RSA Conference 2017: A mixed bag of frustration and promise
With over 43,000 attendees, 700 speakers at 500 sessions and more than 550 vendors at RSA, this year's conference was forced to spill out of Moscone North and South into Moscone West, the Marriott Marquis down the street and just about every room available for rent as a meeting venue in the surrounding area. While some vendors appeared to be enjoying the high life afforded by innovating in the security industry, as evidenced by the crowds scrambling around their booths, a disconcerting vibe was also present – the frustrations of enterprises over the continued proliferation of security tools while attacks continue to succeed, a more vocal demand for simplifying security's complexity, and concerns about the sustainability of enterprise security spending in the face of continued successful attacks.
The 451 Take
It seems like the security industry has reached an inflection point, where the market realizes it's been bloated for some time and the weight loss pills aren't working. Vendor pitches now openly decry the complicated nature of security that has long been treated as an aftermarket accessory. It was therefore not surprising that innovations on display this year addressed the complexity and effectiveness of security directly. New approaches to endpoint security that address the gaps of the past were among the most prominent, often featuring integration with machine-learning techniques. So, too, were innovations in authentication and access management that make security more transparent to users and less complicated for network architects. Some of these approaches promise to collapse what have been stacks of technologies needed to connect endpoints securely to trusted networks and applications and protect sensitive data. Although often discussed and much desired, vendor consolidation may never become a reality in security, where the 'arms race' nature of the market seems to promise fertile ground for new entrants. Indeed, 451 Research data presented at our annual RSA breakfast shows information security sustaining its dominance as the top priority for technology M&A. Still, enterprise frustration with a proliferation of security tools and vendors seemed more palpable at RSA this year than in years past, signaling a warning to vendors that contribute to complexity, and opening a door for those that offer tangible improvement.
An undertone of frustration and concern
RSA is nothing if not a parade of hype and excitement about everything positive in the always dynamic world of information security. This year was no exception, but through it all, there was also a palpable sense of frustration on the part of the enterprise, and an equivalent level of concern on the part of investors and vendors.
As we noted at our annual RSA breakfast, information security retained its position as the top priority for M&A in 2016 for the second year in a row. Total deal value in infosec reached a new high of $15bn in 2016 after three consecutive years of growth. But subtract Symantec's $4.65bn Blue Coat buy, and the 2016 total becomes nearly the same as 2015's. Even with Symantec-Blue Coat in the mix, total deal volume in 2016 declined to 2014 numbers.
Heading into 2017, a number of factors have taken their toll on capital availability. In a 451 Research Voice of the Enterprise study of more than 900 respondents surveyed quarterly, our Q4 2016 analysis indicated that half (50.5%) of all respondents expected no change in their infosec spending for the coming 90 days. Nearly all of the other half indicated that they expected spending to increase to greater or lesser degrees – but these proportions have remained effectively constant since late 2015, when those who indicated they would increase spending last saw a significant uptick (approximately 10%).
Compare these factors with growth rates among some of infosec's most visible companies that have declined in the past year, and it's hardly a surprise that a number of vendors are cutting their burn. Many seem to feel that accelerating growth is cost prohibitive, and that the rewards are becoming limited. Those who go back to their investors must often do so at a lower valuation. Taken together, these factors are having a downward impact on valuations and exit prices compared with the recent past.
Among enterprises, frustration with IT security is hardly anything new. Organizations have long puzzled over the peculiar mathematics of security, where spending continues to increase and new techniques for addressing the latest threat continue to multiply the number of vendors – and yet attacks continue to succeed. The profusion of vendors has grown to the point where many enterprises, which can often count their primary suppliers of enterprise database platforms on one hand, number their security vendors into the dozens. The complexity that results has created problems of its own, increasing the potential of attackers to find gaps in defenses and compounding the demand for the hard-to-find expertise required to manage it all.
Key conference themes
It's hardly a surprise that among the most visible manifestations of response to this frustration at RSA this year were techniques that seek to simplify security and deliver needed functionality with a minimum of impact. This trend was evident at Innovation Sandbox, where UnifyID took top honors with an approach that delivers authentication that is largely transparent to users. The company's implicit user authentication technique passively identifies individuals based on their unique characteristics without any action by the user. The product combines the proliferation of sensor devices that people carry with them every day with patented machine-learning techniques to aggregate and analyze data from personal devices, including GPS, accelerometer and gyroscope data. The result is a robust authentication offering that does not require the use of a password or a thumbprint to know an individual is who they claim to be. UnifyID says that its gait analysis alone can achieve 98% accuracy with only a few minutes of data to train the algorithm, and can reach a 99.999% level of accuracy by analyzing over 100 unique user attributes without any action on the part of the user. The appeal of this approach to simplifying one of the most fundamental security capabilities – access control – was evident in the Innovation Sandbox judges' response to UnifyID's presentation: the panel's decision to award UnifyID top honors was unanimous.
This is not the first time, however, that behavioral analysis has been applied to the user authentication problem to eliminate the chronic toothache of passwords. Keyboard usage analysis was introduced over a decade ago, but ran into issues when factors such as hand injuries and their impact on typing style and rhythm inhibited its usefulness. Today's techniques can capitalize on advances in machine learning and cloud scale to combine multiple attributes and deliver rapid response.
Simplifying access to corporate resources was also in view in Google's presentation of its BeyondCorp initiative, in which Googlers Heather Adkins and Rory Ward described Google's years-long initiative to shift the concept of 'trusted' access away from complex network architectures predicated on VPNs and segmentation, to an approach that combines recognition of the user, device attributes and policy in enabling access to specific corporate resources from any network. Initiatives such as these on the part of major players can have a positive impact on the information security industry as a whole. Startups such as Duo Security have responded to Google's initiative with a commercial implementation of the BeyondCorp framework. With successful implementations, others may follow.
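A BeyondCorp-style access decision of the kind described above, as an added illustration that is not Google's or Duo Security's own code: the user, the device's posture and the per-resource policy decide the outcome, while the network the request arrives on is only recorded. The tier labels, posture checks and group names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Device trust tiers, lowest to highest (labels are an assumption for this example).
TIER_ORDER = {"untrusted": 0, "basic": 1, "trusted": 2, "high": 3}

@dataclass
class Device:
    managed: bool            # enrolled in the device inventory
    cert_valid: bool         # presented a valid device certificate
    disk_encrypted: bool
    patch_age_days: int      # days since the OS was last patched

@dataclass
class User:
    name: str
    groups: Set[str]
    mfa_verified: bool       # strong authentication completed this session

@dataclass
class Resource:
    name: str
    allowed_groups: Set[str]
    min_tier: str            # minimum device tier the policy requires

def device_tier(d: Device) -> str:
    """Derive a trust tier from device posture; unknown devices never rise above untrusted."""
    if not (d.managed and d.cert_valid):
        return "untrusted"
    if not d.disk_encrypted:
        return "basic"
    if d.patch_age_days > 30:
        return "trusted"
    return "high"

def decide(user: User, device: Device, resource: Resource, source_network: str) -> Tuple[bool, str]:
    """Access-proxy decision. The source network is kept for the audit trail but grants
    no trust: the same checks apply on the corporate LAN and on a coffee-shop Wi-Fi."""
    if not user.mfa_verified:
        return False, "deny: MFA not verified"
    if not (user.groups & resource.allowed_groups):
        return False, f"deny: {user.name} not authorized for {resource.name}"
    tier = device_tier(device)
    if TIER_ORDER[tier] < TIER_ORDER[resource.min_tier]:
        return False, f"deny: device tier '{tier}' below '{resource.min_tier}' required by {resource.name}"
    return True, f"allow: {user.name} -> {resource.name} via {source_network} (device '{tier}')"
```

A request from an unmanaged laptop plugged into the office network is refused just as it would be from a cafe, which is the property that lets the VPN and segmentation layers be retired.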
Overturning legacy was central to another key theme evident at RSA – an abundance of modern approaches to endpoint security. 451 Research counts over 80 such plays, many of which are characterized by one of the more prevalent overall security trends of recent years, namely the many ways in which machine-learning concepts have been used (and sometimes abused) to improve security. Analysis and recognition of malware and malicious behavior targeting endpoints plays a leading role in today's technologies for detecting and preventing endpoint threats, while the visibility into endpoint compromise offered by many helps enable more effective response.
The space is not without its controversy. Third-party product testing – always a touchy subject – became a particularly heated topic at RSA. Regardless, the changing nature of endpoint security continues to be a dominant focus in infosec. 451 Research mapped this market in late 2015, identifying a number of segments and vendors throughout this dynamic and evolving space. As vendors both new and well-established continue to stake their claims in endpoint security transformation, we expect this frothy market to remain active in 2017.
IoT remains a presence
IoT's impact on security continues to be a dominant topic of discussion at RSA. It was a theme in all of the keynotes, and there were sessions entirely devoted to the challenge of tackling IoT risks, and separate tracks dedicated to medical and industrial IoT security. While it is true that IoT security dominated the conversation at RSA, there were fewer IoT-specific vendors on the show floor than the hype surrounding the topic would suggest. This could be a reflection of the still-early nature of the IoT security market – many of the startups in this space may still be too young to afford a booth at RSA. (Contrast this, however, with the many seen at more startup-friendly venues such as Cybertech 2017 in Tel Aviv, where new plays targeting IoT security were well represented, and where one, APERIO Systems, took top honors in that conference's startup competition.)
Other factors may be weighing on IoT startups. More traditional security ventures often target an exit through acquisition by one of the major strategic IT vendors. In IoT security, who are the acquirers likely to be? Compatibility with industries where a handful of OEMs may dominate may force startups to provide solutions compatible with a specific vendor's technology, and these dominant manufacturers have not exactly been aggressive acquirers of security plays. In 2016 security made up only 3% of the total volume of IoT mergers and acquisitions, according to the 451 Research M&A Knowledge Base. In spaces where security for operational technologies has been present – sometimes for many years, as in SCADA security – activity has sometimes been downright sleepy. These are some of the hurdles new entrants to IoT security must overcome – a scenario that may change as 'smart' endpoints and their supporting technologies become more prevalent, and potentially more inviting targets.
Pessimism may have been unavoidable at this year's RSA, but that's not to say the enterprise necessarily knows how and where it would want to see change. While 'Simplify!' may have become a rallying cry for security practitioners, they often don't seem to have a clear idea how and where they could or would simplify, especially when IT itself remains complex. Moreover, security is notorious for its inability to throw anything away, regardless of open skepticism or downright scoffing at the effectiveness of legacy tools.
It was therefore encouraging to see some tangible examples of how and where some longstanding headaches, such as passwords and networks complicated for the sake of security, could be streamlined. Five years after big data first made a splash at the conference, investment in areas such as machine learning is finally beginning to spread into more than augmenting SIEM. Looking further ahead, we can see trends such as the momentum of cloud computing toward 'serverless' architectures further subsuming the complexity of enterprise datacenter security.
At the other end of the spectrum, however, IoT promises a profusion and variety of 'smart' endpoints unlike anything that has complicated enterprise IT before. As technology marches on and innovation becomes evident among attackers as well as technology providers, there will be no shortage of opportunities in security – and probably no shortage of vendors at RSA Conferences of the future to service them. Now if we can just get people to stop clicking on something shiny, or using 'password1' and writing it on a sticky note.