Last updated at Mon, 28 Oct 2019 17:15:21 GMT

The memory is a fickle beast. Perhaps this past RSA Conference was my 14th, or my 8th, or 7th…hmmm, they often run together. In truth this Conference has become such an ingrained part of my life that my wife often jokes about becoming a “RSA Widow” the week of the conference, and then dealing with my “RSAFLU” the next week. Well this year was different team, this year SHE got sick upon my return, along with two of the kids. Oh karma, that was just deserved. And while the fridge is now full of Tamiflu, the thoughts of RSA have been locked up in a very full brain.

Much like a house filled with feverish deep coughs, the RSA Conference was also brimming with deafening noise. It was as if the Moscone decided to pipe in a sound machine, one that shouted intermittently at you:

“User Behavior Analytics”

“machine data analytics”

“Turbocharge your SOC”

“The perimeter is dead”

“The perimeter is alive”

“SIEM is dead”

“SIEM is alive”

“SIEM integration IDR powered by analytics and machine learning”

Listen, after nearly two decades doing security marketing my empathy engine is high for what we are all facing right now, it's hard to break through the noise. Although the security marketing community often rests on their laurels (more in a future post) they are working very hard to provide the folks walking that floor with knowledge, not simply about the latest product, but research that can fuel their program, use cases to tailor their teams, and of course MatchBox cars to take home to their children (won my vote for best give-away).

That was certainly true with the Rapid7 presence, but first a bit of industry perspective.

Where Security Is Going in 2016

The amount of opinions circulating the floor of RSA on the direction of security is as abundant and colorful as the buses that routinely just missed running me over each morning during my walk from Fisherman's Wharf to the Moscone. Talking to the analyst community however you do sense some prevailing themes. Some of which seemed to percolate after leaving the show floor.

Meeting with folks from Gartner, Forrester, IDC, Frost & Sullivan and even the team at the Center for Internet Security (CIS) a few common themes rose to the top:

Behavioral analytics will drive iterative intelligence

This is not a new theme per se, certainly not for us having been a leader in user behavior analytics for a few years, but there is more emphasis. You have all this data now at your fingertips; the real challenge is figuring out what one of my old colleagues would call the ‘right data right’ methodology, and doing it in a way where your security team doesn't need to actually be doing that data munging to get results.

Not much on IOT

Going into RSA, if you could bet on such things, I would have guessed this to be the biggest buzzword. Fortunately it wasn't, mainly because teams are still trying to digest things like IDR and EDR…they don't need another acronym just yet. Sure this is a sexy story and we have some awesome research in this realm, but businesses are still focused on implementing a true IR program.

Identity is the new perimeter

A constant theme through many demos and sessions was the fact that identity is now the new perimeter. Hmmmm, sounds familiar. Oh right, it is familiar, just coming up time and again because of the bifurcation of entry points.

Policy drives business

One of the great aspects of RSA growing is the number of folks coming in from overseas. When you speak to the companies doing business mainly in the EU, one topic came up time and time again: The upcoming GDPR (EU) privacy policy that will dramatically impact all of our businesses. Heads up, there is a two-year grace period upon enactment, but it's time to focus on how you will comply.

Does this sh*t work…for me?

After the event Anton Chuvakin had a great post with his musings around the conference, and I'll just use his exact words from the beginning of his post:

A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream. They can only be utilized by people with large, experienced teams that already operate a lot of security products, even if the vendor is subtly inclined to make the opposite impression. This is fine, of course, but where does it leave the rest of the organizations? In “firewalls SSL [ AV]” world?

Very, very few of the vendors seem to be bothered to think of “Does this shit work and is it cost effective?!!”, especially compared to all the other stuff you can buy.

In my mind this hits on a lot of the SIEM talk over the recent months. It's NOT about whether SIEM is dead or not, and if that is the way you are messaging, you aren't listening to your customers. What it is about is providing companies with what they are asking for, and that's not only the traditional log search and compliance capabilities of a SIEM, but also the incident detection & response that should come from the ability to analyze that data (and more). My colleague Matt hit on this eloquently last year in his post "Whether or not SIEM Died, The Problems Remain".

More folks have been sharing their thoughts as they emerge from the RSAFLU, so list yours or your favorite in the comments.


Finally, what were we up to at RSA?

This was my inaugural journey with the Rapid7 team at RSA, and it was a doozy. Not only were we showing off our InsightIDR solution for incident detection and response, but we of course had demos of Nexpose, Metasploit, and AppSpider. Our journey as a business is at an exciting moment as we see our products and our Insight Platform providing companies with solutions that come together to bring them confidence and control: they not only can see the vulns and detect the incidents, but take complete action to move the needle of risk and exposure.

Our team was not only slinging research, demos, and even a customer use case in the booth, we were also speaking on stage throughout the event:


  • Magen Wu, Hackers Hiring Hackers—How to Do Things Better
  • Tod Beardsley, Makers vs. Breaker: On Exploit Development and Software Engineering
  • Rebekah Brown, What Has Your Threat Intelligence Done For You Lately?*
  • Jen Ellis, Security Thunderdome Debate! Tough Topics Edition

BSides San Francisco

  • Matthew Hathaway, Reverse Engineering the Wetware: Understanding Human Behavior to Improve Information Security

CERT Vendor Conference

  • Jen Ellis, Security Researcher Perspectives

And some of those same people found the time to get themselves on television, sly @TodB.

And no Rapid7@RSA recap could be complete without mentioning our annual RSA party. For years I've attended as a guest, and it was once again a fantastic gathering of our friends in this community, not to mention a surprise appearance from old school rap greats “The Sugar Hill Gang”. Leaving you with a photo from that great night, and let us know your thoughts on RSA overall.