Cybersecurity

Report from RSA Conference 2018: A Fresh Perspective

Raheel Malik
May 10, 2018
4 min read

Protiviti Technology Consulting manager Raheel Malik shares his observations from RSA Conference 2018, held in April in San Francisco.

The many sessions at RSA Conference 2018 (RSAC 2018) had something for everyone, ranging from those concerned with legal implications, to the human element, to some very technical topics focusing on training machine learning models and newer encryption solutions. The proportion of sessions seemed to correlate very closely with their popularity, with blockchains and process automation among the more popular topics.

Leaving Encrypted Data Protected

Since the RSA Conference owes its success to the RSA encryption algorithm, it made sense the event would pay homage to the latest in encryption technologies, the most exciting of which is Fully Homomorphic Encryption (FHE). Though originally theorized by Ron Rivest in 1978, FHE was popularized by Dr. Craig Gentry at IBM, a 2014 MacArthur Fellow, by providing a means to process encrypted data without decrypting it. Its practical implications include allowing us to assure privacy well beyond the trusted computing platforms, to untrusted systems, while also allowing resistance against speculative execution attacks like Spectre and Meltdown within the trusted environments. While there was only one apparent presentation on the subject at RSAC 2018, it was quite thorough.

Automating Security Operations

Security analysts and engineers have gotten very good at scripting and automating menial tasks, spawning the Security Orchestration and Automated Response (SOAR) industry. Bruce Schneier mentioned in his session that since people are the weakest link, we should consider automating everything to eliminate the human dependency. If a task cannot be automated, then orchestrate it so there is little room for error when the human involved is following a prescribed procedure.

The big takeaway from the SOAR sessions I attended was the common reference to OODA, the shorthand term for Observe, Orient, Decide and Act, which simply means to sequentially and iteratively collect data, analyze and filter it, run some decision logic and finally perform corresponding action/s.

Some presenters went as far as creating the Easy Button™ for security analysts, using an AWS IoT Button, whose single-click would send a SMS text with an immediate audit of his AWS environment while a double-click would perform remediation and confirm via a separate SMS text message. The entire OODA logic was programmed within an AWS Lambda function.

Without much more effort, these IoT buttons could be weaponized as per the risks to serverless functions identified by my colleague, Piotr Zbiegiel, in his earlier blog post. In the case of a microservice capable of automatically and administratively remediating findings, it would have to run with significant privileges.

Blockchain on the Hype Cycle™: The Cryptographers’ Perspective

A keynote session, “Cryptographers’ Panel,” initially agreed unanimously that the blockchains are overhyped with their currently unsound engineered principles. However, presenter Ron Rivest found some of their properties like latency rendering them impractical but some other properties interesting, specifically with them being decentralized, immutable, and publicly accessible. Fellow presenter Adi Shamir, who is also currently involved with the panel for standardizing post-quantum cryptography algorithm/s, supported their immutability for purposes of resisting threats from quantum computers. In the case of contracts and wills, they could be memorialized on the public ledger so that even if their encryption is cracked in the future, their credibility and authenticity could still be verified. The major takeaway here is that we may be able to guarantee integrity of historical facts, but perhaps not their confidentiality because adversaries can collect encrypted traffic today and break it in the future.

Other sessions focused on blockchains including a use case in health insurance for identity management, highlighting their risks, implementing private ledgers, and financial gains from mining cryptocurrency on compromised systems hosting PII while completely ignoring the PII itself.

Continuing the Discussion

Interested in learning more about what’s emerging with Blockchains, Encryption, Security Orchestration and Automated Response, or other offerings from our Technology Consulting practice? Visit www.protiviti.com or contact me for more information. This is an exciting space to be a part of as we move forward to showcase our current accomplishments and build out new solutions.

Raheel Malik

Manager
Technology Consulting – Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More