The WhiteHat Security team has just returned from another successful RSA Conference in San Francisco. Focused on ‘the human element’ of cybersecurity, the intangible characteristics people possess that machines and artificial intelligence (AI) never could, the show provided plenty of insights into what technologies and trends we’ll see increase in popularity in the coming year.
Our booth in the South Hall of the famous Moscone Center was centered around ‘empowering the world to build secure applications.’ We were accompanied by our global parent company NTT Ltd. to help educate companies on building cybersecurity into the software development lifecycle without slowing down developers–aiding them in meeting deadlines quickly and securely. We offer both AI/machine learning-driven and human-centric application vulnerability verification, so the theme of the show was extremely relatable for our team and our customers.
In between my time at the booth, I wandered the floor talking to smaller vendors, to get a feel for what threats are most prevalent in 2020—and how newcomers on the scene are addressing them.
While a seemingly endless number of booths had extremely unclear branding, I did notice some consistent patterns among the security vendors that braved the show. Here are some of my key observations:
Companies, small and large, are weaving the term ‘threat intelligence,’ the analysis of cyberthreats targeting businesses, into their products and marketing. While I doubt every single offering is mature enough to be considered true threat intelligence, it’s positive to see that more cybersecurity offerings are diving more deeply into the cyberattacks and cybercriminal groups targeting their customers—rather than just detecting the issues.
Key and Identity Management
This is one of the major ‘buzz phrases’ I saw, with a focus on identifying and authenticating user access—although, I can’t understand why. I don’t see the new value offered by these up-and-coming companies over existing solutions. While credential-based attacks will always be a prominent issue, these new companies seem to be less about innovation and more about optimizing and tweaking existing technology.
WAF/Hardware Solutions Nonexistent in the Smaller Vendors
Two trends that used to be all over the show floor, web application firewalls (WAFs) and hardware solutions, have apparently been left to the big guys to handle. Smaller emerging vendors seem to be more focused on software and license-based solutions, as opposed to those tied to hardware, and the WAF market is still being dominated by big names like Imperva, Barracuda, Fortinet and Citrix. It seems as though the new kids on the scene are looking for less crowded, niche markets to enter and are just letting the more established WAF brands get on with it.
Cloud and Cloud Configuration Security
Following a year of cloud-related breaches at big names such as Capital One and Autoclerk, I observed more products focused on cloud security and cloud configuration security than ever before. It’s unclear if every approach will withstand the test of time. I predict that 2-3 will prevail in the next few years and become the de facto standards.
Increase in Compliance, Metrics and Third-/Fourth-party Security Software
The security industry has learned its lesson about third-party security risks in the past decade, following massive incidents at Target in 2013, Lifelock, Ticketmaster and TCM Bank in 2018, and many more. And it’s steadily answered this call with compliance, metrics and third-party-centric security software offerings. But a new term on the scene this year was ‘fourth-party’ security…meaning that you need to secure your third parties’ third parties. It will be interesting to see how vendors handle this complex challenge in their security software offerings going forward.
Training and e-Learning
More vendor booths were offering training and e-learning opportunities than in the past. While I don’t know how unique these programs are compared to those of yesteryear, this likely implies that demand for additional educational opportunities are in high demand, but the market is still trying to determine how best to deliver them. But if they’re low or no cost, why not try them? Security professionals should always be looking to stay up to date on threats and the newest techniques to combat them.
These observations barely scratch the surface of the show, but I’ll be watching these concepts closely. With RSA Conference 2021 already less than a year away, I look forward to seeing which of these truly take off and where we’ll be in just 11 months. In the meantime, we’ll continue fighting the application security fight across the globe and cheer our fellow security professionals on.