Author's Note: Due to limitations and issues with Hashnode, I encourage you to go read this in the correct format and with all the links working correctly at https://blog.gitguardian.com/rsa-conference-2023-devsecops-and-the-future-of-security/
To say that the RSA Conference is one of the largest cybersecurity conventions in the world would be an understatement. This year the event attracted 40,000 participants. Tens of thousands of individuals showed up to learn about the latest updates in cybersecurity, and hundreds of presenters came to impart their knowledge. The expo floor alone held over 600 vendors, from giants like Cisco and VMware, long-established platform companies like Google Cloud and Trellix, to growing players like GitGuardian and Wiz.
The security community spirit really shone through as we navigated the more than 350 possible sessions, summits, and villages that make up the event. We also had a lot of fun, getting to attend more after-parties than we can remember and seeing celebrity guest appearances from folks like Eric Idle of Monty Python, Superman Dean Cain, and Doc Brown himself, Christopher Lloyd.
It would be impossible to try and cover everything in one post, so here are just a few highlights from RSAC 2023.
DevOps Connect - DevSecOps
The RSA Conference overlaps and co-exists with a number of smaller events. These include the Sandbox Villages, the eFraud Global Forum, the International Cybersecurity Forum, and DevOps Connect, a security-focused DevOps conference held on the Monday that kicks off the whole event week. The theme for the day was "DevOps is now DevSecOps." Mark Miller, the host for the event, explained the reason: "DevOps is DevSecOps because it needs to be." Throughout the day, we learned about future-looking trends, ways to change our mindset, and how to better communicate with our teams.
For those who missed DevOps Connect live at RSA, you are in luck, as these sessions will be available on June 1, 2023, at DevOps Connect Virtual.
The future of DevSecOps
The person who coined the term "DevSecOps," Shannon Lietz, former VP of Adobe Security, delivered the day's keynote. In her session: "DevSecOps... The Train has Left the Station!" she laid out her vision for how we can get to a better, more secure future in DevOps by staying focused on three overarching topics:
- Improving Accessibility
- Improving Transparency
- Improving Accountability
Any conversations that steer our code and DevOps practices towards those goals are the "right conversations" that we should be having. She said the reality is:
"Developers don't talk about security tools unless it makes the security people go away."
We must strive to make an 'easy button' for security for developers and the rest of the organization. We cannot expect everyone outside of security to spend nearly as much time researching threats as the security team does, so it is up to us to use concrete and actionable language when communicating what is at risk and how to work safely. Avoid bringing developers more toil; bring them solutions.
DevOps relies on operational definitions
There are only a handful of books I would call 'mandatory reading' about DevOps: Accelerate, The DevOps Handbook, and the duology of The Phoenix Project and The Unicorn Project. I was delighted to hear that John Willis, one of the co-authors of The DevOps Handbook, was speaking at DevOps Connect. His session "In DevSecOps Operationalization" took us through the parallels with the pre-DevOps methodology of W. Edwards Deming, the American statistician and productivity researcher, who said
“Just because you can measure everything doesn’t mean that you should.”
According to John, one of the issues facing DevSecOps today is the lack of clear, consistent operational definitions. "Without that, you are lost," he continued. Much of the time, we just start counting or measuring things without asking why we are measuring. Counting arbitrary statistics, which are easy to report on, does not bring any true value. We need to have a conversation about DORA metrics that challenges what terms like "mean lead time" actually mean, perhaps even what we mean by "time."
Unfortunately, the certainty of anything we are trying to measure is not guaranteed. He suggested reading "In Search of Certainty" by Mark Burgess, which dives into the subject much more deeply.
Change your mindset
In one of the most interesting sessions I have ever attended about altering your perception, "Changing Mindset: What Cybersecurity Practitioners Can Learn from Tarot Cards," Caroline Wong, Chief Strategy Officer at Cobalt, walked us through tarot cards and how she uses them to recenter her focus.
She was quick to point out this was not anything supernatural or about telling the future, just about the history and art of each card. Every card has some generally understood symbolism, and just reflecting on the visuals of a card and how it might relate to a current problem can help get you out of your usual way of thinking. It might be worth a shot next time you get stuck when working on an issue.
A simple, clear response plan for non-security folks
In her session "Incident Response for Developers," the one and only Tanya Janca, author and founder of We Hack Purple, shared with us a training course we can use with our own teams. Along the way, she told a lot of amusing anecdotes gained from her years of security leadership.
She said one of our most important jobs is helping the rest of the team understand their role during any security incident. What we tell them can boil down to a fairly short list:
- "Tell the security team if you see something." It is important to let them know you will never be mad about a false alarm. It is always better for them to tell security than to act on their own.
- "Don't leave the premises without telling security." Developers are used to going home when the day is done, and they arrive at a logical stopping point. You must explain it is critical for them to stay around until the security team clears everyone to depart.
- "This incident is top priority. Treat it like an emergency." This is not just a high priority; this is a fire. Do not hide things in order to keep working on that Jira ticket.
- "Follow 'need to know' rules about security information." Do not spread what you 'think' is correct. When in doubt, just remember the first item on this list.
- "Don't try to manage it yourself and try to be a hero." Unfortunately, acting independently and without the right training in some security situations can mean contaminating evidence or breaking the chain of custody, which can help bad actors go free even if they are caught.
She wrapped up her talk by reminding us we should be building relationships with the whole organization, not be a separate, scary department. If we can lead devs and non-technical people to trust the processes and report early and often, then we can make our organizations that much more secure.
Stronger Together
The theme of RSA Conference 2023 was "Stronger Together." This theme was carried throughout the many sessions of RSAC. This simple phrase really did reflect the spirit of the attendees and the mindset of the thought leaders sharing their visions for how we can shape a more secure future.
What drives change
In his mainstage keynote, "When Worlds Converge and Consolidate: Blueprint for IT and Security Leaders," John Maddison, CMO and EVP of Products at Fortinet, laid out the three drivers of IT change:
- Infrastructure changes - As tech gets faster and more things shift to cloud and edge computing, we need to evolve our networks and operational setups.
- Threat landscape - It is ever-evolving, requiring new tools and new approaches.
- Regulatory changes - There are a lot of things driving these changes globally, but keeping up is not optional.
According to his research, current projections have companies spending more on security for their networks by 2030 than on the networking tools themselves. This is due, in part, to the "operational nightmare" of distributed applications combined with work-from-anywhere hybrid workforces. The reality is that with SaaS solutions, sometimes it is faster to go off the network for some services, and other times, security needs demand you stay on the company's network. Handling that handoff between networks is one of the next significant challenges we need to face.
As more and more customer-driven changes have us chasing shiny objects, we must always remember we are on a security journey. If we are smart, that journey will lead us to Zero Trust architecture. Zero Trust comes with the expense of processing power, especially as we scale. Ultimately, the journey will be worth it as we keep attackers at bay and our organizations safe.
He ended his talk by encouraging everyone to take their top ten most popular apps and push them towards a Zero Trust architecture. It is a direct, actionable way to impact your overall security posture in a major way.
Tomorrow's SOC
Bryan Palma, CEO of Trellix, foresees a future where we respond to the growing threats more aggressively and with a different approach than we have been taking, which has looked a lot like throwing more security personnel at every security issue. In his talk "SIEM There, Done That: Rising Up in the SecOps Revolution," Bryan said he visited 6 different Security Operations Centers (SOCs) and was shocked at the state of things. The rapid expansion of threats and the variety of attacks have meant longer hours and teams struggling to stay motivated.
He then laid out a simple 3-point plan to address the state of things. He said tomorrow's SOC:
Fights back - You cannot win the game by only playing defense. We must be able to respond so rapidly that the attacker is taken off their feet. Each round they have to rethink their approach is a round they are not attacking, making it a round you win.
Games the system - There are currently more than 3.4 million more openings for security professionals than there are qualified people to fill them. Meanwhile, estimates put the number of gamers worldwide at over 3 billion. If we could harness even 1% of that, we could easily fill this skills gap. It is up to us to rethink what training and day-to-day operations look like.
Runs on robots - Nearly 1/3 of CISOs surveyed want more automation in their security operations. Bryan believes we need to find ways to move humans away from the front lines of response and into supervisory roles overseeing the robots that are engaging in ever more common machine-on-machine warfare.
An optimistic future
Optimism about the security space is not a common sentiment. It is especially rare to hear leaders in cybersecurity talk about brighter futures. This might be one of the reasons so many people turned up to hear Lee Klarich, Chief Product Officer at Palo Alto Networks, give his talk "Why I’m Optimistic (And You Should Be, Too)."
He did start out on a not-too-positive note, though; if you added up all the ransomware payments in the world, it would be the 3rd largest economy on Earth. Ransomware continues to evolve, and gangs have gotten extremely sophisticated, even offering up customer service. Basically, if you have money, and they think they can extract it, you automatically become a target.
Echoing Bryan's earlier point, Lee said we need to have a mindset change in which we respond so fast to any intrusion that we effectively prevent the attack. It costs attackers real time and money to come up with new strategies and tactics. This hurts their bottom line and makes you a much less attractive target.
He warned that a lot of security has fallen into the mental trap of prioritizing compliance over security. While regulations are important to follow, we must always remember compliance in and of itself does not equal security.
His main takeaway was that we have to start believing cybersecurity to be a solvable problem. This mental model change will take a serious, concerted effort from each of us.
We have never been able to throw machine resources or automation at the issue like we can today. We can scale at a level that should make attackers' heads spin. He said he really does think real change is possible, but we need to take a more prescriptive approach rather than just reacting, as we have been doing.
Understanding the Changing Landscape
One of the reasons many people attend RSAC is to stay updated with the latest changes to standards and emerging threats. RSAC saw a new draft of the NIST Cybersecurity Framework, CSF 2.0, as well as new updates from ENISA around the Standardisation of Cybersecurity for Artificial Intelligence. While it might seem that cybersecurity is growing ever more complex, there is some good news as well.
The state of CVEs
In their highly informative talk "The Evolution of CVEs, Vulnerability Management, and Hybrid Architectures," Dr. Benjamin Edwards of the Cyentia Institute, and Sander Vinberg, Threat Research Evangelist at F5 Networks, laid out the history of CVEs and the overall trends they are seeing from their research.
Back in 1999, there were just 321 vulnerabilities on the first-ever list of CVEs (Common Vulnerabilities and Exposures). Currently, there are between 500 and 1,200 new CVEs each week, with over 1,000 per week trending to be the new norm by the end of 2023. The high number of CVEs alone does not necessarily mean we are becoming less secure. Instead, the data points to more efficient reporting with better-defined and more tightly scoped vulnerabilities.
The rate of new CVEs has skyrocketed from a new one introduced 300 days after the launch of this classification system to 0 days between them now. They said their research revealed this is in part due to the explosion of vendors in the marketplace. 59% of all CVEs ever reported are related to a single vendor. By comparison, Microsoft has over 10,000 associated CVEs, Google accounts for over 9,100, and Fedora is tied to just over 4,200 CVEs. Roughly 74% of CVEs affect only one product, and 49% of them affect only one version of that product.
While the number of CVEs continues to grow overall, the severity of reported vulnerabilities remains fairly constant. They warned that getting too fixated on the volume of reports can be counterproductive. Tracking CVEs will continue to be an important part of everyone's overall security posture, even if it tends to be a bit messy. They stressed it is far better than the alternative of no common framework where it is every product and security team for themselves. Again, they hit on the underlying theme that we are stronger together.
New and evolving threats
RSAC brings together thought leaders to share their opinions on trends they are seeing in their research. The panel discussion "The Five Most Dangerous New Attack Techniques" brought together 5 such influential minds to share what they see on the horizon. The panel was led by Ed Skoudis, President of SANS, and featured Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite, Katie Nickels, Director of Intelligence at Red Canary, and SANS Institute Fellows Stephen Sims and Johannes Ullrich.
Malvertising and copycat sites
Starting things off, Katie said her research showed that defenders are getting better at building fences, but adversaries are getting better at going over and around our barriers. She pointed to the disturbing rise in SEO attacks, where attackers leverage Google ads to trick victims into directly downloading malware like Gootloader. Katie noted that this type of attack, referred to as "malvertising," was added to the MITRE ATT&CK framework during RSAC week.
Related to malvertising is the ever-growing number of copycat sites, sites that look almost exactly like the legitimate site for downloading a piece of software. She used the 3D modeling software Blender as an example. If you Google 'blender download' and do not have any ad blocking turned on, many of the results on the first page will indeed be fake download sites. While it might be tempting to just point our finger at Google for allowing this to go on, this is such a widespread issue that there is no way they alone can fight it all. As it grows increasingly difficult to quickly tell the difference between legitimate sites and these malicious ones, we must rethink how we defend our networks and our teams.
Devs at risk
Johannes is most concerned with the threats developers face, specifically malicious packages pulled in through typosquatting attacks. To make things worse, the tools that warn of these dangers often get ignored or muted, thanks to the high false-positive rates so many devs have experienced.
Blocking developers' tools like GitHub's Copilot or 7zip might seem like a secure approach, but these kinds of efforts normally backfire. If a developer wants a tool, they will find a way to get it. What we should be doing is educating teams about the potential risks, while at the same time giving them safe paths to get what they want.
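Both the copycat download sites Katie described and the typosquatted packages Johannes worries about are lookalike-name attacks, and a practitioner can catch a large share of them with a simple check rather than another noisy alert. The following is an added example, not code from the original post or from any speaker's talk: it flags names in a `requirements.txt` and hostnames in a set of download links that sit within a small edit distance of an allowlisted name without matching it exactly. The trusted-name sets, the manifest text and the URLs are constructed for illustration; the distance threshold scales with the length of the trusted name, which is the knob that keeps short names from producing the false positives that get such tools muted.

```python
"""Lookalike-name check for dependency manifests and download links.

Added example, not code from the original post or from any speaker's talk.
Allowlists, manifest text and URLs below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlists (assumption: names your organization actually uses).
TRUSTED_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "cryptography", "boto3"}
TRUSTED_HOSTS = {"blender.org", "www.blender.org", "github.com", "pypi.org"}

# Constructed requirements.txt with three typosquats mixed in.
REQUIREMENTS = """\
# constructed manifest
requests==2.31.0
reqeusts==2.31.0      # adjacent-swap typosquat of requests
numpy>=1.24
nunpy                 # single-letter substitution of numpy
crypt0graphy          # digit-for-letter substitution
pandas
boto3
--extra-index-url https://pypi.org/simple
"""

# Constructed download links, two of which point at copycat hosts.
DOWNLOAD_LINKS = [
    "https://www.blender.org/download/",
    "https://blendr.org/download/",            # dropped letter
    "https://github.com/owner/repo/releases",
    "https://GiHub.com/owner/repo/releases",   # dropped letter, odd casing
    "https://pypi.org/simple",
]


def normalize_package(name: str) -> str:
    """Canonical form per PEP 503: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_host(host: str) -> str:
    """Lowercase and drop a trailing dot. IDNA/homoglyph handling is out of scope."""
    return host.strip().rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap.

    The swap operation matters because transposed letters are the typo most
    often squatted on ('reqeusts').
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def threshold_for(trusted_name: str) -> int:
    """Allow two edits only for longer names; short names flag at one edit.

    Unrelated short names collide easily at distance 2, and that noise is
    exactly what gets a warning tool muted by developers.
    """
    return 2 if len(trusted_name) >= 8 else 1


def find_lookalikes(candidates, trusted, normalize):
    """Return (candidate, trusted_name, distance) for near-but-not-exact matches."""
    trusted_norm = sorted({normalize(t) for t in trusted})
    hits = []
    for raw in candidates:
        cand = normalize(raw)
        if cand in trusted_norm:
            continue  # exact match to an allowlisted name is fine
        for t in trusted_norm:
            dist = edit_distance(cand, t)
            if dist <= threshold_for(t):
                hits.append((raw, t, dist))
                break
    return hits


def package_names_from_requirements(text: str):
    """Pull bare project names out of requirements.txt lines, skipping options and comments."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def check_manifest(text: str, trusted=TRUSTED_PACKAGES):
    return find_lookalikes(package_names_from_requirements(text), trusted, normalize_package)


def check_download_links(urls, trusted=TRUSTED_HOSTS):
    hosts = [h for h in (urlsplit(u).hostname for u in urls) if h]
    return find_lookalikes(hosts, trusted, normalize_host)


if __name__ == "__main__":
    for hit in check_manifest(REQUIREMENTS) + check_download_links(DOWNLOAD_LINKS):
        print("lookalike: %-14s ~ %-14s (distance %d)" % hit)
```

Run as a script, it reports the three typosquatted packages and the two copycat hosts while staying silent on every exact allowlist match. The same `find_lookalikes` routine serves both cases because only the normalizer differs; wiring it into a CI step that blocks on hits, with an explicit exception list for legitimate near-names, gives developers the safe path the panel asked for instead of another muted warning.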
AI written malware
Stephen Sims said his research had taken him down some interesting paths with ChatGPT. While the AI program will refuse to write malware if directly asked, if you ask enough times and in indirect ways, he found you can manipulate it into writing some pretty sophisticated malware. Combine this with a determined attacker who is always on the alert for new zero-days, and he worries we are about to see a whole new class of AI-assisted ransomware and malware attacks. Beyond awareness of zero-days and patching as soon as possible, he is still trying to figure out what else can be done about this threat.
ChatGPT awareness
Heather rounded out the panel by sharing a story about how she used ChatGPT to try to get her young son to reveal his address over chat. He was savvy enough to know something was wrong and refused to fall for any lure to disclose his location. While she is proud of her son, the exercise also showed her how sophisticated ChatGPT has become at writing convincing, compelling language. Her fear is not for those who are growing up with this tech but for the vast majority of adults who do not fully realize what ChatGPT, and AI in general, is capable of.
She said education is really our best defense. Explaining that there would never be a reason for you to give your Social Security number to a stranger who contacts you can help keep your grandparents safe. Giving your teams access to ChatGPT to experiment can help educate the workforce and prepare them for what is possible. Attackers are learning how to take advantage of it, and our best defense might lie in learning how to leverage it properly.
RSAC - Larger Than You Think
This recap only scratches the surface of all that went on at RSAC. With so many attendees, sessions, and conversations over 4 short days, it would be impossible to capture more than a small percentage of what happened in this post. For example, I did not even dig into the AppSec Sandbox exercise that GitGuardian ran for three days of the event; that is a story for another post.
GitGuardian was proud to be a part of this legendary event. If you did not get the chance to go to RSAC or did not manage to make it to our booth, we would be glad to connect with you to tell you about our secrets detection platform and our new Honeytoken module. Always feel free to reach out.