As you look around the show this year, what are some of the themes that you see? What are some of the things that strike you that the direction that cybersecurity is headed?

Gabby Nizri: [00:40:21] So I think automation and orchestration is now a big buzzword. I've been here a year ago, and it was noisy, but this year it's already crowded. There are tens of vendors who are coming with their promise of automation orchestration for cybersecurity. And so - and we see also how VCs are attracted by this market segment, and so we see lots of investments in this area and lots of buzz. And I think the noise is much greater than what the reality is really facing. You know, CISO (ph) offices are really crowded with tons of tools, and here's another one. And CISO are yet to figure out what they can do with that. So I think it's No. 1 theme that I see here.

Gabby Nizri: [00:41:25] And I think for us, it's great because it raises the awareness of, you know, automation and orchestration and how it is important for security operations to be able to scale their business. Many people talk about the lack of people that they can, you know, find and hire for their security operations. I believe it's true. So it's really hard to find these guys who can manage SOC and, you know, 24 by 7 operations. But I think it's important to understand that you need people also to deploy these tools. And if they are too complex, coming with too much scripts inside, you probably could fail. If it's too closed, like a black box, it's also limiting you, so it's going to fail. So I think you need to find something more flexible, something that you can scale and something you can actually build your practices on top of.

Dave Bittner: [00:42:26] Gabby Nizri from Ayehu.

Dave Bittner: [00:42:29] We give the last word in our RSA Conference review to Jason Porter, vice president of security solutions at AT&T.

Jason Porter: [00:42:37] RSA was really interesting this year. I think it continues to evolve. You know, having been a part of this security industry for a number of years, you know, really, the evolution is one of the most interesting things to me. You know, you constantly see sort of new flashy technology, whether it's CASBs or next-generation firewalls or threat; you know, those have been some of the themes of previous years. I thought, obviously, those were still in - still present in this year's RSA. Heard a lot about IoT security, heard a lot about threat and new threat capabilities.

Jason Porter: [00:43:30] But I also think that the industry is maturing as a whole, and you could see, you know, a lot of customers asking much deeper questions - you know, how am I going to operate this? How am I going to do this efficiently? You know, the questions and discussions really evolved from just the flashiest, newest technology to real security operations and basics about how do you build that strategy given the multitude of opportunities from a technical perspective. So I was really encouraged by just the evolution of thinking around, you know, the practical nature of solving security challenges.

Dave Bittner: [00:44:30] And that's our CyberWire 2017 RSA Conference Special Edition. Thanks to everyone who took the time out of their busy RSA Conference schedules to meet with us, and thanks to you for listening. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.