Almost 20 years later I’m in San Francisco again, immersed in the artificial atmosphere of the Moscone Center at RSA Conference 2016.
For the first day I’ve chosen a set of introductory talks, the Security Basics track, to get a feel for it and start from the beginning. The first speaker confirms it is the right choice.
I take a quick look at the audience before the speaker begins. The majority of participants are young people, as I expected, but there are also many grey heads. I’m not alone after all. A few women are scattered throughout the packed auditorium, one in seven, more or less. We still have a diversity problem in our profession, unfortunately.
The main takeaway from the first two days of the conference is that our sector is on the verge of a paradigm shift: from prevention to detection and neutralization. The security industry has finally realized that it is virtually impossible to stop a determined attacker. After all, the attacker attacks a single point, while the defenders defend a multi-dimensional surface. At the same time, new technology, mainly A.I. and big data analytics, provides the opportunity to build intelligence into the system, so it can learn what the normal state should be and how to detect and react to new, previously unforeseen threats. Hadi Nahari calls it dynamic security.
For example, you can have networks that understand they are under a DDoS attack and automatically, or semi-automatically, deploy mitigation procedures on the appropriate machines to contain the threat. Or systems that, on detecting suspicious behavior from another machine, withdraw the trust they previously placed in that specific network resource.
From this perspective the cybersecurity subsystem in a network will look a lot like the immune system of a living, biological being. It will also be a hybrid system, where fully automated procedures support the work of the human beings who make the most complex decisions. At least until the human work is understood well enough to be replaced by a machine learning algorithm.
The second strong impression is that the industry and the US government, while still mercilessly fighting each other, are looking for a concerted exit from the post-Snowden era.
Finally, the last impression is how easy it is to subvert even the most stable and apparently secure systems. Stephen Sims hacked Skype simply by placing an aptly named DLL in an appropriate directory. Microsoft fixed the vulnerability he used in the February update. David Dewey brute-forced the CVV of a real credit card and registered the card on Apple Pay. And this closed the circle. Complete prevention is an impossible task. To prevail, the good guys have to deploy detection and mitigation systems.
The quest for cybersecurity is far from over. The good news is that innovative companies that dare to think differently will undoubtedly break established paradigms and change the game forever.