Root Causes 389: 2024 RSA Conference Wrap Up

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

May 28, 2024

Jason and Tim do their annual RSA wrap-up. Trending segments include AI, Trust Centers, MFA, PQC, and more.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanIn fact, I was just in one of my other favorite cities in the world, which is San Francisco for the RSA conference. For RSAC. As always, we'd like to do an RSA wrap up. So I've got some notes here, Jay, and let's talk about some of what I observed this year at RSA.

Jason SorokoLet me think. I gotta prognosticate, Tim. I remember back in the day, Blockchain, Zero Trust. Buzzwords, buzzwords, buzzwords. I want to know eventually what the key buzzwords were at this conference.

Tim CallanYou know what the biggest buzzword was.

Jason SorokoOf course, I do.

Tim CallanBut before we get there, let's talk about buzz real quick. So, as we know, a few years ago, with COVID, RSA really took a kick in the teeth. It is as crowded and as huge and as vibrant and as energetic as it has ever been. RSA is 100% back. So that's the first thing to know. It was jam packed, and it was full of vendors and the halls were full and full of attendees and full sessions and just RSA is going full throttle.

So buzzwords - we know what the obvious buzzword was.

Jason SorokoLet me guess. It's gotta be AI.

Tim CallanOf course. So, here's what's funny. And you and I talked about this last year. Last year, AI was virtually absent. And it was because it had progressed so quickly as a story. This year, exactly as we predicted, when I did my floor walk, it was like you almost couldn't stand anywhere on the show and if you looked around, you would see the word AI. And a lot of these were like new vendors but a lot of them were existing vendors that were either touting their AI creds. Maybe they had really developed AI in the past 12 months, or maybe they just had found a way to represent what they're doing as AI in the last 12 months, but clearly, somewhere in the rules, it said if you don't have the word AI on your booth, you're not allowed to exhibit.

So, in fact, so here's my conference schedule. So how many of the official sessions, speeches, do you think were about AI? This is unfair.

Jason SorokoIt's unfair.

Tim CallanDo you want to know the number?

Jason SorokoYes.

Tim Callan63!

Jason SorokoI wasn't even going to guess that high. That's crazy.

Tim Callan63 sessions had something to do with AI. I mean, you just couldn't avoid the topic. And we're laughing about it but also, in all fairness, that really should be the case. If it is not the most important development in computing since the internet, that will only be because it's more important than the internet.

Jason SorokoIt very well might be. There’s so much to think about that. I'd love to know a lot more about the nature of what those talks were about, because what's captured people's attention, obviously, is the large language models and the various high profile GPTs that are out there right now that people are using. But doesn't always apply from a security standpoint. So therefore, are we talking more about neural network programming or are we talking about other forms of AI that aren’t as common.

Tim CallanI think it’s all over the map. I think there's definitely a big LLM focus. There is focus on attacks against LLM. There’s focus on using LLMs to assist attacks and what to do about it. And that's a real thing and that needs to be examined. Yes. But AI, of course, has many possible forms and applications and it's a big term that envelops a lot of very specific technologies and approaches. And you're seeing all of that stuff on display.

Jason SorokoI'm really curious from our standpoint, people who listen to this podcast, PKI specifically, I think where some of it really applies is in the general - - we use the term automation quite a lot. I think that this is where AI, for, us will end up probably playing a place other than the back office where it'll play all kinds of places just like everybody else. But I think in terms of being able to set up autonomous forms of automation, I think AI will play a role in solving some of the last mile problems that we have within our industry. I'm curious to know whether or not anybody addressed that at RSA being a security conference.

Tim CallanI think it's a little hard to answer that, because there was so much talk about it. If you want to characterize, if you want to say what was the main theme of the AI conversation, I'd say, the main theme was diversity. Just because everybody is looking at every AI angle they have, and literally, vendors that you wouldn't have thought of, and, is an AI thing in any way, you're walking past their booth, and it's, it's almost like they took their tagline and they shoehorned AI into it. And so everybody is finding every AI angle they can, and again, some of that is smart marketing, but a lot of that is smart technology development. And, and it's both, and that's it. I mean, it's never gonna go back. It's never going to be different.

Jason SorokoHere's the take. I think the AI push this year is a lot more interesting and 60 something talks, I'm not sure if all of them were the cat's meow, but I bet you there's at least some percentage in there that is legit. And that's a big change from a lot of previous buzz terms in previous years, which were shoehorned for really no good reason.

Tim CallanI think that's a very astute observation, Jay, and I'll agree with you, which is, there's generally more substance. There's more meat behind the AI talk. I'm predicting that next year, we're going to see at least as many talks, but we're going to see a more mature view of the technology space. Right now, it's just sort of what does this mean? There's a lot of what does this mean.

Jason SorokoI’ll tell you how early on it is from a security standpoint. In fact, it was last night researching for some of these Toronto podcast sessions that we're doing right now. And one of things I noticed was Mark Russinovich of Microsoft fame, wonderful person and security researcher, just put out a major presentation on security aspects of AI. So talking about a lot of things you and I have already covered early on in this area, such as prompt injections, jailbreaking AI, etc. And so, up until now, these things have been theoretical, or just been discussed on Reddit, or on our podcast. And what you're now starting to see is people who are formal thinkers about this actually publishing on it. And so we're still early in it but it's nice to see that there's legitimacy in the thinking. When you have people like Mark Russinovich publishing on it that it's it’s kind of a different stage.

Tim CallanSo you've just told me that I'm not a formal thinker and there’s no legitimacy in my thinking.

Jason SorokoNo. What it is Tim, is this. We are always going to be on the absolute front of these things.

Tim CallanWe're on the edge. And, you need that sort of established, built out support for that. Absolutely.

Jason SorokoThat's exactly right.

Tim CallanSo AI, everybody knew we were gonna say that. So enough said on that. Next on the list. You might be able to predict this one too, because it is one of my personal bugbears. That's a hint.

Trust centers. Trust centers, and regulatory platforms are all over. Like, this is a booming industry. Lots of new companies, lots of existing companies pivoting who are kind of in the space, who all of the sudden, maybe they didn't have a GRC offering, but they were close enough now they do. Or maybe they had a GRC, but they didn't have a Trust Center and now they do. Just everywhere. People I'd never heard of, and I actually follow this space because I care. Because I'm in charge of compliance. And it's just blowing up. And it makes sense, because two years ago, nobody in the world had a Trust Center. One year ago, it was real forward thinkers. And now it's like, if, if you're not getting one of these things, you're in for trouble. And so if you want to talk about a market that's just blossomed so fast with all of this focus on supply chain, auditing, and all of this focus on security questionnaires, and all of the stuff that I can't help getting on here and ranting about, then, it's not surprising to me to see a lot of industry action behind this particular category.

Jason SorokoI'm really happy to see that. One of the things we're gonna be talking about later on in the sessions is going to be about Cybersecurity Framework 2.0, and the push towards governance, and especially within the space that the audience of this podcast are interested in. And so I think that that's a piece of it. It's the people from up on high coming down to the trenches, and people who live in the trenches and actually get the work done elevating themselves up to compliance and governance.

And this is what CSF 2.0 is really calling for and this is a piece of it. So to me, it's interesting how nobody called for it. There was no formality but it's coming together. That’s a positive thing.

Tim CallanAnd I mean, we all know why it's coming together. Like this has turned out to be a very scary attack vector. So I know why institutions do what they do in terms of the security questionnaires. I just hate that they do it so badly and I think a Trust Center, or just more generally, a GRC Industry has the opportunity to help with that and give people a better sense and a better framework for how to do this well.

Jason SorokoThat's actual substance coming out of RSA, Tim. I'm happy to hear some of these things.

Tim CallanSo the third one, and this one surprised me a lot, Jay, is there are a bunch of new offerings and new players in the MFA space.

Jason SorokoWe need more MFA?

Tim CallanHow about that? Well, I think we need better MFA. So if you look at these things, the theme is, hey, current MFA isn't working. It's not working for your users. It's not working for your IT departments, and it doesn't really defeat the attacks and we've got a new approach that we contend is going to do these things. Now is it going to or not that will be proven out over time. But I was interested in the number of either vendors or product offerings and existing vendors that were focused on a new approach to MFA. And it was, again, that kind of theme. Like, hey, existing MFA solutions aren't very good. We got a better one.

Jason SorokoInteresting. So for people who haven't listened to our back catalogue - -

Tim CallanWe hate MFA.

Jason SorokoSo with a passion, actually. We've had at least I think my last count was 11 or 12 podcasts on here's 11 different ways we hate it. I think now, what you're saying is we've got to maybe do a 12th.

Tim CallanI think that's interesting. We should track if there's any there there. If there's any substance, if this is a real revolution of the space, if they're really solving some of the problems?

Jason SorokoThis is important, Tim, because as a pragmatist reality based person, passwords aren't going anywhere. So we need something. And so what is that something? I hope it's something better than what's out there right now.

Tim CallanWell, again, there's people who are betting their dollars and their sweat equity on the fact that it is, so it’ll be interesting to see how that plays out. I think what's keep an eye on that.

Another one that I saw a lot more of than I'm used to seeing is security training and awareness. Which it's not a new problem. We all understand that the big pile of cells that sits in front of the keyboard is always the weak link. We all know that. And it still is. But it feels to me like we're seeing more effort on commercializing security training than we have in the past.

Jason SorokoSo is there innovation?

Tim CallanI don't think so. I think it's just try to put together better quant content. It's one thing is security training. I mean, they're awful and it feels to me like there's a bit of a recognition in the industry that good content might actually have a consequence. I think what it is, I think it's a reflection of a slight change in attitude that matters on the part of the buyers, of the people who have to do this training, which is, this isn't a compliance requirement tick a box. This is a authentically prevent my people from being owned.

So now success is measured in a different way. Success isn't measured in terms of 100% of employees sat through 17 minutes and answered three questions correctly.

Jason SorokoThe real outcome.

Tim CallanSuddenly success is nobody used a phishing attack to get a back door. With that defining success a different way, now, you have a different approach to the problem. It's things like, make the quality good, make it engaging, make people actually sit and pay attention to it, make them actually learn, help them learn, as opposed to be able to prove that I put someone through a training so that if I get sued, I don't lose. I think that's a bit of a change in focus in the people who buy this stuff.

Jason SorokoYou know what, we haven't podcast enough on that topic. And let me give you the hot take. I'll share it with you now. If you put stronger locks on the doors that aren't as easily socially engineered, in other words, don't blame the human. Use better tech because better authentication technology exists. It does, folks. What I mean better, I mean better in that it is much less likely or impossible to be socially engineered. The credential and the privilege into someone else's hands.

Tim CallanThat's basically the take I was going to have, which is, by all means let's train. Like let's do that. And let's try to make our people as enabled as we can in this regard. But it's foolish to think that you're going to solve this problem with training.

Jason SorokoNet new applications should be using passwordless technology of some kind. I don't care which. Take passwords out of the story. I don't have a gripe with MFA. MFA is always a better idea when you're forced to use passwords. But if you're not forced to use passwords, but you do, and you gloss it over with training, you've made a mistake.

Tim CallanThat I'll buy. Number five. Again, this is my impression, but I feel like there was a level of focus, specifically bespoke focus, on API protection that was beyond what I'm used to seeing at RSA. Like again, a lot of vendors or products that are very specifically saying, we are going to protect your APIs.

Jason SorokoYou're telling me, Tim, that workloads are going to the cloud. And microservices architecture is real?

Tim CallanAnd therefore, you see an industry, a cottage industry coming up around that, that says, okay, this is a different, unique use case with different risks, with different needs, and we can make a product that is specifically focused on that.

Jason SorokoThis is very important.

Tim CallanThat makes sense, right?

Jason SorokoI'm glad to hear that. You know, what I'm hearing Tim, RSA is back and every single subject you've just covered has legitimacy. So this is a big change from some years.

Tim CallanI agree. I think it's all legitimate. You and I kind of laugh about the fluff, and a few years ago, we were laughing about how everything was Zero Trust. I think that's a good observation, Jay, is I felt like the buzzy stuff this year was deserved.

Number six. Another thing, again, I feel like there's more of is specific focus on visibility, dashboards, analytics, visibility products that were not a dashboard - - Like you get a lot of, I do something for you and I'm going to give you a dashboard and reporting. But these are almost like the security equivalent of Domo. Like, I'm going to give you a BI tool for security.

Jason SorokoI got it. So Tim, isn't that interesting? Like the pillars of CLM. The pillars of Certificate Lifecycle Management is when you and when we were first putting that out, visibility was literally like the crown on top. And we were calling that out an awfully long time ago. I think the rest of the security industry is now catching up to that. CLM had to be there first. I don't think you can do any form of security without knowing what you have.

Tim CallanKnowing is hard. I mean, and if you think about it, so much of what the bad guys are about is staying under the radar. Like I just talked to a journalist the other day who was asking me, why would intruders mess with logs? I said, so you don't know they're there. That's why. Because they don't want you to know they're there.

Jason SorokoYou see the footsteps? Well, that's called getting rid of the footsteps.

Tim CallanJust erase the footsteps. Exactly. So much of it is about knowledge. Like if you had pure absolute visibility on your network - and if we think about some of these really famous breaches, where people got in and sat there and lived off the land, and laterally moved around, and it took them 100 days to get their target but eventually they did, and, you have to imagine that a sufficiently capable visibility platform would badly impair or completely defeat that kind of attack.

Jason SorokoThere's so much to be said about that. I could go on for several podcasts on that topic. Every Verizon report, every Mandiant report says exactly the same thing. It's solved by visibility. Certificate Lifecycle Management is all about visibility. You cannot do governance without visibility. And unless you know what your crown jewels are, you're not doing security.

Tim CallanSo I think it's interesting to see these principles that are hard to debate, hard to argue with, manifesting themselves, again, and people putting their dollars and their sweat equity behind these bets.

Jason SorokoThere you go. There you go. Our sweat equity isn't Certificate Lifecycle Management. Visibility is literally, we define the crown of what we do. So thanks for catching up everybody.

Tim CallanThen last one on my list, and again, you can probably predict this one, based on the fact that it's something that you and I like to talk about a lot. Post-quantum cryptography. So last year, there were four speeches in the conference at all, that had the word quantum in them, one of which was given by me.

This year, I didn't talk about that. I talked about shortening certificate lifespans, so I wasn't on the list. but even without that, there were a total of nine speeches. On the topic of quantum. There are a lot of vendors on the floor. I think most of the vendors that are on the floor were there last year, but they all came back and there were one or two more that I was familiar with that were players in the space that are were booths now. Wherein previously they haven't been.

Jason SorokoSo you're telling me it's a little over 10% of the talks were PQC. I'm thinking next year, it might be a quarter. There you go. There's a prediction.

Tim CallanWe've talked about this. I still think that 2023 was the year that the technology industry woke up to PQC. And I think that 2024 we are watching the enterprise wake up to PQC and we're seeing it just in terms of conferences. I just got back from the ETSI PQC conference, and, 250-ish delegates there. Most of them from enterprises. I don't think you could have done that a year ago.

Jason SorokoNo. So we've done, Tim, I believe we're now at about 40 podcasts on the topic of PQC.

Tim CallanProbably ballpark.

Jason SorokoI don't know anybody else who's covered it as extensively as us. And that's not me tooting the horn as much as it is saying that I think that we've watched it grow up to the point which it’s at right now and if you followed us, you understand where we are at right now and it's getting to be at a critical point. Just a thought out of me. I don't know if it’s an interesting thought or not but it's almost like it's a bit of a boiling frog situation where the temperature was low for an awfully long time in the pot and now it's being ratcheted up and I'm not sure everybody's feeling it yet. But I think by next year, you're boiling that frog.

Tim CallanI think what you're saying is exactly right, which is that it's going to get to the point where if you're not dealing with this, you're going to look irresponsible. Where C-level people are going to start going to their staff and saying, I need to be briefed on this. Where CISOs and CIOs are going to need to go to their Boards, and they're CEOs and their e-staff teams and say, look, this is a threat and here's our plan. And if you don't do it, you're going to be a Luddite.

Jason SorokoWhat you just said might be the most important point and thank you for making it. CEOs, this is a top down risk problem. I would not wait for your people in the trenches to be demanding action on PQC. This needs to be top down driven. Therefore, I've asked our own CEO to be able to go off and start making those communications and we're going to start making noise at that level. CEO to CEO level. I think that that's important in this industry. So good on everybody who's talking about it at every level, but I think it's gotta be top down. I'm glad you mentioned that.

Tim CallanSo that's my big seven. And I will echo what you said, Jay, which is, I think, as opposed to in previous years, where some of this we kind of laugh a little - -

Jason SorokoThere’s nothing to laugh at here.

Tim CallanEverything here feels very substantial to me. And worthy and good.

Jason SorokoIt sounds like that's also a trend that's gonna go into next year. That's what I'm feeling right now. But yet to be seen.

Tim CallanWe’ll see. So, we'll have our wrap it up next year and we’ll see if it's different but that's certainly what I observed at RSA.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!