An IT Manager’s (Re)View of the RSA Conference
Complementing the higher-level discussions in the keynote and sessions, numerous vendors introduced IT security products and services at last week's RSA Conference.
It is no secret that modern applications and infrastructures are hard to secure. The wide-scale embrace of artificial intelligence (AI) offers both opportunities to make matters worse (because of the new infrastructure it requires) and the potential to improve the situation. That is an IT-centric takeaway from last week’s RSA Conference in San Francisco. Specifically, keynote speeches, multiple sessions, and numerous vendor product introductions at the conference addressed these issues.
So, what exactly is the problem? The move from monolithic, on-premises apps and networks to today’s distributed, microservices-based apps running in data centers and on multiple public and private clouds has increased the number and types of vulnerabilities and given malicious actors more conduits to attack enterprises.
Those points were raised in the “Securing Modern Applications” keynote address by Boaz Gelbord, Senior Vice President and Chief Security Officer at Akamai. He noted that the modern enterprise is complex and runs more than 1,061 apps on average.
“We rely on applications to run our world, but they have also introduced vulnerabilities that multiply as we become more connected,” said Gelbord. “Further, the rise of APIs, bots, and new DDoS tactics creates a difficult landscape.”
He used Akamai as an example to put the scope of change into perspective. “We see about 11 trillion DNS queries daily,” said Gelbord. He noted that the large number of daily queries makes sense when you consider there are billions of people around the world constantly connecting to applications and each other. From a security standpoint, “one of the interesting things when we analyze this traffic is that we can see that for many organizations, the amount of traffic going to illegitimate sites can exceed what goes to legitimate sites.” So, on a day-to-day basis, many users are clicking links that take them to malicious sites.
Additionally, he noted attackers are focusing on the web as an avenue into organizations. To that point, Akamai is seeing a 48% increase year-on-year in web attacks. Twenty-nine percent of those attacks are API attacks (representing a 109% year-on-year increase in API attacks). Defending against these attacks is challenging because many organizations do not even know what APIs they are using. It's also harder to secure APIs because the logic of an API is often much more complex than that of a web application.
With that being the case, he emphasized the need for organizations to adapt their security strategies to the new challenges. Increasingly, that means focusing on better managing vulnerabilities, making more use of risk analysis, and adopting Zero Trust methodologies to prevent and contain security problems.
Security issues with distributed apps and microservices
Most modern applications are based on microservices and containers. Traditional security solutions and strategies have not kept pace with evolving threats in these areas. That was the focus of “Kubernetes Security: Attacking and Defending Modern Infrastructure,” a session by Lenin Alevski Huerta Arias, a security engineer at Google, and Maximillian von Blankenburg, a security researcher at Semgrep.
They suggested that IT and security teams get to know the Open Worldwide Application Security Project (OWASP) Top Ten Kubernetes Risks list to become familiar with the main threats organizations must deal with. (OWASP is a nonprofit foundation that works to improve software security.) The most common attack techniques include obtaining access via compromised cloud credentials, application vulnerabilities, sidecar injections, and exposed sensitive interfaces. (There are those APIs again.)
The speakers then discussed some mitigation techniques and best practices for securing Kubernetes, including enforcing container restrictions, enhancing network policies, and using encryption, access control, and hardening control plane components.
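As an added illustration of the "container restrictions" item above (this is example code, not from the session, OWASP, or either speaker): a small checker that evaluates a Pod manifest against a rule set of typical securityContext and Pod-level restrictions. The rule set and both sample manifests are constructed assumptions for the example.

```python
"""Added example: check a Pod manifest against common container restrictions.
The rules and both manifests are constructed, not the session's own material."""

# Constructed sample: a permissive Pod that should fail the checks.
WEAK_POD: dict = {
    "metadata": {"name": "web"},
    "spec": {"hostNetwork": True, "containers": [
        {"name": "app", "image": "example/app:latest",
         "securityContext": {"privileged": True}}]},
}

# Constructed sample: the same Pod with the restrictions applied.
HARDENED_POD: dict = {
    "metadata": {"name": "web"},
    "spec": {"automountServiceAccountToken": False, "containers": [
        {"name": "app", "image": "example/app:1.4.2",
         "securityContext": {
             "runAsNonRoot": True, "privileged": False,
             "allowPrivilegeEscalation": False,
             "readOnlyRootFilesystem": True,
             "capabilities": {"drop": ["ALL"]}}}]},
}


def check_pod(pod: dict) -> list:
    """Return findings for a Pod manifest; an empty list means it passes."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    # Pod level: shared host namespaces and auto-mounted tokens widen the blast radius.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")
    # Container level: the securityContext restrictions; absent keys count as failures.
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name', '?')}"
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities not dropped with drop: [ALL]")
    return findings
```

Running `check_pod` over the two manifests shows the weak Pod failing every rule and the hardened one passing cleanly; an admission controller or CI step would apply the same logic to real manifests.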
How AI can hurt and help
As noted above, AI is a double-edged sword when it comes to cybersecurity. That point was expanded on in the session “The Time is Now: Redefining Security in the Age of AI.”
In the session, Jeetu Patel, Executive Vice President and General Manager, Security at Cisco, talked about how AI is fundamentally altering infrastructure and security threats. “The ability for us to augment human capacity [with AI] is going to be so profound and grow at such different scale proportions of what we've seen before,” said Patel. “Suppose you had 20 developers on your team, expanding that capacity to a hundred through digital workers is not going to be hard to do and is going to be very plausible. If you have 40 customer service reps, you can expand the capacity to 250.”
He went on to note that in the future, when a person joins a company, they might be assigned eight or ten virtual assistants, including a personal assistant, an HR assistant, a coach, some kind of healthcare assistant, a financial planner of some sort, and more. “What this is going to do is it's going to make this world of 8 billion people feel like it's got the capacity and throughput of 80 billion people.”
To support (and run) these AI assistants, data centers and the underlying infrastructure will need to be fundamentally reimagined to accommodate these additional AI workloads and digital workers.
That introduces new security issues. “With this application and infrastructure change, there's a couple of things that still remain very hard,” he said. Namely, securing the applications and infrastructure is becoming harder than it already is.
He sees three technologies helping: AI, kernel-level visibility, and hardware acceleration. AI needs to be used natively for defense in an organization’s core infrastructure. Cisco and others have already started doing this with AI-assisted offerings that address complexity and transform network management and monitoring.
The second area, kernel-level visibility, is important because “you cannot protect what you don't have visibility against,” he said. He believes this is an area where eBPF is going to be a critical technology. (eBPF is a technology that can run programs in a privileged context such as the operating system kernel.) It allows organizations to look into the server and the operating system and see what is happening.
With respect to hardware acceleration, he sees things like DPUs (data processing units) delivering massive acceleration for security operations and I/O operations. With DPUs, connection management and encryption can be done a thousand times faster than was possible before.
A final word on RSA from an IT point of view
Complementing the higher-level discussions in the keynote and sessions, numerous vendors introduced IT security products and services with an AI aspect to them. Here is a list of some of the announcements relevant to IT managers (NOTE: This is not intended to be a complete list of all announcements from the conference):
ArmorCode announced the general availability of AI Correlation in its ArmorCode Application Security Posture Management (ASPM) Platform.
Cisco announced a new virtual appliance for its AppDynamics On-Premises application observability offering, enabling users to take advantage of AI-powered intelligence for anomaly detection and root cause analysis, and application security.
Dynatrace announced new Kubernetes Security Posture Management (KSPM) capabilities for its security, configuration, and compliance monitoring platform.
Elastic announced Search AI will replace the traditional SIEM with an AI-driven security analytics solution.
Lumu debuted Lumu Autopilot, a patent-pending technology to help organizations manage security incidents detected by Lumu. The tool monitors, mutes, closes, or escalates security attacks autonomously and in real time.
Mezmo announced new capabilities that help companies understand, optimize, and respond more quickly to their telemetry data.
Riverbed introduced an AI-powered observability platform.
Splunk announced Splunk Asset and Risk Intelligence, a solution designed to help organizations take a more proactive approach to security and risk mitigation.
StarTree announced new observability and anomaly detection capabilities in StarTree Cloud.
Sumo Logic announced new AI and security analytics capabilities in its offering.
Vectra AI announced the integration of Vectra AI Attack Signal Intelligence with CrowdStrike Falcon Next Gen SIEM.
Many of these announcements include the use of AI to improve threat analysis and to help traditional SIEM (security information and event management) systems better understand the flood of alerts, logs, and other data they rely on to safeguard networks and alert security teams to problems in the making.