Protiviti Technology Consulting manager Raheel Malik shares his observations from RSA Conference 2018, held in April in San Francisco.
The many sessions at RSA Conference 2018 (RSAC 2018) had something for everyone, ranging from legal implications and the human element to very technical topics such as training machine learning models and newer encryption schemes. The number of sessions on each topic tracked its popularity closely, with blockchains and process automation among the best attended.
Leaving Encrypted Data Protected
Since the RSA Conference owes its name to the RSA encryption algorithm, it made sense that the event would pay homage to the latest in encryption technology, the most exciting of which is Fully Homomorphic Encryption (FHE). The idea of computing on encrypted data was first proposed by Rivest, Adleman and Dertouzos in 1978, but the first working FHE scheme was constructed in 2009 by Dr. Craig Gentry of IBM, a 2014 MacArthur Fellow: it provides a means to process encrypted data without ever decrypting it. Its practical implication is that privacy can be assured well beyond trusted computing platforms, on untrusted systems, and because plaintext never exists on the processing host it also limits what speculative execution attacks like Spectre and Meltdown can leak, even inside environments we do trust. The price is performance: FHE operations remain orders of magnitude slower than the same computation on plaintext, so today it suits narrow, high-value computations rather than general workloads. While there was only one apparent presentation on the subject at RSAC 2018, it was quite thorough.
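To make "processing encrypted data without decrypting it" concrete, here is an added example that is not from the RSAC presentation or any FHE library. It uses the Paillier cryptosystem, which is only additively homomorphic: a party holding just the public key can add encrypted values and multiply them by a known constant, but cannot multiply two ciphertexts together, which is exactly the gap FHE closes. The primes, the salary figures and the function names are constructed for the example, and the key size is a toy value that must never protect real data.

```python
# Added example: Paillier, an additively homomorphic scheme, as a toy stand-in
# for "computing on encrypted data".  Toy primes, not a production library.
import math
import secrets


def keygen(p, q):
    """Build a Paillier key pair from two primes (the caller supplies them;
    here they are constructed toy values far too small for real use)."""
    n = p * q
    assert p != q and math.gcd(n, (p - 1) * (q - 1)) == 1
    n2 = n * n
    g = n + 1                                           # standard choice of generator
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)         # L(g^lam mod n^2)^-1 mod n
    return (n, g), (n, lam, mu)                         # public key, private key


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts
    produce different ciphertexts."""
    n, g = pk
    n2 = n * n
    assert 0 <= m < n, "plaintext must be reduced mod n"
    while True:
        r = secrets.randbelow(n - 1) + 1                # r in [1, n)
        if math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, lam, mu = sk
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n


def add_encrypted(pk, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n, _ = pk
    return c1 * c2 % (n * n)


def scale_encrypted(pk, c, k):
    """Homomorphic multiplication by a known constant k (not by another ciphertext)."""
    n, _ = pk
    return pow(c, k, n * n)


def untrusted_payroll_total(pk, ciphertexts, bonus_multiplier):
    """What the untrusted server does: it holds only the public key and the
    ciphertexts, yet computes (sum of salaries) * bonus_multiplier."""
    total = ciphertexts[0]
    for c in ciphertexts[1:]:
        total = add_encrypted(pk, total, c)
    return scale_encrypted(pk, total, bonus_multiplier)


def demo():
    # Constructed sample: three salaries encrypted by their owner before upload.
    pk, sk = keygen(104729, 1299709)                   # toy primes (10,000th and 100,000th)
    salaries = [52000, 61000, 47500]
    uploaded = [encrypt(pk, s) for s in salaries]
    result_ct = untrusted_payroll_total(pk, uploaded, 2)  # server never sees plaintext
    return decrypt(sk, result_ct)                      # owner decrypts the result


if __name__ == "__main__":
    print(demo())
```

Two encryptions of the same salary differ because of the random r, so the server cannot even tell equal values apart by comparing ciphertexts. The malleability that makes this useful is also the hazard: a malicious server can scale or combine ciphertexts without detection, so in a real deployment the client has to authenticate the inputs and the computation separately; unpadded RSA has the same multiplicative property, which is why it is treated as a weakness there.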
Automating Security Operations
Security analysts and engineers have gotten very good at scripting and automating menial tasks, spawning the Security Orchestration, Automation and Response (SOAR) industry. Bruce Schneier mentioned in his session that since people are the weakest link, we should consider automating everything to eliminate the human dependency. If a task cannot be automated, then orchestrate it so there is little room for error when the human involved is following a prescribed procedure.
The big takeaway from the SOAR sessions I attended was the recurring reference to OODA, shorthand for Observe, Orient, Decide and Act: collect data, analyze and filter it, run some decision logic and finally perform the corresponding action or actions, sequentially and iteratively.
One presenter went as far as creating an Easy Button™ for security analysts, using an AWS IoT Button: a single click sent an SMS text with an immediate audit of the presenter's AWS environment, while a double click performed remediation and confirmed it via a separate SMS text message. The entire OODA loop was programmed within a single AWS Lambda function.
Without much more effort, these IoT buttons could be weaponized, as per the risks to serverless functions identified by my colleague, Piotr Zbiegiel, in his earlier blog post. A microservice capable of automatically and administratively remediating findings has to run with significant privileges, so whoever can press the button, or invoke or compromise the function behind it, inherits those privileges.
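The button-driven loop, as an added example rather than the presenter's code: the Observe step is injected so the block runs offline against a constructed security-group inventory in the shape of the EC2 DescribeSecurityGroups response, and Act is a recorder standing in for sns.publish and ec2.revoke_security_group_ingress. The clickType field is assumed to be the IoT Button's payload key, and the group IDs, ports and CIDRs are constructed.

```python
# Added example: an OODA loop for a button-triggered audit/remediation Lambda.
# Not the presenter's code.  AWS calls are injected (observe) or recorded (act)
# so the loop runs offline; the IoT Button payload shape is an assumption.
from dataclasses import dataclass
from typing import Callable, List

SENSITIVE_PORTS = (22, 3389, 3306, 5432)          # SSH, RDP, MySQL, PostgreSQL
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    port: int
    cidr: str


# Constructed inventory in the shape of ec2.describe_security_groups() output.
SAMPLE_INVENTORY = {
    "SecurityGroups": [
        {"GroupId": "sg-0a1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ]},
        {"GroupId": "sg-0b2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ]},
    ]
}


def orient(inventory) -> List[Finding]:
    """Orient: reduce raw data to sensitive ports reachable from anywhere."""
    findings = []
    for sg in inventory.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None:                         # IpProtocol "-1": all ports
                lo, hi = 0, 65535
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue
                for port in SENSITIVE_PORTS:
                    if lo <= port <= hi:
                        findings.append(Finding(sg["GroupId"], port, cidr))
    return sorted(findings, key=lambda f: (f.group_id, f.port, f.cidr))


def decide(click_type: str) -> str:
    """Decide: SINGLE click reports, DOUBLE click remediates, anything else is ignored."""
    return {"SINGLE": "report", "DOUBLE": "remediate"}.get(click_type, "ignore")


def revoke_request(f: Finding) -> dict:
    """Build the IpPermissions entry a revoke call needs for one finding."""
    rng = ({"Ipv6Ranges": [{"CidrIpv6": f.cidr}]} if ":" in f.cidr
           else {"IpRanges": [{"CidrIp": f.cidr}]})
    return {"GroupId": f.group_id,
            "IpPermissions": [dict(IpProtocol="tcp", FromPort=f.port, ToPort=f.port, **rng)]}


def handler(event: dict, observe: Callable[[], dict], act: Callable[[str, object], None]) -> dict:
    """Lambda entry point.  `observe` fetches the inventory and `act` sends SMS
    or revokes rules; both are injected so the loop can run without AWS."""
    mode = decide(event.get("clickType", ""))      # assumed IoT Button field
    if mode == "ignore":
        return {"mode": mode, "findings": 0}
    findings = orient(observe())                   # Observe + Orient
    report = "; ".join(f"{f.group_id} {f.port}/tcp open to {f.cidr}" for f in findings)
    act("sms", "AUDIT: " + (report or "no findings"))
    if mode == "remediate":                        # Act
        for f in findings:
            act("revoke", revoke_request(f))
        act("sms", f"REMEDIATED {len(findings)} rule(s)")
    return {"mode": mode, "findings": len(findings)}


class RecordingActor:
    """Stand-in for sns.publish / ec2.revoke_security_group_ingress: records calls."""
    def __init__(self):
        self.calls = []

    def __call__(self, kind, payload):
        self.calls.append((kind, payload))
```

Wiring it to AWS means passing `lambda: ec2.describe_security_groups()` as observe and an act that calls `sns.publish(PhoneNumber=..., Message=...)` for "sms" and `ec2.revoke_security_group_ingress(**payload)` for "revoke". The privilege point above then becomes an IAM question: grant the function's role only ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress and sns:Publish on the one topic, and treat anyone who can press the button or invoke the function as holding exactly those permissions.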
Blockchain on the Hype Cycle™: The Cryptographers’ Perspective
A keynote session, the Cryptographers' Panel, opened in unanimous agreement that blockchains are overhyped and that much of the engineering built on them is unsound. Ron Rivest nevertheless found some of their properties interesting, specifically that they are decentralized, immutable and publicly accessible, even though others, such as latency, make them impractical for many uses. Fellow panelist Adi Shamir, who is also currently involved with the effort to standardize post-quantum cryptography algorithms, supported their immutability as a defense against quantum computers: a contract or will could be memorialized on the public ledger so that even if the cryptography protecting it is broken in the future, the record of what existed and when remains verifiable. The major takeaway is that we may be able to guarantee the integrity of historical facts, but not their confidentiality, because adversaries can collect encrypted traffic today and break it once a sufficiently powerful quantum computer exists.
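The idea of memorializing a document on a public ledger, as an added example that is neither the panel's proposal nor a real blockchain: the document itself never leaves its owner, only a salted SHA-256 commitment is appended to a hash-chained, append-only ledger, so a later verifier can confirm the document existed unchanged at that position even if the signature scheme that was used on it is broken later. The ledger class, the will text and the salt are constructed; a real blockchain adds distributed consensus, which is what makes rewriting the chain expensive rather than merely detectable.

```python
# Added example: a salted hash commitment appended to a hash-chained ledger.
# Toy stand-in for a public blockchain (no consensus, no network, no signatures).
import hashlib
import json
import time
from typing import Optional


def commitment(document: bytes, salt: bytes) -> str:
    """SHA-256 over salt || document.  Publishing only this value keeps the
    document confidential; the salt stops anyone confirming a guessed document."""
    return hashlib.sha256(salt + document).hexdigest()


class Ledger:
    """Append-only chain: each block hashes its predecessor, so editing any
    block invalidates every later one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []

    @staticmethod
    def block_hash(block: dict) -> str:
        body = {k: v for k, v in block.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, commit: str, ts: Optional[int] = None) -> int:
        """Record a commitment; returns its block index (the receipt the owner keeps)."""
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"index": len(self.blocks), "prev": prev, "commitment": commit,
                 "ts": int(time.time()) if ts is None else ts}
        block["hash"] = self.block_hash(block)
        self.blocks.append(block)
        return block["index"]

    def verify_chain(self) -> bool:
        """Every block must sit at its index, point at the previous hash and hash correctly."""
        prev = self.GENESIS
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev or self.block_hash(b) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def proves(self, index: int, document: bytes, salt: bytes) -> bool:
        """Does block `index` commit to exactly this document, with the chain intact?"""
        if not self.verify_chain() or not 0 <= index < len(self.blocks):
            return False
        return self.blocks[index]["commitment"] == commitment(document, salt)


def demo():
    # Constructed: a will, a fixed salt (use secrets.token_bytes(16) in practice),
    # a second unrelated entry, then an attempt to pass off an edited will.
    ledger = Ledger()
    will = b"I leave the house to my daughter."
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    receipt = ledger.append(commitment(will, salt), ts=1524700000)
    ledger.append(commitment(b"unrelated filing", b"\x01" * 16), ts=1524700100)
    genuine = ledger.proves(receipt, will, salt)
    forged = ledger.proves(receipt, b"I leave the house to my son.", salt)
    return genuine, forged
```

The salt is the confidentiality caveat in miniature: the ledger is public, and without a salt anyone could confirm a guess at a predictable document (a standard-form contract with a few blanks) by hashing candidates against the chain. The commitment proves existence and integrity at a point in the chain, not authorship; proving who wrote it still needs a signature, and that is the part a quantum computer may later undermine.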
Other blockchain sessions covered a health insurance use case for identity management, the risks that come with blockchains, the implementation of private ledgers, and the financial incentive for attackers to mine cryptocurrency on compromised systems that hold PII while ignoring the PII itself.
Continuing the Discussion
Interested in learning more about what's emerging with blockchains, encryption, SOAR, or other offerings from our Technology Consulting practice? Visit www.protiviti.com or contact me for more information. This is an exciting space to be a part of as we move forward to showcase our current accomplishments and build out new solutions.
Raheel Malik, Manager