Was the Sense of Defeatism at RSA 2015 a Good Thing?
As the RSA 2015 conference (#RSAC2015) was winding down last week, someone commented on what he perceived as a “sense of defeatism.” In sessions and on the show floor, “Every vendor is saying ‘you’re already penetrated.’” There ensued a vigorous discussion on the LinkedIn Security Architecture group.
It’s Not Defeatism, but a Sign of Maturity
To paraphrase some of the comments that appeared on the list:
- “The common belief to date that a given solution will provide [a magic bullet] has been a continuous proof of the immaturity of the market. Since we now have a few decades of none of that turning out to be true we are approaching a post-adolescent realization that life may be more complicated than our simplistic worldviews might have suggested.”
- “A product will not save you. There is no silver bullet. That is the defeatism you are seeing amongst the vendor diaspora at RSA. Security is a process, not a product. Products figure prominently in compensating controls, but are not the solution. It is about reducing risk of compromise. You will be hacked someday. What controls do you have in place to mitigate the risk of critical data exfiltration?”
In this view, customers are becoming more mature and the market is responding.
- “Marketing the concept ‘you’re already breached’ is simply taking advantage of the historically disproportionate budget spent on perimeter defense rather than abilities to detect and then launch, or call a pre-engaged ‘Emergency Response Service.’”
- “I’d say this is a good thing, since I see it as vendors listening to their customers. The customers are saying that their focus is shifting – balancing prevention with rapid response and recovery.”
- “The next step should be to reconsider defense-in-depth. It isn’t just technologies. It is not an afterthought in a project, and it is not the ever-elusive perimeter. Security should be part of the enterprise architecture with identified critical assets and a plan to protect them. People should be trained to detect problems, and processes established to protect the enterprise and its assets.”
Should Maturity Imply a New Optimism?
- “If you assume the worst, you will not be disappointed. The theory is that there are two kinds of companies – those who have been breached, and those who do not know that they have been breached. This message was loud and clear. The solutions are getting more secure, the community response is becoming better organized, and we are maturing our strategies to deal with the changing threat landscape. The business imperative to address security concerns is now top of mind, at all levels of management, including the Board of Directors.”
The Contrarian View
- “I view protection as a process – something you do, not something you buy. The vendors, having realized this, need to find ways to make money from it. So they say you have already been penetrated and need to buy ongoing eternal services from them to continue the eternal fight of vigilance.”
And at this point the discussion got a bit colorful 🙂
- “I am somewhat displeased with [the subtext of] this terminology: ‘You have been penetrated (you’re screwed), so you need to have the day-after pill (their services) and possibly something far worse (surgery on your infrastructure to remove the unwanted spawn).’”
Wrapping Up, For Now
Since our so-called defeatism is heavily concentrated among network security vendors, it could be seen as just another swing of the pendulum. Remember, years ago: “IDS is dead!” That simplistic declaration ushered in more than a decade of vendors hyping prevention solutions. Starting about 5 years ago, analysts (including myself) began urging clients to “Assume you’re already compromised.” We’ve finally succeeded in swinging that pendulum the other way.
Welcome to the decade of detection, aka security analytics. We can’t curb market over-reaction – if that’s what it is – any more than we can stop the sun from rising. But when it comes to detection in the modern era, please understand that it’s not the Power of One (vendor) that matters, but the Power of Many (sharing data). And this sentiment – it takes a network to fight networks – was also on display at #RSAC2015, and that is a good thing.
By the end of the RSA Conference, I remained guardedly optimistic. Prevention is not dead; it’s just not sufficient. As ever, we need to take a systematic, comprehensive approach to security. Let’s close with this comment:
“Having attended RSA myself, I don’t believe it was a sense of defeatism as much as a rude awakening to reality. This is far better than living in fear of the situation.
“‘Being defeated is often a temporary condition. Giving up is what makes it permanent.’ – Marilyn vos Savant.”