The Falcon's View

Vendor Expo

A friend of mine described the Expo as "beige" this year, and I can't really argue with him. It was pretty depressing overall. Sure, the biggies were there, smiling brightly, hoping for a sniff or two. There were a few new-ish vendors, but nobody terribly exciting. If you wanted a self-encrypting USB device or a one-time password (OTP) solution, they were a dime a dozen. Everything else seemed relatively old hat and boring.

Conspicuously absent was Ounce Labs, as well as DLP maker Verdasys. Both vendors had a reasonably large presence in 2008, and I don't recall seeing either anywhere this year. It's possible that the cost v. benefit ratio just didn't work out in their favor. I spoke to one first-time vendor who thought that they were pulling in the leads by the bucketful. I gave the CEO my card with contact info and asked him to ping me in a few months to see how many of those leads were still valid. If he gets back to me, I'll be sure to get a nice write-up out there on the usefulness of attending RSA.

That being said, you have to look at RSA as the annual shindig that everybody attends. It's a shame the Expo is so expensive. I heard rumors about mandatory teamsters labor and ridiculous costs for electricity. *shrug* Kind of unfortunate, if you ask me.

There were a couple new-ish vendors out there who were kind of embarrassing. One was QwicKey, which was pushing magstripe cards for the desktop. As in, mount a magnetic stripe reader on every keyboard or monitor and use it for authentication (2nd factor). On the one hand, this sounds kind of interesting. On the other... it just feels so wrong...

On a slightly more positive note, there seems to be a trend toward "fixing" AV and DLP amongst a few younger companies. In terms of AV, a company called Prevx sounded interesting at face value, though under further evaluation maybe not so. They struck me as a SaaS version of Cisco CSA (or similar). They claimed to "support" AV, making it better, more than anything else.

I also noticed that Sunbelt Software now has an AV solution, built from the ground up. Not many people know about Sunbelt, such as that they have a top-notch malware research lab/team. I'd definitely suggest looking at VIPRE if you're evaluating AV solutions, because my guess is that it's pretty good.

Beyond these, I heard about another startup next-gen AV vendor in stealth mode. I'll be interested to see what comes from them in the future.

As for DLP, two things jumped out at me. First, GTB Technology claimed to be doing next-gen DLP, not relying on hash signatures and the like any more. Unfortunately, their booth was so busy that I was never able to get an interview with them. Nonetheless, I'd definitely recommend taking a look at them (http://www.gtbtechnologies.com/) as their solution could be very interesting.

Along with GTB, SafeNet also is starting to look at going into interesting new directions. I'll post more about them later on, based on the interview I did with their VP of Product Management, Derek Tumulak.

Lastly, there were three other vendors worth pointing out from the show:

* Alert Enterprise: Winners of the Innovation Sandbox award, they are able to correlate (but not aggregate) alerts generated by physical, IT, and control systems. My hope is that they'll some day be integrated into a larger system that not only correlates, but also aggregates, events.

* Splunk: This log management company takes a very different tact, serving more as a search engine than anything else. Very powerful and very flexible, and now available as part of a SIEM solution. Hands-down, Splunk was one of the busiest booths on the Expo floor. Also, in the grand scheme of things, I think they're easily one of the most innovate vendors in the log management space.

* Beyond Trust: While I've never had the fortune of deploying their product, the value proposition is far and away one of the best and most interesting in the security industry. And, even better, they now have sudo-like capabilities as part of the product. Who could ask for anything more? :)

* Third Brigade: This item is here mainly as a shout-out to my buddy Justin Foster (read his blog! http://www.developingsecurity.com/). These guys do host-based IPS, including VM support. Overall, it sounds pretty cool, though nothing for vserver (oh well). If you've not yet done so, please go back and add Justin's blog http://www.developingsecurity.com/ to your regular security reading! :)

Tracks

It seemed like the tracks were organized very poorly this year. Every day, there were only a few tracks I wanted to see, and almost all of them were booked at the same time. Kind of a bummer. As a result, I didn't get to see as many as possible. In particular, what was with scheduling so many good talks at 8am or 5:40pm?!? Whomever set the schedule clearly had never attended RSA like most of us security twits had. Because, if they had, they would have known that it's very hard to get up much before 10am when one has been at vendor receptions since 6pm. In all seriousness, though, 8am is really quite brutal if you go out at all the previous night, and 5:40pm is just too late in the day when most vendor receptions start at 5:45pm or 6pm.

Getting completely off-track for a minute, this begs a question... is there too much content at RSA? Speaking with track chairs, they feel stressed picking the "right" speakers because there are so few slots, and yet many times delegates wonder why there's so much cruft. It's an interesting dilemma. Is it better to offer too much or too little variety? I think you have to err toward offering too much, otherwise you make it too competitive to get a preso out there, and thus increase the risk of losing new high quality talent.

Anyway, back to the topic at hand. From all reports, the Legal track did very well again this year. It's interesting to me how much of the non-technical aspects of infosec seem to be converging in the Legal field. The mock trial apparently drew rave reviews, which is encouraging for my friends at the ABA ISC and EDDE committees.

Perhaps my favorite presentation was the final Hoff/Mogull preso on "The Future of Security" Friday mid-morning. I actually ditched out of part of the KMIP TC launch to attend it, then went back, then went to lunch, and so on. Anyway. :) I'll actually be posting my full notes from their preso later, but in the interim you can read my live-tweets under the #hoffmogull tag. :)

Other than that, I really found the tracks uninspiring this year. Sure, there were some flashy topics, such as about "cyberwar" and a few bits on "cloud computing" (I think that's misspelled and should say "clown computing", but I'm not sure;). In the end, though, there really wasn't much to get excited about. I did sit in on the "Avoiding a Security Groundhog Day" this year, and found it interesting, but didn't really take many notes. Check out my live tweets from the panel here using the tags #groundhogday and #rsac.

Keynotes

I intentionally skipped the opening keynotes, as well as the vendor keynotes, as experience taught me last year that they were mostly a waste. I did sit in on the Cryptographers Panel for a little bit, but quickly bailed out after Whit Diffie said "I don't see the big deal about cloud computing - I think it's just like radio - and that's a problem we've already solved." And then Marty Hellman pulled out his nuclear deterrence slides from last year. And I left. Not because they aren't smart people, but because it literally felt like a complete throwback to last year. I just couldn't bear to sit through the session, and literally felt embarrassed for them and RSA.

The only other keynotes I caught were The Hugh Thompson Show and the MythBusters (Adam and Jaime) on Friday afternoon. I thought Hugh was a bit low-key this year. He needed a couple more guests and shorter interviews. Or at least some sort of entertaining break every 5-7 minutes. :) As for the MythBusters, they were amusing with the "world's largest crypto wheel" (I'll post the picture later), but then the session moved to an interview format, WHICH WAS EXTREMELY LAME RSA. :) I was really expecting an actually keynote by Adam and Jaime. Thank goodness for the bloopers and hit reel at the end. The explosions were awesome. And, I agree with Adam, the water heaters are the best. :)

Other Events

Before RSA started I had the good fortune to attend the joint ABA InfoSec Committee and e-Discovery and Digital Evidence Committee meetings. Because they were concurrent in the same offices, I floated between the two. The ISC meetings were very good, with an interesting presentation and discussion on electronic voting, led by the good folks from the Open Source Digital Voting Foundation.

Both committees have good work underway. One of the topics at the ISC meeting was the need to better engage legislators to help them be well-informed on issues, including privacy and computer-related laws. We talked about how privacy legislation really ties back to a bill from 1974, and that the paradigm is shifting from incursions on privacy to control of data. Users put a lot of information out on sites like Facebook and LinkedIn, but they have an expectation that that data will only be used in certain ways. In the US in particular those mindsets don't align well with the current legal framework. As such, we need to evolve the law to better match with this new mentality.

Perhaps my best experience of the entire week was at MiniMetriCon 3.5 (see securitymetrics.org). Now, if anybody knows me, they can attest to the fact that metrics drive me nuts. This view is based in part on the truism that there are "lies, damn lies, and statistics." :) Stats drive me nuts because they're frequently open to interpretation. And, to be honest, the reports discussed are certainly open to interpretation, too. That being said, the presentations from Jeremiah Grossman at Whitehat Security and Wade Baker of Verizon. Jeremiah previewed a report that they'll be releasing in May on web app vulns, while Wade covered the 2009 Data Breach Investigations Report. In both cases, they concluded that the PCI DSS was having a positive impact, that it was not clear how significant that impact was.

In the end, here, I'm now a fan of security metrics and am eagerly anticipating the next meet-up (probably at BH?). I've even joined the discussion list at securitymetrics.org and see the value, if done properly. As a result, I'm also starting to slowly see some marginal value in the PCI DSS, though I still think it's a pain. :)

Conclusions

Would I attend RSA again? Absolutely. For one thing, it's the only time I get to see all my friends (well, the vast majority) in one place. For another, it's such excellent exposure to smart people and potentially interesting technologies.

Do I recommend RSA for everybody? Not at all. You need to come knowing a few things, and you need to have an idea of what you'd like to get out of it. If you're looking for advanced tech topics and training, then go to a specialized class. If you want to hear good, unscripted discussion of hot topics and prognostication about the future, then this is definitely a good place to be.

What's the best value of RSA? Hands-down, meeting people. For instance, I met Dan Farmer at a vendor reception this year. Dan was co-creator of COPS, a UNIX on-host auditing tool from the early 90s. COPS combined with the TAMU audit tool were the reasons I got into security. So, I blame Dan for being in this career. And that's a good thing. :)

Hopefully you've found this to be useful. You'll see a few more posts from me this week on RSA, but those will be more targeted. Cheers!