RSA 2013 is in the memory banks. The bar at the W is quiet again (until those degenerates from VMWorld infect the place). 2013 went down as a year of data, data, data. How did RSA 2013′s final hours play out?
Well, it was better than a massage in the Tenderloin but worse than a shopping spree in the Castro.
Mobile Security Battle Royale
Last year, the mobile security session with Charlie Miller and Dino Dai Zovi was one of the most popular sessions. The room was packed, the content was compelling, and the insights were extremely valuable. I actually switched to a iPhone based on their advice. My, what difference a year makes. This time, they tried to expand the whole effort with a moderator. They also added two other members, a consultant who recently came from Research-in-Motion (BlackBerry) and a researcher from Northeastern University who clearly has a strong affinity for Android devices.
These additions did nothing to improve this session. Quite frankly, they made it worse. The two new people on the panel contributed very little and the moderator seemed way in over his head. Frankly, this session should be stripped down to just Dino Dai Zovi speaking. He is the bright star in this session and not only has the intelligence to explain security challenges, but also has an real personality.
Mostly, there was no new insights from this session. Android is still the malware platform of choice because people do not patch it. There was no discussion of Windows Mobile or the new Blackberry platforms.
Thursday Keynote: Jane McGonigal, Game Designer / Author
When I read about this keynote in the conference planner, I was intrigued. A game designer who is also a futurist at a security conference? That sounds interesting.
Jane began with a statistic-filled blather about how there are a lot of gamers, who eat up a ton of time playing games. They call this the engagement economy. This transitioned to this idea that if we can engage all these people into something bigger, it could change the world. My skeptical self was beginning to wear thin on her arguments.
Then she went a direction I did not expect and talked about emotions. Specifically, the positive emotions that gamers seek when they play games. That was interesting, although I am not sure “surprise” qualifies as an emotion. Then she steered off into this idea of how games allow people to fail, many times, before they succeed. A level of failure that people would never accept in real life. Okay, you have my attention Jane.
Jane went on to talk about the positive effects games have on sick people. How they can help people solve tough problems and even seed the intelligence for military weapons. Her data was extensive, her points logical, her appeal emotional. It was a sound argument. RSA clearly has got some good rhetoricians behind the scenes.
But what is the point? I left this keynote, like many other RSA presentations, wondering what I was supposed to do with all this data. Yeah, its super cool that gamers can do all these amazing tasks. So what is this all going to do for us? The problem with this presentation is it was all facts and ideas, and no point. In a strange way, the whole presentation was like a game itself. I enjoyed it while it was happening, but once it was over, I quickly forgot about it.
Which is the core problem with games, they are not realty. The problem with gamers is not that they are dumb or unmotivated (although some are), rather, they think the real world is a game. Which it is not. You cannot redo some levels. When you die, your dead forever. There is no respawn. Also, we are not all fantastically attractive elves and warriors. We must take care of ourselves, and, I know it is hard to accept, go to work and be productive.
I do not disagree with Jane that games play an important role in development, learning and recreation. Games can contribute to our intellectual development, but they are not a replacement for reality. The last thing the security community needs is to deny reality. Information security is not a game. It is very real. Criminals hack systems, malware steals data, denial of service harms the economy: these are all very real problems. When the hacker steals all your sensitive data and discloses it to the world, there is no respawn. To quote Private Hudson from Aliens, “It’s game over, man.”
Moreover, this keynote was thematically like a lot of RSA presentations, all data and no conclusion. Again, it is great RSA has steered this direction. However, somebody needs to make a point out of all this data.
Friday Keynote: Hugh Thompson Show and Dr. Condoleezza Rice
I am not going to devote much commentary to the Friday keynotes because they were so unremarkable. There was a boring award to two congressmen, who blathered on about how much they care. Hugh Thompson was up next with his “show” where he interviews people. Hugh is a fixture at RSA and he can be funny and interesting, but his interviews this year were a bit dull. The Oakland Athletics General Manager, Billy Beane was interesting for the sole reason it was not about security and he is a pretty likable guy. Also, Moneyball was a good movie.
Last up was Dr. Condoleezza Rice, the former National Security Advisor for the Bush Administration. Dr. Rice is intelligent and a competent speaker, but lacks passion and timeliness. She has a fascinating back story, is widely considered a genius on international and military issues, and was present during some of the more tumultuous years of this nation’s history. Yet, she seems to be playing defense on her record and has little insight into the current state of affairs of information security, other than the Chinese are bad. I do not feel like I was getting much out of this presentation, so I ducked out about five minutes before it ended to avoid the crowds.
I spent more time on the expo floor this year, but tried to observe more than talk. You can learn a lot just watching a booth from a distance and seeing how they interact with people. In some cases, I felt like I learned nothing. A quick (snarky) summary:
- Apparently everybody uses Splunk. Who knew?
- Symantec is having a renaissance which is great! But they still treat everybody like sheep, which is not so great. Trapping people in a theater to assault them with Symantec Ueber Alles was not the best way to show your new sensitivity to the market. Next year, be a little friendlier, and less cultish.
- The UTM/NGFW rivalry of Palo Alto, Fortinet and CheckPoint was quiet this year. PAN did not have much splashy news, other than they have a partnership with Splunk (which is cool). The PAN booth was on high alert for any negativity. I have to keep my distance from PAN, as they can get defensive around me, and I do not want to be that jerk who tries to make them look bad at the show. They paid for the space, they deserve their place to shine. Fortinet got some great reviews from NSS, but also seemed a little subdued. And I never even heard a peep out of CheckPoint.
- Juniper released something, that does something, and nobody seemed to care. They had two boths on the floor. I have no idea why.
- Huawei had a booth which seemed to only attract scowls from people. I feel a little sorry for them, as they are taking the brunt of the anti-China sentiment.
- Cisco did not screw anything up, for once. I was looking at their various security platforms thinking, this GUI is awesome, if it was 1997! Somebody go find the one guy at Cisco who knows design and HTML 5 and give him a promotion.
- McAfee all reminded us how obsessed they are with security. Great, we have a stalker now. Let’s hope we do not need to get a restraining order for McAfee. They were such a nice boy.
- FireEye is making waves with its budget-busting series of anti-APT technologies. Cool stuff, but only the wealthy can afford it. I still want one.
- Secunia is out in front with a cool booth, a great technology, and a confusing plan for the future.
- Somebody tweeted that they got a message from the future and nCircle had gone out of business (it was a Rapid7 rep, naturally). I laughed when I read that because he summed up what I think may be on a lot of people’s minds. nCircle needs to clean up their product, fast or they are going to wind up in the bargain bin down at the $0.99 store. Maybe Dell will buy they, they will buy anything.
- Sophos is making a serious run for greatness, they just need to make Astaro more competitive.
- Veracode gave us the Soup Nazi, which used SOUP as an acronym for Software of Unknown Pedigree. The analogy was a little strained, but it was fun.
- I still do not know what Ahn Labs does. I watched their booth for a good three minutes and listened to conversations, and left more baffled than when I showed up. I heard APT a lot, saw some appliance, but then it looked like an antivirus product. Maybe AhnLab and ESET should get together and corner the market on slick “robot themed” marketing for commodity tech than nobody will pay for.
- Rapid7 is remaking themselves and growing up in a big way. They have a new logo, they got HD Moore out in front, and apparently fired all their pushy salespeople. Now, perhaps, the greatness of Rapid7’s technology will match the that of their company.
- Of course, let us not forget the namesake of the show, big data obsessed RSA. RSA reps were vomiting big data everywhere, leaving steaming piles of it all throughout the expo floor. RSA has the right idea here. Security Analytics is cool, but RSA as a company is really smug and self-absorbed. On one hand, I like their new product and think it could really stir up the SIEM market. On the other hand, I kind of want them to fail so they learn a little humility. I’ll stick to the positive, and say they have something really great with Security Analytics, please do not screw it up with arrogant sales and ridiculous pricing.
- Where the heck was Good, MobileIron, or any of the other MDM products? They all seemed relegated to small booths off in the fringes. Mobile security did not seem to be grabbing attention like it did last year.
- Zscalar is intriguing. Cloud + application control + user compliance is an interesting combination. The rep in the booth boiled their product down to like a 10 second pitch. I was impressed.
- GRC tools are everywhere and I wanted to look at them all.
- I am ashamed to admit that I liked the Microsoft booth. They had a bunch of partners there and it felt genuine and friendly. Poor Microsoft. They have so many smart people all going in so many different directions.
- Wait, is Websense competitive again? No way? Lower your prices and prepared to be boarded.
- BlueCoat is still in business, wonders never cease.
- I forget the booth, but some company had a very attractive woman giving a presentation (imagine that!) It was so clearly a scripted sales pitch, that it was painful to hear. Honestly, I would rather see a fat guy with a neckbeard talk who knows his stuff, than some rent-a model who knows nothing.
Were I to assess the state of the information security community based on RSA 2013, I would say it is in the throes of puberty. The community’s voice is changing and its growing hair in places it did not have it before. The community is finally figured out that nonstop fear-mongering is not working. As such it has shifted to facts and data. This is part of maturing. Rather than go off what incites emotion, the community is presenting its data. Even the color scheme of this year’s show emphasized this transition. While last year the color scheme was yellows and red, which can safely be called emotional colors, this year we had blues and blacks, which are cool, rational colors.
This adolescence is going to be difficult, however. There are plenty of immature people (and companies) in the community who have a seriously inflated sense of self-worth (like most teenagers.) They are losing ground to the sensible, rational people and they do not like it. Expect lots of tantrums from those people and companies as they lose the limelight.
My final message to RSA, and to the community at large is something my business coach said to me recently: yes, you are right, but did you have to leave so much blood on the wall? The community is on the right track, but it needs to drop the attitude. You are not a special snowflake. You are not the second coming of Jobs. We are all in this together. It is time to stop talking, and start doing. We have the data, we have the tools, now, it is time to make sense out of it all and put it into action.