RSA Conference 2017 takeaways for managed security service providers
The 26th annual RSA Conference wrapped up earlier this month in San Francisco on the heels of an increasingly difficult year in cybersecurity. As evidenced by the record 43,000+ conference attendees, 550+ exhibitors, and 500+ sessions, security is the hot topic in almost every market sector and business segment.
As noted in the conference keynote, we are now living in a world with an increasing population that is never offline but rarely considers the security implications of their actions. Cybersecurity threats have reached a new level, with attacks becoming much more ruthless in the past year and the number of qualified people to address these threats is unfortunately quite limited.
The general outlook of most of the attendees, security vendors and speakers was that the cybersecurity sector is in the midst of extreme change and few are confident about what lies ahead. This air of uncertainty was especially true when it came to discussions about managed security services (MSS).
The 451 Take
The 2017 RSA Conference covered the newest developments in cybersecurity, ranging from the latest in cybercrime trends and data breaches to big data, automation and analytics. However, the messages were often overshadowed by a sense of uncertainty from many of the attendees. Cybersecurity continues to be a difficult endeavor, with most organizations struggling with ransomware, a significant skills shortage and a proliferation of Internet of Things (IoT) devices that must be secured. Many organizations are looking for help with their security efforts, providing a seemingly ideal scenario for managed security service providers (MSSPs). However, most providers are struggling to offer managed services that can scale and adapt to an ever-changing threat landscape.
Although not specific to MSSPs, there were several themes that were common throughout the conference that are worth noting for vendors and providers in the space – particularly the implications of IoT, the rise of ransomware, the security skills shortage, and security intelligence and analytics capabilities.
The Internet of Things
It is clear that there is no single 'magic' solution to securing the growing number of internet-enabled devices. The security of these devices can often be less than comprehensive, leading to an ever-increasing attack surface that needs to be defended. While many conference vendors (such as Sensify, Symantec, Hewlett Packard Enterprise and Arbor Networks) offered potential solutions to this problem, the non-technical discussions around IoT were often far more creative. Many of the conference attendees believed there should be government involvement in the way of new regulations regarding IoT security and/or requiring the creators of such systems to be licensed or certified. The firmly held belief for many is that the manufacturers and vendors of IoT systems have little incentive to incorporate higher levels of security into their products, while an industry-standard security baseline and testing approach should be required before releasing such systems to the general market.
While government regulation may lead vendors to be compliant rather than secure, the idea of licensing vendors or requiring testing of IoT system is provocative. This concept is similar to having a licensed contractor construct a building and having an inspector review the work to ensure it meets local building code requirements. To date, while vendors have been very quick to enable and release to market a large volume of internet-enabled devices, they have been slow to address most of the security concerns inherent with these devices. And while we are still in the emerging stage of IoT, creating and deploying such devices with no constraints, regulations or code of conduct is only going to make the problem worse later. It will be interesting to see how this unfolds, and expect reports on any progress we see.
Ransomware – the criminal method of locking or encrypting files and demanding ransom – is big business, and the threat appears to be getting worse as the stakes get higher. One conference speaker reported that there are over 150 families of crypto-ransomware in the wild and this number is continuing to grow. SonicWALL reported that the number of ransomware instances it monitored grew from 3.8 million in 2015 to 638 million in 2016.
The growth of ransomware as a service (RaaS) is facilitating all levels of attackers, from established hacker experts to hacker novices and non-technical criminals, in plying their trade. In addition, there are signs that ransomware is evolving from primarily targeting data to targeting physical devices and systems – such as industrial control systems, payment systems, and smart home devices. If successful, it could potentially result in something as inconvenient as being locked in your self-driving car and not being able get out until you pay a ransom, to utility companies for entire towns being locked down and held hostage.
Firms such as Webroot, Sophos, Carbon Black, Symantec, Kaspersky, BitDefender, Cisco and Zscaler were just a few of the many exhibitors and vendors at the conference that offered tools and services to combat ransomware with a variety of different approaches. With businesses of all types struggling with ransomware protection and recovery, MSSPs have a tremendous opportunity to provide valuable services to address this ongoing problem.
The security expertise shortage
Security and privacy professionals are in increasingly high demand, but the security expertise skills shortage is creating a serious challenge for most organizations. Several conference speakers spoke about their experiences with enterprises taking more than six months to fill security vacancies, with less than a quarter of applicants qualified for the job openings. Cybersecurity is evolving so quickly that the skills needed cannot be taught and acquired fast enough to keep pace with demand. Tripwire, a security software company, stated at the conference that only 10% of organizations have the technology and people skills in place to properly address and prevent the most prevalent types of security attacks. While the skills shortage is also affecting MSSPs, it is also resulting in increased opportunities as enterprises look to MSSPs for help to fill the gaps left by the talent shortage.
Security intelligence and analytics
Intelligence and analytics were some of the key buzzwords at the RSA conference this year, with most every exhibitor touting some type of intelligence or analytics capability in their products and services. Behavior analytics, threat intelligence, security intelligence, response intelligence, intent analytics, predictive analytics, defense intelligence, fraud intelligence and risk intelligence were some of the most common. Marketing terms aside, breakthroughs in machine learning and artificial intelligence – both using big data – are occurring in this space, but we will have to wait to see their full applicability and usability potential. MSSPs that can leverage security intelligence and analytics while contextualizing the outputs will provide a valuable service for their customers.
Managed security services
The term 'managed' and the phrase 'managed security services' were curiously absent from the show floor. Some vendors were unclear about their understanding of the terms, while one believed the phrase to be outdated. However, it appears several vendors at the conference offer some type of managed service for their products, although in many cases the managed service offered is basic, providing only a limited scope of coverage and support.
There are a few potential reasons for the downplay of MSS. It was evident that few vendors have fully established their managed services organizations and were not yet at a point to be able to grow and scale their offerings quickly. As a result, many may be reluctant to push their managed security offerings. The ability to provide adequate staffing in the midst of the current skills shortage may also be a contributing factor in minimizing marketing efforts around MSS. At the same time, several vendors – including NTT Security, CenturyLink, IBM and TrustWave – demonstrated robust and mature managed security service offerings, compared with most, and planned to grow aggressively in this space.
A number of the vendors we talked with at the conference are still largely focused on products and have not approached managed services (yet). A portion of these vendors state they do not have any plans to offer managed services, but are developing their products to be used by MSSPs – with features such as multi-tenancy, metered/monthly billing and APIs. Other product-focused vendors are still fairly immature and have managed services on their future roadmap but no offerings in their portfolio at this time. And a few have not considered MSS in any form to date.
The RSA Conference confirmed that the MSS space is still in its early stages with rapid growth potential for those that enter the sector. For most organizations, security remains a top priority and budgets are growing, but companies across the board remain overwhelmed and not capable of keeping on top of the rapid changes in threats to their organizations. As a result, cybersecurity is an ideal discipline to use the managed services model and many MSSPs are rushing to find the right formula for success in this space.