RSA Conference 2019: Trust (not Quantum), Blockchain, AI – and the advent of DevSecOps

A Trust Enabled World – that is the vision that guided the opening keynote speech of the RSA Conference 2019, held by Rohit Ghai (CEO of RSA) and Niloo Howe (tech investor and entrepreneur). Their narrative started from a security nirvana planned to be reached in 2049 and “looked back” at the trust crisis of the 2020s and 2030s – and at how the world managed to overcome it. Three major changes needed to take place in order to create this so-called trust landscape:

  1. Understanding that risk and trust coexist, and that risk needs to be embraced and managed instead of feared. Without taking calculated risks, there is no progress and no innovation.
  2. Realizing that man and machine need to work hand in hand to create “trustworthy twins”, as each has advantages over the other in certain areas: Machines are better at answering questions, while humans are curious by nature – and therefore ask better questions.
  3. Making trust measurable using reputation mechanisms. By creating a “bank account of trust”, we no longer consider only the negatives but also deposit positive achievements, providing a balance to leverage when calculating risk.

No one knows what the future looks like, but creating more trust does not seem to be a bad idea in any case.

The topic also provided the background for some political statements – which the RSA speakers are never shy about expressing: “Building trust instead of walls” was a statement that was probably not only aimed at tech companies. Other keynote speeches provided even more explicit commentary on recent political developments: This included the condemnation of state-enforced backdoors and Trojans, the handling of vulnerabilities and exploits in the intelligence community, and the return to closed-border policies in the Western world. The latter was highlighted by a video sequence showing Adi Shamir (one of the cryptographers who founded RSA), who was denied entry to the United States for the first time in more than 20 years.

“Artificial Intelligence creates as many problems as it solves”

The most philosophical keynote speech was held by two veterans from McAfee, Dr. Celeste Fralick and Steve Grobman. Focusing on the advent of artificial intelligence, they discussed whether AI is good, bad, or none of the above. In a simple use case, they highlighted how AI can be used to improve policing efficiency by calculating probabilities of crime and the respective local hot spots. However, almost the same forecast could be applied by criminals to dramatically reduce their risk of getting caught. They likened artificial intelligence to the invention of the airplane (which brought major benefits to all of us, but also caused severe damage during World War II): it is merely a medium that is utilized by humans – for better or for worse. AI creates as many problems as it solves, as it lacks a moral compass. Luckily, humans do have one (most of them, hopefully). They also talked about how AI can be tricked into seeing a frying pan instead of a penguin, but that is probably something you want to see for yourself on YouTube.

Down on the expo floors, vendors tried again to beat each other in games like “who has the loudest presentation”, “which LED color hurts your eyes the most” and “which freebies are the most attractive: shirts, drones, Amazon gift cards or bouncing balls?”. Content-wise, only a few things have changed over the last few years: endpoint security is still omnipresent, although identity and access management as well as (Next-Generation) SIEM solutions were similarly promoted. The latter space was also heavily affected by two major announcements: Chronicle (the security division of Google/Alphabet) officially launched its first homegrown product “Backstory” – a cloud-based telemetry analytics platform for search, event enrichment and threat hunting. Surprisingly, Chronicle’s staff was rather modest about the solution. Statements such as “We do not replace SIEM solutions” and “We only focus on a few use cases as of now” were continuously repeated at the booth. It’s possible that they just did not want to offend half of the security vendors on day 1. The other major launch was Microsoft Sentinel, an Azure-based SIEM platform natively integrating all your Microsoft cloud data such as Office 365. It remains to be seen how the “SIEM in the cloud” approach is received by customers – especially in Europe – but it seems to be a natural evolution at least in the case of Microsoft and their “Move everything to Azure” strategy. Further indicating the shake-up potential of these announcements, the stock value of Splunk plunged more than 13% over the last couple of days.

More than “adding some code analysis to your CI/CD pipeline”

One almost forgotten area of IT security that seems to be picking up steam again is the market for application security, including DevSecOps. With the developments around DevOps, container technologies and stateless applications in the cloud, new threat models emerge, providing opportunities for incumbent vendors and startups alike. While web application firewalls (WAF) and application security testing (AST) have been around for quite some time, new approaches show up as well: AI-based fuzzing technology, policy enforcement for Kubernetes, multi-cloud governance and orchestration, identity-driven security for APIs, in-line patching and runtime self-protection, among others. The list of technologies is long and it will be interesting to see how this market regulates itself over the next couple of months. However, it is safe to say that (1) DevOps is trending towards DevSecOps and (2) the security component in DevSecOps is more than “adding some code analysis to your CI/CD pipeline”.

Apart from the main halls and major security trends, the Early Stage Expo again gave smaller companies the chance to promote themselves – and gave visitors an idea of what potential disruptions to expect over the next couple of years. Including most of the participants of the Innovation Sandbox Contest, about 50 companies provided insights into their solutions and, finally, some technically adept people as well – a stark contrast to the marketing-heavy main expo floors. Ranging from “sounds really promising” and “that could work” to “I am sure those guys won’t be around next year”, everything was represented.

And since you can’t say “Early stage security startup” without talking about “blockchain” nowadays, here’s our hot take. At least three of the startups tried to find a useful application with entirely different focus areas:

  • NuID: Addressing the issue of central password storage, NuID created a distributed authentication ecosystem using “zero knowledge cryptography”. As the solution focuses on how your password is stored, you still need to remember it, though. NuID was also one of the Launch Pad participants at this year’s RSAC, but could not convince the VCs to spend money on them.
  • Polyswarm: A decentralized threat detection marketplace trying to solve the at times poor detection quality of VirusTotal. The idea behind it: Antivirus vendors are rewarded with tokens based on the quality of their results – improving overall detection rates. As of now, the ecosystem of partners is not exactly best-in-class, but more relevant vendors are “soon to be announced”.
  • Woleet: Woleet leverages the Bitcoin blockchain (which has become particularly known for its speed and efficiency) to support multiple use cases for trust and verification. This includes tamper-proof timestamping, electronic signatures and document authenticity. The performance issues of the Bitcoin blockchain are mitigated by “batch commits” every six hours – without access to the data in the meantime.
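To make the “batch commit” trade-off in the Woleet bullet concrete, here is an added example (not Woleet’s code; the page does not say how they build a batch). It assumes the common construction: document hashes are collected into a Merkle tree, one root per batch is anchored, and a receipt only becomes verifiable once its batch has been committed. The on-chain write is simulated by an in-memory list of anchored roots.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root_and_proofs(leaves):
    """Batch root plus, per leaf, its path as (sibling_hash, sibling_is_left) pairs."""
    if not leaves:
        raise ValueError("empty batch")
    n, level, positions = len(leaves), list(leaves), list(range(len(leaves)))
    paths = [[] for _ in range(n)]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])  # duplicate the last node on odd levels
        for i in range(n):
            pos, sib = positions[i], positions[i] ^ 1
            paths[i].append((level[sib], sib < pos))
            positions[i] = pos // 2
        level = [sha256(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths

class TimestampBatcher:
    """Collects document hashes and anchors one Merkle root per batch (the page's
    'batch commit'). The on-chain transaction is simulated by an in-memory list."""
    def __init__(self):
        self.pending = []         # leaf hashes waiting for the next commit
        self.committed = {}       # leaf hash -> (root, inclusion path)
        self.anchored_roots = []  # stands in for roots published on-chain
    def submit(self, doc: bytes) -> bytes:
        leaf = sha256(doc)        # only the hash leaves the client
        self.pending.append(leaf)
        return leaf               # receipt id; no proof exists yet
    def commit(self) -> bytes:
        root, paths = merkle_root_and_proofs(self.pending)
        for leaf, path in zip(self.pending, paths):
            self.committed[leaf] = (root, path)
        self.anchored_roots.append(root)
        self.pending = []
        return root
    def proof(self, leaf: bytes):
        # Nothing to verify until the batch is committed: the latency the page notes.
        if leaf not in self.committed:
            raise LookupError("receipt not yet anchored; wait for the next batch commit")
        return self.committed[leaf]

def verify_timestamp(doc: bytes, path, root: bytes, anchored_roots) -> bool:
    h = sha256(doc)  # recompute the leaf from the document itself
    for sibling, sibling_is_left in path:
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h == root and root in anchored_roots  # root must actually be anchored
```

A verifier needs only the document, its path and the anchored roots, never the other documents in the batch; a tampered document or an unanchored root fails the check.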

No one can say whether these solutions are here to stay, but they highlight that blockchain can be applied for entirely different – sometimes surprisingly creative – scenarios. Plus, none of the companies is funded by an ICO, but rather with hard currency.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.