The Center for Education and Research in Information Assurance and Security (CERIAS)


Initial Thoughts on the RSA 2015 Conference


Once again I have submitted myself to a week of talks, exhibits, walking, meetings, drinking, meetings, and more with 40,000 close associates (with one more day of it tomorrow). It’s the annual RSA conference in San Francisco. I’ve been to about 8, including the last 5.

Prior to starting this entry, I reread my blog post from after the 2014 RSA Conference. Not a lot has changed, at least as far as talks and exhibits. Pretty much everything I wrote last year is still accurate, so you can read that first. There were a few differences, and I’ll describe the prominent ones below.

Once again, I got pulled into meetings and conversations, so I didn’t attend as many of the talks as I really wanted. I caught portions of several, and I was impressed with more this year than last — I sensed less marketing. Thus, kudos to the program committee (and speakers). I am sorry I didn’t get to hear more of the talks. I hope they were recorded for us to view later.

Foremost differences from last year occurred outside the Moscone Center and on the exhibit floor — there was no boycott against RSA about alleged NSA collaboration, and the conference organizers adopted a policy against “booth babes” — yay! I don’t think I need to write about things that weren’t there this year, but I will say a big “thank you” to the RSA Conference team for the latter — it was a very welcome change.

  1. Last year’s big buzz phrase was “threat intelligence” with “big data” coming in second. This year, it was “IoT” with maybe “cloud” as second. I didn’t see much mention of “big data” in the materials or on the booths. There was some use of the term in presentations, however.
  2. Out of 400 booths I really only saw 2 or 3 totally new concepts. All the other products and services on display were either holdovers from prior years, or variations on older ideas.
  3. Many of the booth personnel were more cynical than last year about the conference, the field, their products, etc. This marks an interesting change: in prior years I barely detected cynicism.
  4. There seemed to be a little more international representation than last year — companies originating in other countries (Germany, Japan, China, Sweden, Korea, Taiwan, and Israel are ones I can recall).

I still did not speak in a session (even as a fill-in), it still costs quite a bit to attend, I still didn’t see many academics I knew,  

I saw only 3 products that were devoted to building secure systems — everything else was patching, monitoring, remediation, and training. That continues to be depressing.

It is still the case that there was limited emphasis on, or solutions for, privacy.

Andy Ellis provided me shielding for my badge so I could avoid being scanned onto mailing lists. I told people at most booths, but they tried anyhow. Some would try repeatedly, then tell me they couldn’t scan my badge. Duh! I just told you that! However, in every case, they still gave me a T-shirt or other swag.

Speaking of swag, this year, the top 3 raffle items were drones, GoPro cameras, and iWatches.

A few booths were very aggressive in trying to scan people. It almost felt like desperation. I had to duck and weave (not easy with a cracked rib) to avoid a few of those people and get past their booths. It felt like being in a video game.

This year, more vendors seemed willing to talk about donating their products to our (CERIAS) teaching and research labs. That is really promising, and helps our students a lot. (And, hint — it provides great visibility for the products, so you vendors can still do it!)

So, if I find the conference a little depressing, why do I still go? As I noted last year, besides hearing about trends and getting a stock of T-shirts, it is a great opportunity to see friends and acquaintances I don’t get to see that often otherwise because I have limited time and funds for travel. (And yes, Indiana is at the center of the known universe, but few flights stop here.) I have had some great conversations with these people — thought leaders and deep thinkers across the spectrum of infosec/cyber/etc.

Actually, it occurred to me over drinks that if I wanted to cause maximum disruption, I could have infected these highly-connected people with some awful disease, and within 72 hours they would have infected almost everyone in the field who has some level of clue. Luckily for the world, they only had to put up with my presence for a few minutes or so, each, and that isn’t contagious.

Here’s a partial list of the people I was happy to see (there were more, but this is who I can remember right now — my apologies to anyone I missed; plus, I may see more in the closing session tomorrow): Candy Alexander, Becky Bace, Robert Bigman, Bob Blakely, Josh Corman, Sam Curry, Jack Daniel, Michelle Dennedy, Matt Devost, Whit Diffie, Andy Ellis, Karen Evans, Dickie George, Greg Hoglund, Brian Honan, Alex Hutton, Andrew Jaquith, Toney Jennings, John Johnson, Gene Kim, Brian Krebs, Penny Leavy, Martin Libicki, Rich Marshall, Gary McGraw, Martin McKeay, Carey Nachenberg, Wendy Nather, Davi Ottenheimer, Andy Ozment, Kevin Poulsen, Paul Rosenzweig, Scott Rotondo, Marc Sachs, Howard Schmidt, Bruce Schneier, Corey Schou, Winn Schwartau, Chenxi Wang, Mark Weatherford, Bob West, Ira Winkler, and Amit Yoran.

Yes, I do know a rather eclectic set of people. Their karma must be bad, because they also know me.

Speaking of karma, I’m already planning to go to RSA 2016.


Comments

Posted by Adrian Sanabria
on Thursday, April 23, 2015 at 11:32 PM

Sorry I didn’t get a chance to introduce myself or chat - I saw you several times, but was also caught in a whirlwind of catching up with friends, meetings and vendors.

Could you expand a bit on what you mean by “products devoted to building secure systems”? I’m also looking for some trends from the conference and am interested in how the conference was seen from other eyes.

=========
Spaf sez:

Tools to capture specifications and requirements, model them, test for conflicts and errors.  Tools for program construction and testing.  Etc.  Basically, things to support the whole front end of the software development lifecycle.

Posted by ziggy
on Friday, April 24, 2015 at 11:50 AM

Here at White Cloud Security, we’re equally astonished that so many vendors seem to have thrown in the towel on prevention and have relegated themselves to “detection and remediation”.  No one stops locking their car just because they have OnStar to find it after it’s been stolen.

We’d be more than happy to donate licenses for our Trust Lockdown product for use in your CERIAS labs.  Just let me know who to talk to.

thanks…zig

P.S. I really enjoyed my trip to the “center of the universe” for the ‘99 RAID Conference.

Posted by Alex
on Friday, April 24, 2015 at 12:40 PM

“So, if I find the conference a little depressing, why do I still go? As I noted last year, besides hearing about trends and getting a stock of T-shirts, it is a great opportunity to see friends and acquaintances I don’t get to see that often otherwise because I have limited time and funds for travel. “

^
This.

Posted by Ravi Ithal
on Friday, April 24, 2015 at 04:21 PM

Dear Spaf,
I am one of your former students and co-founder at Netskope. I completely agree that it is disappointing that many security companies have given up on prevention and are focusing on detection and mitigation. This is especially true in the relatively new CASB (Cloud Access Security Broker) space where Netskope serves. However, we realized this early on and built our solution to be able to block threats inline and not just provide an after-the-fact detection.
You probably missed our booth at the conference but you should check us out.

========

Spaf sez:

Great to hear from you, and that you are doing well.

Blocking threats still isn’t building systems that are hardened to begin with.  That is what I was commenting about.

Posted by Angel Lisa
on Sunday, May 17, 2015 at 07:34 AM

Nicely written: “Foremost differences from last year occurred outside the Moscone Center and on the exhibit floor — there was no boycott against RSA about alleged NSA collaboration, and the conference organizers adopted a policy against ‘booth babes’ — yay! I don’t think I need to write about things that weren’t there this year, but I will say a big ‘thank you’ to the RSA Conference team for the latter — it was a very welcome change.” Very informative one.
