RSAC 2015.
Apr 20, 2015

April 20, 2015: RSA opens.

RSA begins today. The exhibit halls are set up and the first presentations will get underway in a few hours.

Themes expected to dominate the conference include the growing role of threat intelligence (and predictive attack modeling) in cyber defense, the as-yet unresolved (and possibly irresoluble) security issues that accompany the Internet-of-things, the continuing professionalization of cyber crime (and the commodification of the hacking black market), and the enduring pinch both industry and government feel in the cyber labor market.

RSA marks an annual inflection point for the industry, especially for start-ups. In the last few weeks, reports say, more than $200M has flowed into start-ups. Another report sees $1B moving into the sector over the last quarter.

We'll be live-tweeting from the conference throughout the week.

April 21: Innovation Sandbox 2015.

RSA opened yesterday, with the first big event being the Innovation Sandbox. This year's theme is "Security at the Edge of Innovation." The program chair, Dr. Hugh Thompson, reviewed the Innovation Sandbox's ten-year history, and then introduced this year's contestants.

SecurityDo described "Fluency." CEO Chris Jordan observed that breaches result from failed prevention, and that prevention can, paradoxically, induce a false sense of security. He advocated focus on the response process. Fluency does this, flexibly merging events into flows for usable breach information event management.

NexDefense was introduced by its executive chair, Derek Harp. The company offers cyber security for the industrial world. Their goal is to address the shortage of both trained personnel and security solutions for industrial control systems. NexDefense's solution monitors control networks in real time, displaying results in a customizable three-dimensional interface. (We'll run an account of our interview with Derek Harp in tomorrow's issue.)

CEO Lior Div introduced Cybereason, whose solution aims to reveal cyber attacks in real time through "frictionless data collection" and "automatic hunting of the adversary." He drew particular attention to their ability to identify questionable lateral movement within networks.

Bugcrowd CEO Casey Ellis began by affirming the reality of the "defender's dilemma": cyber attacks are, effectively, crowd-sourced in an increasingly efficient criminal market. Bugcrowd seeks to crowd-source security on its Crowdcontrol platform. They've enjoyed success with a mix of vetting and a good incentive model that succeeds in motivating full-timers, part-timers, and enthusiasts. (He noted that many of the best of the crowd are from the UK, with its large population of hobbyists.)

Tomer Weingarten described SentinelOne's next-generation endpoint protection. Attacks continue to succeed despite very large investments in security. He pointed out that malicious code eventually has to run on an endpoint. SentinelOne therefore concentrates on the endpoint, to which it applies real-time dynamic behavioral analysis — they build a completely automated live execution context for every process.

Ticto's Managing Director Johan Vinckier presented his firm's approach to overcoming the limitations of smart cards as they're implemented for control of physical access to multi-level, compartmented environments (like chemical plants, medical centers, and so on). Ticto passes enable you to identify, at a glance, authorized personnel for permanent social control during an event's day.

TrustInSoft builds and deploys "bulletproof" software (work, one imagines, that would surely be of interest to DARPA). CEO Fabrice Derepas explained that the company has built the first-ever SSL stack guaranteed against buffer overflow. They supply advanced software security audits; their early adopters are in the aeronautical and nuclear power generation sectors.

Oliver Tavakoli, CTO of Vectra Networks, described Vectra's automation of cyber attack detection in real-time. He described the typical path an attack takes, as an initial exploit moves either to direct criminal monetization or to more sophisticated attempts on an enterprise's networks or data. Between initial protection and SIEM or forensics is a gap, and Vectra seeks to fill that gap by "automating epiphanies about the behavior of machines."

Fortscale's Idan Tendler pointed out that more than 80% of successful attacks exploit user credentials. Whether those credentials are stolen and used by an outside attacker or whether a malicious insider abuses them, we should draw the same lesson: profiling user behavior is an effective way of flagging some of the most dangerous attacks. (We'll run our interview with Idan Tendler in tomorrow's issue.)

Waratek's Anand Chavan (Vice President and Co-CTO) outlined an approach to application security that would make applications self-protecting, self-diagnosing, and self-testing. Enterprise applications, he argued, are the blind spot in security. Waratek's RASP protects applications in a container. It uses "taint detection," not signatures or heuristics.

After some deliberation, the judges took the (for RSA) unprecedented step of naming a runner-up: they congratulated Ticto on its innovative access control solution.

The overall winner of the 2015 Innovation Sandbox, however, was Waratek, and they were congratulated on-stage by an impressive array of past winners.

See links to articles discussing RSA below — many new products and services are being launched here. We hope to share interviews with some of the more interesting companies in tomorrow's issue.

April 22: The anti-crypto side in the Crypto Wars.

RSA continues, with many well-attended (and well-covered) addresses and panels by industry leaders (and a few US Government leaders as well).

US Secretary of Homeland Security Jeh Johnson addressed RSA with a plea for "understanding"—specifically, understanding why he thinks cryptography constitutes a threat to public safety. While he did offer the customary encomia to privacy and freedom, his main concern was to convince the IT industry generally and the cyber sector specifically that the Government needs, and should have, ways to subvert cryptography when crypto tools are used by criminals and terrorists. There seems little prospect that his plea would be met with the understanding indulgence he asked for; in any case, as TechCrunch quoted Contrast Security's CTO Jeff Williams, "the cat is out of the bag on secure encryption."

April 22: Trends on the exhibit floor.

Out on the exhibit hall floors and in suites in the neighborhood around the Moscone Center, however, some trends are emerging.

There's widespread agreement that enterprise spending on security continues to increase dramatically. There's also widespread recognition that this spending hasn't prevented increasingly damaging attacks. This in itself is unsurprising—no serious person expects general immunity from cyber attack—but many are wondering whether security investments may be misapplied. To take one obvious question, traditional perimeter defenses (which have their uses) absorb a considerable investment. But defending a perimeter would seem to imply knowledge of where that perimeter is, and many (most?) enterprises are too poorly informed of their own network topologies to know this. Is there a corresponding investment in network self-awareness? Such self-awareness would surely, many say, extend to the challenges presented by cloud adoption, BYOD, and shadow IT.

Many of the vendors exhibiting and presenting at RSA are offering automated and machine-learning solutions aimed at relieving the burden human watchstanders face. Human watchstanders, analysts, and reverse engineers are expensive, and vendors offering automated products and services are also quick to point out their contribution to easing the effects of a tight cyber labor market.

Threat intelligence—yes, everybody wants it and many are offering it, but the sector is still groping toward a common understanding of what would constitute actionable intelligence. In conversation most threat intelligence experts have been downplaying the general usefulness of attribution. Sure it's interesting, but what, actually, would you do with it? (Unless, of course, you're the FBI.)

A number of conference participants are looking toward the maturation of the cyber insurance market. They see this market as having a potentially very positive forcing function for cyber security as a whole.

The agility and adaptability of cyber criminals are being much discussed. There's little talk of criminal geniuses—if there's a Lex Luthor out there, he doesn't seem to be writing attack code—and there's widespread recognition that old, well-known commodity exploits and techniques remain in use simply because they're cheap, available, and effective. But there does seem to be an increasingly efficient criminal black market. It's not so much that crooks conspire or collaborate (although of course sometimes they do, but that's not the norm). Rather, the market's working for them.

Fortscale: user profiles enable a paradoxically permissive approach to enterprise security. On Monday we sat down with Fortscale CEO Idan Tendler to talk about his company's behavioral analytics solution. With the goal of mitigating insider threats—and threats posed by outsiders using compromised credentials, acting effectively as insiders—Fortscale analyzes access to data in an enterprise. The very size and complexity of enterprises makes it difficult to recognize illegitimate access, Tendler says, and Fortscale's Hadoop-based machine-learning helps bring clarity to that complexity.

Fortscale uses historical data from Splunk and similar sources to compare a user's access to a profile built from the user's history. The profiles are rich in context, including information about legitimate roles. The system isn't an alarm, but a tool that flags relevant information for further investigation. Flexible in its application to enterprise needs and proprietary systems, given any authentication logs, Fortscale is confident it will find anomalous, abnormal behavior.

Fortscale has offices in both Israel and California. Many of its people are alumni of the Israeli Defense Forces' signal intelligence and cyber organization Unit 8200. The company was one of the RSA Innovation Sandbox finalists.

Tendler is struck by the new uses customers find for his company's solution. He sees an emerging push to reimagine security around the user, and he thinks that doing so will foster a more agile and even more permissive approach to security: give everyone access to everything, and keep an eye out for the bad actors.

NexDefense: cyber security for the industrial world. We were also able to speak with another Innovation Sandbox finalist, NexDefense's Derek Harp. NexDefense monitors industrial control networks in real-time.

Harp emphasizes a point familiar to those who work with industrial control system networks—they're different from traditional IT networks. Perhaps the most basic difference is the way in which, for ICS networks, reliability tends to trump security. ICS networks tend to be deterministic, they tend not to be noisy like their IT counterparts, and their equipment tends to have a long shelf-life.

People tend not, Harp says, to realize how pervasive ICS networks are becoming, encompassing building control systems, utilities, and so on. They're also converging with the burgeoning Internet-of-things. As control systems are modernized and networked, their attack surfaces are increasing exponentially. It's this challenge that NexDefense is addressing.

Harp notes that the company's customers tend to be plant operators, not CISOs or IT operators. He's also gratified by their response to NexDefense's adaptation of the Idaho National Laboratory-developed Sophia tool, and by the operators' reception of his company's three-dimensional displays.

April 23: Threat intelligence and more perspective from the exhibit floor.

RSA discussions of threat intelligence get more interesting as legislation designed to advance sharing in the private sector moves through the US Congress. Former Government officials (now in the private sector) recall the obstacles agency equities became to effective intra-governmental sharing. Some of this is culturally inevitable, but that doesn't mean the agencies themselves shouldn't struggle against this tendency. Companies are also concerned to ensure that threat intelligence sharing among Government and private entities doesn't become (or, in a stronger view, remain) a one-way affair: companies want access to intelligence that can help them, too.

Other presentations emphasized what are now familiar trends in the cyber security sector: the increased role compromised login credentials play in attacks, the connection between denial-of-service attacks and the growth of the Internet-of-things, and, of course, the shortage of trained labor.

We were able to speak with several companies attending RSA. Here's a quick précis of what they told us.

Lookingglass: Concepts without intuitions are empty; intuitions without concepts are blind. Lookingglass doesn't actually quote Kant's Critique of Pure Reason when they describe their offerings, but they might well. As their CEO Chris Coleman explained, in threat intelligence, context is everything. Mere collection is of limited value.

Lookingglass collects Internet topology from the outside, and it's awareness of that topology that provides the context for the data and behavior collected and observed.

They take what Coleman calls "a combined arms approach" to security. They integrate with enterprise SOCs, and they provide a critical third-party monitoring capability.

Lookingglass has been recognized as a very fast-growing company. Their recent acquisition of CloudShield, Coleman notes, has been important in fueling that growth and enabling the company to offer a scalable platform that combines policy enforcement with threat intelligence to enable customers to address threats in real time.

Votiro: Spearphishing defense designed to fend off unknown exploits. Itay Glick, Votiro's CEO, described his company's anti-spearphishing solution. Rather than attempting to detect a zero-day, Votiro runs a process on the file itself, creating a copy that's known to be clean.

The system operates in the enterprise gateway. The copied file goes into a whitelisted format, thereby avoiding the possibility of infection.

Glick notes that Votiro's system connects to other aspects of enterprise security (SIEM, Splunk, antivirus, anti-malware, etc.). Their anti-exploit technology is delivered as a managed security service.

Tel Aviv-based Votiro has approximately forty employees and around a hundred customers, with the financial, healthcare, and physical infrastructure sectors most strongly represented.

NSS Labs: Testing tools turned to security uses. NSS Labs' founder and CTO, Bob Walder, described the company's BaitNet, and demonstrated its elegantly comprehensible user interface.

BaitNet emerged from a security product test harness NSS built a few years ago. Blackbox testing evaluated products for security effectiveness, performance, resiliency, and total cost-of-ownership. Old-school manual testing simply cannot scale. So NSS Labs began automatic collection and automatic replay of various forms of badness. Doing this, they realized that they had more than just a test harness.

In testing endpoint protection, Walder observes that exploit records are of limited value. You really need a dynamic response, and BaitNet effectively delivers live test results. It's best thought of, Walder says, as a "huge, instrumented, cloud-based, sandboxed environment." It sends out virtual machines to suspect URLs, and then looks for infections. "We're not interested in the malware, but the exploit, that is, the delivery mechanism," Walder explains. (This concentration on exploits enables them to escape attackers' efforts to evade VMs.)

Replaying what BaitNet finds gives an enterprise pass-or-fail, block-or-no-block result for the security products they've deployed. A signal advantage of this approach is its dramatic reduction of false (or irrelevant) alerts, and its ability to enable an enterprise to focus quickly on real threats.

Onapsis: Security for business-critical applications. Founded in 2009, Onapsis concentrates on securing the application layer. Mariano Nunez, CEO and co-founder, and Ron Trackey, Vice President, Product Development, explained the Onapsis Security Platform as something that gives application-layer visibility to widely used SAP platforms.

Onapsis sees three principal kinds of attack on this layer: pivoting, portal, and data warehousing. They hope to raise awareness of the threat such attacks pose to an enterprise, and their platform is designed to prompt and serve quick, effective incident response. Those who need to act on these attacks need information—actually intelligence, that is, information analyzed, organized, and usefully delivered—to do so. Onapsis provides insight into topology, policy gaps, and policy violations in the vital application layer.

The company is working with large firms like IBM, Deloitte, EY, and KPMG. They have customers in several sectors, with a focus on manufacturing, oil and gas, and retail.

Neustar: Data analytics and denial-of-service. Contrary to what its name might suggest, 17-year-old Neustar is a relative veteran in the young cyber security sector. They specialize, executive Margaret Abrams told us, in DDoS mitigation and in developing intelligence on DDoS trends.

Denial-of-service is of particular concern, Abrams notes, to the financial, retail, and IT sectors, but of course it has much broader importance. Formerly denial-of-service attacks were the stock-in-trade of hacktivists (protesting some business, agency, or organization of which they disapprove) or extortionists (holding availability hostage). Today, however, DDoS attacks are increasingly part of much more sophisticated and complex attacks. They serve an important diversionary role, forcing the relatively small IT staffs of the typical enterprise to "take their eyes off the glass to deal with denial-of-service." This sort of diversion, Abrams says, is particularly useful to attackers attempting lateral movement through a network, and to those seeking to establish persistence.

There's a big uptick in interest in DDoS protection, Abrams says, particularly in the financial services sector. These businesses struggle with the rapid financial losses they sustain during successful denial-of-service. Redirection of attack traffic is an important mitigation technique.

April 24: Cybersecurity companies express their interests and concerns.

RSA is wrapping up. The exhibit halls closed yesterday afternoon, but discussions and meetings continue into today.

As we look back at this week, we're struck by several converging themes. Security companies are increasingly aware that you're more likely to be blinded by the glare than the fog of war in cyberspace. They get the traditional distinction between information (raw, not actionable) and intelligence (information analyzed, corroborated, and processed into something actionable).

The speed with which consequences are sustained in cyberspace combines with a traditional fact of North American economic history—capital is cheap, labor expensive—to push innovation in the direction of automation (with machine learning, wherever possible) and sharing across devices and platforms. The goals are both speed and a reduced labor burden.

But there's a general recognition that there's an irreducible human dimension to cyber defense—we heard no grand claims for strong AI, still less transhuman replacement. A common theme is to automate correlation to support human decision-making.

We're struck by the number of companies devoting attention to the endpoint. (As one interlocutor put it, badness can gurgle around in networks, but eventually it's got to run on an endpoint.)

Finally, there's a general consensus that we're after resilience—the ability to detect, respond, remediate, and continue operations.

That said, we continue our report of conversations with companies attending RSA. Here are some of the things on their mind.

ThreatSTOP: Cloud-based blocking of malicious command-and-control traffic. ThreatSTOP's Chief Executive Officer Tomás Byrnes discussed his company's approach to bringing cloud-based security—including blocking and actionable intelligence—to enterprises of all sizes.

Their work began as almost a sideline: helping charities that were digitizing their tax returns by enabling them to obfuscate personally identifiable information while rendering the files indexable. Working with DShield, they realized they could propagate dynamic ACLs (access control lists) for firewalls with DNS.

Using Small Business Innovation Research (SBIR) support from the US Department of Homeland Security, they built the capability of managing firewall policy and parsing log data. They also added an incentive for their customers to participate in DShield: a written, graphical report on log content.

ThreatSTOP's system combines manual curation of inbound feeds with automated correlation. They have, and continue to refine, anonymizers for customers reluctant to share too much threat information, but Byrnes thinks enterprises are overcoming much of their reticence about sharing within a properly secured environment. Customers who want to hold their information close can get an API that enables them to correlate internally.

They've since continued to develop their log parsing solution, now presented in a single pane of glass with a RESTful API. Byrnes says ThreatSTOP has enjoyed high renewal rates and satisfaction with their solution to the problem of blocking both intrusion and exfiltration. About his solution Byrnes says, "It works. It works with what you have, and it protects you everywhere."

Tripwire: Continuous monitoring for intelligence (not just information). David Meltzer, Tripwire's Chief Research Officer, described his company's areas of focus. (He was seconded by his colleagues Ken Westin and Shelley Booth.)

Meltzer began his discussion of the first focus area—advanced threat detection—by noting IBM's recent release of many years' threat logs. While approving of the gesture, he posed the question "What use are seventeen years of IP addresses?" Threat intelligence has to be "relevant, timely, and meaningfully usable." Enterprises want to know what threat actors are doing to organizations like theirs. Their interest lies in using this intelligence so they can set themselves up for more effective detection.

Tripwire has found great utility in standard formats like STIX and TAXII. Standardization is very important for effective sharing and correlation. So timely effective detection turns on giving enterprises the ability to share information and to automate relevant correlation, thereby automatically processing information into intelligence.

Meltzer thinks much useful information can be shared without raising too many fears about privacy. Most of the data Tripwire sees being shared are things like bad urls, file changes, and so on. "If they were sharing packet capture, they'd worry more."

Senior Security Analyst Westin added that the insider threat is more challenging to identify than the external attacker: continuous monitoring of user behavior is essential.

Tripwire's second focus area is industrial control security. The industrial Internet-of-things—comprising such elements as the smart grid, transportation systems, and industrial plants—is modernizing by assembling disconnected things into corporate networks. In this space, Meltzer notes, availability and safety are the two big concerns. The biggest challenges of the Industrial IoT include the very long lifecycles its devices tend to have, those devices' fragility, and the operational fact that, realistically, "any security solution that impacts latency is a non-starter." Tripwire's connection with leading ICS firm Belden gives them an opportunity to build in a layered defense for industrial control systems.

Meltzer concluded by reminding people that Tripwire offers a broad range of solutions—they're more than a policy and compliance shop. (And he'd also like you to know that Tripwire is profitable.)

Damballa: Machine learning, with a side of realism about threats to mobile devices. "You have a greater chance of being struck by lightning than of being hit by malware on your mobile device," says Damballa's Chief Technology Officer Brian Foster. "There are risks in the mobile ecosystem, but malware isn't among them," at least not in a big way.

Damballa offers two principal products—an ISP and an Enterprise security solution. The ISP solution draws upon observation of some 50% of North American Internet and mobile traffic and trains machine-learning engines with this unfiltered network visibility. The Enterprise solution encompasses the ISP solution and expands its capabilities with scalable engines.

Their goal is to find compromises before they become breaches. Damballa detects infected devices "with certainty," and their detection technology is based on unfiltered big data (Foster apologizes for using the "big data" buzzword—he offers "large volumes of data" as a less flashy alternative), machine analytics, and machine learning. Eight engines look at network behavior and corroborate that an observed process is malicious, thereby effectively eliminating false positives. They don't rely on signatures, but rather wait to see the malware actually run before declaring that an app is infected.

Because these detection technologies are based on Internet protocols, any connected devices can be secured. The automation the technologies bring to the detection process is designed to enable enterprises to get more out of the human security operators they have. Their products have incident response utility, offering rapid assessments that initiate incident response.

Secunia: Mapping attack surfaces, managing vulnerabilities. Secunia's Chief Technology Officer, Santeri Kangas, described his company's approach to vulnerability management. Their products are based on a vulnerability laboratory with more than ten years' experience, and they're designed to reduce the headcount customers need to devote to security operations. The information they develop enables customers to prioritize their mitigation of vulnerabilities.

Kangas says that Secunia has one of the largest vulnerability databases on the market. It matches a rich vulnerability landscape to an enterprise's assets, thereby giving the customer a perspicuous view of its attack surface.

The Vulnerability Manager product (which seems to have found a market sweet spot among mid-sized enterprises) maps the enterprise attack surface. It consolidates vulnerability information from a wide range of researchers and vendors (white hats only, Kangas points out—grey hats and black hats need not apply) and uses these in conjunction with its own research to guide patch management. Vulnerability Manager directly alerts those responsible for the affected asset family, which serves to focus the security response while economizing on labor.

Secunia deals with the actual endpoints, including Internet-of-things and industrial control system devices (mobile devices are in the process of being added). Some fifteen thousand devices are currently covered. Secunia integrates particularly closely with the Microsoft ecosystem, packaging, for example, Microsoft patches for efficient application.

Cyphort: Machine learning focused on the cyber kill chain. Cyphort's co-founder and Chief Strategy Officer Fengmin Gong says, "Today, solutions must look at every stage of the cyber kill chain." Cyphort offers a software-only distributed security solution. In their approach, sensing is distributed, analysis centralized. Any form of data sensed—traffic, files, etc.—is inspected and processed through a machine-learning engine for classification.

This approach, he says, produces very context-relevant information. That context includes such elements as subnet, operating system, installed software, and network topology. The incident alerts their solution produces include IP addresses and urls to be blocked, small signatures (if desired), and targeted indicators of compromise. Their goal is to automate as much as possible (including automatic blocking as an option) but to leave the human in the loop where an irreducibly human decision is called for.

Gong sees this approach as consistent with a shift in the security paradigm. "We used to talk about vulnerabilities, prevention, and exploitation. Now we focus on consequences." We seek to avoid and contain damage, thus the importance of continuous monitoring and sharing across devices.

Cyphort thinks the customer who buys the product, and not the vendor, ought to be the one making the integration decisions. Open APIs are the coming trend.

Gong concluded by saying Cyphort understands the security paradigm shift, and noting the considerable value of applying simple best practices. He sees their solution as "very practical, very context relevant," and above all as yielding actionable alerts.

Malwarebytes: A focus on relevance. "AV focuses on volume," says Malwarebytes' Pedro Bustamante. "We focus on relevance: recency, activity in the wild, and interesting families. Age and prevalence are basic criteria." Their flagship products are Antimalware and Antiexploit.

He describes anti-virus companies as having become, essentially, database managers. Malwarebytes, by way of contrast, does reverse engineering. Its Antimalware uses signatures, to be sure, but it is especially interested in advanced heuristics. Offering more than detection, it also disinfects, using disinfection heuristics based on linking.

Antiexploit's technology is behavioral. It looks into "tricking" (as seen in phishing and waterholing, for example) and vulnerability exploits (particularly dangerous because there's often no user interaction required). Exploits are now responsible, Bustamante says, for some 80% of infections. Antiexploit watches traffic and looks at software API calls for real-time behavior monitoring and blocking.

Bustamante closed our discussion with a description of Malwarebytes as focused on the modern threat. The company's products are complementary to anti-virus products, and they're designed to layer with one another for a comprehensive defense.

Guidance Software: Security inside out. Guidance Software moved from a core competency in digital forensics to a comprehensive set of security offerings. We spoke with Guidance's Mitchell Bezzina about what the company calls "inside-out security."

Guidance started in 1997 with e-discovery, moving from there to computer forensics. (Bezzina says they remain the market leader in court-validated digital investigation tools.) They've used that expertise to develop endpoint detection and response solutions, moving from the endpoint to the security of the enterprise in which they reside.

Their two principal products are EnCase Cybersecurity, which automates incident response, and EnCase Analytics, which combines automated correlation with manual querying. These are now being combined into EnCase Endpoint Security, a Windows-based application that sees across seven operating systems. The idea is to use endpoint information to find gaps in a security framework, and then remediate those gaps. "If you begin with the endpoint," Bezzina says, "you can see everything."

EnCase integrates with many other security products to automate incident response. As perimeter defenses generate alerts, they tell EnCase to investigate. EnCase ensures there's no data decay. Since it sees the endpoint, it's able to give analysts the context they need to take action. Once a tier-one analyst confirms an incident, a tier-2 analyst uses the product to investigate, and a tier-3 remediation follows. The product offers on-demand automation of remediation.

Bezzina concluded by drawing an analogy between policing and cyber security: the police rarely stop a crime in progress; they investigate it. Rapid investigation is a useful way of thinking about cyber security. Guidance offers internal threat intelligence based on seeing the endpoint. It supplements this with external feeds. The goal should be filling known gaps in security, and then concentrating on detection, response, and remediation.

Bay Dynamics: Predictive analytics for a post-malware age. Increasingly, malicious outsiders operate as if they're malicious insiders. We spoke with Bay Dynamics' Chief Executive Officer and founder Feris Rifai (ably seconded by his colleagues Anil Nandigam and Gautam Aggarwal). Rifai says that the trend in attacks is a move away from malware to the use of stolen credentials.

Bay Dynamics has an engine that delivers both predictive analytics and machine learning for user behavioral analytics. (Rifai is proud to point out that Gartner's study of security behavior analytics illustrates the sector's challenge with two case studies, and acknowledges both of them as deriving from Bay Dynamics' work.) The company offers four solutions. Two involve early threat detection:

  • Insider Threat finds evil in the noise, calling out anomalous behavior, but not with a rule-based approach. "Normal changes over time," Rifai explains. "We want the data to tell the story." Insider Threat produces a prioritized list of users worth investigating. It also moves beyond event-by-event remediation to bulk remediation. "We give the security professional a data-scientist-in-a-box." The product also gives the customer the opportunity to conduct just-in-time training for well-intentioned but errant users who violate policies. "If you give people the opportunity to do the right thing," Rifai quotes a customer, "they'll do it."
  • Outsider Threat correlates outside attacks with insider activity. They pull in external data feeds, automatically integrate them, and correlate them with user behavior.

The other two involve predictive analytics:

  • Attack Surface Threat Solution identifies high-value assets most likely to be exploited, correlating vulnerabilities with exploits. And it does this for CISOs, who increasingly are becoming risk managers. The technology is designed to "deliver the right information to the right person at the right time," Rifai says. This both facilitates patch management and gives the CISO the ability to assign stakeholders both power and accountability.
  • High-Privilege Access Threat Solution looks at observed behavior that indicates both high-privilege and risky behavior.

Bay Dynamics was founded in 2001 and has recently experienced rapid growth, more than doubling its revenue in 2014.

Rapid7: Community (not crowd) sourced security. We finished our talks yesterday by sitting down with Rapid7 as the exhibit halls were closing. Jen Ellis and Tod Beardsley were our guides to the company.

Ellis described Rapid7 as looking at security from end-to-end, and with a deep understanding of the threat landscape. The company offers security data analytics, including threat exposure management, incident detection and response (with both response services and behavioral analytics), and strategic security services. One innovative offering: the services of a "CISO-in-residence," currently the well-known Bob Lord.

Beardsley (whose genial mien belies the title on his business card, "Pirate Captain, Metasploit Framework"—we might suggest a friendly Privateer Captain) talked about Metasploit, of which Rapid7 is the custodian. "Metasploit's open source community underpins what we do," he says. The things they get from the community are the things people are actually seeing.

Ellis and Beardsley closed with some realistic and persuasive altruism. "Security transcends selling product," Ellis said. The security community does best when it acts like a community, and that, perhaps, is as good a way to close RSA as any.

Ave atque vale. Thanks to all the companies who made time to speak with us, regrets to those we didn't have time to visit, and to all, please stay in touch.

A look back at RSAC 2015.

We wrap up our coverage of last week's RSA conference today. See today's issue for pictures, retrospectives, reports on late-week sessions, and reviews of some keynotes.

We'd be remiss if we didn't congratulate two blogs honored at the show: Sophos's Naked Security continues its winning streak by taking best-corporate-blog honors, and Graham Cluley is adorned with most-entertaining-blog laurels.

We leave RSA quoting the apt take on the show by eWeek's Chris Preimesberger: "There were so many aspects to the conference that it is patently impossible for any one person to soak up everything he or she might have wanted. But when you come to a show like this one, you plan a meeting-and-seminar strategy, try to stick to it as best you can, and still leave time windows for fun and networking." Thanks again to all who spoke with us, and see you next year.