Cybersecurity

Report from RSA Conference 2018: A Fresh Perspective

Raheel Malik
May 10, 2018
4 min read

Protiviti Technology Consulting manager Raheel Malik shares his observations from RSA Conference 2018, held in April in San Francisco.

The many sessions at RSA Conference 2018 (RSAC 2018) had something for everyone, ranging from those concerned with legal implications, to the human element, to some very technical topics focusing on training machine learning models and newer encryption solutions. The proportion of sessions seemed to correlate very closely with their popularity, with blockchains and process automation among the more popular topics.

Leaving Encrypted Data Protected

Since the RSA Conference owes its success to the RSA encryption algorithm, it made sense the event would pay homage to the latest in encryption technologies, the most exciting of which is Fully Homomorphic Encryption (FHE). Though originally theorized by Ron Rivest in 1978, FHE was popularized by Dr. Craig Gentry at IBM, a 2014 MacArthur Fellow, by providing a means to process encrypted data without decrypting it. Its practical implications include allowing us to assure privacy well beyond the trusted computing platforms, to untrusted systems, while also allowing resistance against speculative execution attacks like Spectre and Meltdown within the trusted environments. While there was only one apparent presentation on the subject at RSAC 2018, it was quite thorough.

Automating Security Operations

Security analysts and engineers have gotten very good at scripting and automating menial tasks, spawning the Security Orchestration and Automated Response (SOAR) industry. Bruce Schneier mentioned in his session that since people are the weakest link, we should consider automating everything to eliminate the human dependency. If a task cannot be automated, then orchestrate it so there is little room for error when the human involved is following a prescribed procedure.

The big takeaway from the SOAR sessions I attended was the common reference to OODA, the shorthand term for Observe, Orient, Decide and Act, which simply means to sequentially and iteratively collect data, analyze and filter it, run some decision logic and finally perform corresponding action/s.

Some presenters went as far as creating the Easy Button™ for security analysts, using an AWS IoT Button, whose single-click would send a SMS text with an immediate audit of his AWS environment while a double-click would perform remediation and confirm via a separate SMS text message. The entire OODA logic was programmed within an AWS Lambda function.

Without much more effort, these IoT buttons could be weaponized as per the risks to serverless functions identified by my colleague, Piotr Zbiegiel, in his earlier blog post. In the case of a microservice capable of automatically and administratively remediating findings, it would have to run with significant privileges.

Blockchain on the Hype Cycle™: The Cryptographers’ Perspective

A keynote session, “Cryptographers’ Panel,” initially agreed unanimously that the blockchains are overhyped with their currently unsound engineered principles. However, presenter Ron Rivest found some of their properties like latency rendering them impractical but some other properties interesting, specifically with them being decentralized, immutable, and publicly accessible. Fellow presenter Adi Shamir, who is also currently involved with the panel for standardizing post-quantum cryptography algorithm/s, supported their immutability for purposes of resisting threats from quantum computers. In the case of contracts and wills, they could be memorialized on the public ledger so that even if their encryption is cracked in the future, their credibility and authenticity could still be verified. The major takeaway here is that we may be able to guarantee integrity of historical facts, but perhaps not their confidentiality because adversaries can collect encrypted traffic today and break it in the future.

Other sessions focused on blockchains including a use case in health insurance for identity management, highlighting their risks, implementing private ledgers, and financial gains from mining cryptocurrency on compromised systems hosting PII while completely ignoring the PII itself.

Continuing the Discussion

Interested in learning more about what’s emerging with Blockchains, Encryption, Security Orchestration and Automated Response, or other offerings from our Technology Consulting practice? Visit www.protiviti.com or contact me for more information. This is an exciting space to be a part of as we move forward to showcase our current accomplishments and build out new solutions.

Raheel Malik

Manager
Technology Consulting – Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
8 Apr

Join our experts on April 25 as they delve deep into the strategies and practices essential for safeguarding customer trust, ensuring a stellar user experience, and adhering to privacy and data security standards. Register today! https://ow.ly/fumH50R4fbw #DataPrivacy

Reply on Twitter 1777336025301254502 Retweet on Twitter 1777336025301254502 Like on Twitter 1777336025301254502 Twitter 1777336025301254502
protivititech Protiviti Technology @protivititech ·
5 Apr

Find out how businesses can use #AI technologies for real use cases in #Quantum sensing, simulations and migration to post-quantum cryptography during the latest podcast episode with guest @paul_kassebaum. https://ow.ly/Wy7u50R9t8M

Reply on Twitter 1776309432592330940 Retweet on Twitter 1776309432592330940 1 Like on Twitter 1776309432592330940 4 Twitter 1776309432592330940
protivititech Protiviti Technology @protivititech ·
5 Apr

Protiviti’s Kim Bozzella explains how technology and #Automation in the #Manufacturing industry has—and will continue to—improve productivity and quality enhancement. Read more from the Forbes Technology Council. https://ow.ly/nTPy50R7WYC

Reply on Twitter 1776249003769803111 Retweet on Twitter 1776249003769803111 Like on Twitter 1776249003769803111 Twitter 1776249003769803111
protivititech Protiviti Technology @protivititech ·
1 Apr

Organizations who are part of the Department of Defense supply chain must understand, identify and protect controlled unclassified information, often called #CUI in their environments. Here’s what you need to know: https://ow.ly/bjbW50R59Ke #ProtivitiTech

Reply on Twitter 1774769203540566390 Retweet on Twitter 1774769203540566390 Like on Twitter 1774769203540566390 Twitter 1774769203540566390
protivititech Protiviti Technology @protivititech ·
29 Mar

A global hospitality company is well positioned to leverage the latest AI technologies after hiring Protiviti to establish and implement a comprehensive AI governance standard. Read our latest client story: https://ow.ly/Ir7R50R4nrh #ProtivitiTech #ClientStory

Reply on Twitter 1773772540306919718 Retweet on Twitter 1773772540306919718 Like on Twitter 1773772540306919718 1 Twitter 1773772540306919718
Load More