RSA 2022 Musings: The Past and The Future of Security
One of the things I do every year at the RSA conference is to wander the expo halls trying to deduce themes and trends for the industry.
Before I go into my specific observations, I wanted to share what impressed me the most this time. My first reaction was the normalcy of it all — it came as a shock as this was my first big event after, well, RSA 2020. It definitely felt like the industry was back, with all its goods and some of its bads. Economic challenges notwithstanding, there was definitely a lot of excitement in the air (not sure that the freshly laid off employees of vendors with huge expensive booths would relate to that however…)
So, what was the theme that came to me as I was wandering the halls? It was the past and the future. What does this mean, specifically?
As I was looking at the security vendors and their technologies, I realized that security vendors that apparently peaked in relevance, say, in the mid-2000s had huge booths and did brisk business, selling whatever they sold before. Serving the past is good business in security! At the same time, vendors that focus on securing modern cloud environments, all those CSPMs, CWPPs, CIEMs (don’t even!) and now SSPMs, CNAPPs and perhaps even CDRs are flooding the market seeking to secure the future. These vendors also have huge booths!
So, the RSA floor strikes me as a perfect, if bizarre, blend of the past and the future of security. The past is strong, yet the future now is strong too! Cloud-natives and the growing ranks of “cloud immigrants” (those not born in the cloud, but who fully embraced it) live in the 2020s. At the same time, some organizations are moving to enter the 1990s or perhaps 2000s, with regard to their IT tools and practices. There are people buying their first SIEM in 2022. There are people adopting virtualization in 2022. There are people moving to “next-gen” firewalls (a great innovation of 2005) in 2022.
To further illustrate this point, one of the Innovation Sandbox participants showed a slide that mentioned that the VPN market alone today is larger than the entirety of all cloud security markets, defined broadly and loosely, and then rounded upwards. Somehow that fact blew my mind! Another related bit somebody shared with me was a concept of a “descendant vendor” — they are not dead, not dying, they are making good money, but nobody sane would think that they are an important part of the security future…
Securing the past is still good business, but now securing the future is also good business [not the distant future, BTW].
Now, onto the themes I’ve picked up on.
XDR — XDR was everywhere, with many vendors touting open XDR (so, basically SIEM?), native XDR (can be anything) and several other types too. XDR itself is still crazy and undefined and there are signs that some vendors are making it even broader, fuzzier, like selling TIP as XDR. For example, some were saying that they are “XDR for something” (like we are very broad but also somehow focused on one domain … say what?).
XDR’s older brothers — EDR and NDR — are now joined by DDR (one vendor claimed “Data Detection and Response”) and ITDR (no, not for IT, silly: “Identity Threat Detection and Response”). I have not spotted CDR this time, but maybe I should have — more on this below.
There was definitely a lot of MDR as well, as more organizations are looking for help with detection and response, while classic MSSPs are delivering annoyance rather than security operations excellence. In one area of the expo floor, you can walk past many booths and it would be all MDRs for miles and miles …
Zero trust is even more everywhere, and this one is turning silly quickly. A password manager claimed “zero trust for passwords” while a SIEM/UEBA vendor promised to reveal all zero trust secrets (I bet they use VPN internally…). A firewall management vendor claimed to “simplify zero trust.” An anti-DDoS vendor promised “better zero trust visibility.” Yet another proclaimed that ZTNA 1.1 is over — and I bet a fair number of organizations haven’t even registered that ZTNA truly arrived yet for them. As a side note, I did see some SASE, but a lot less than zero trust.
Cloud security is very visible! To me, it represents a big part of the security industry’s future (and its present for many too — see the above theme discussion). I also noticed that new vendors and even vendor categories are still appearing in this area; we are still very much in the Cambrian explosion here. So, we have a space with a growing number of vendors and categories, all morphing and fluidly evolving, and all that happens around what the cloud providers are doing in security. Very fun!
I noticed that the cloud security wave is still triggering a lot of “as code” promises by the vendors — spotted “forensics as code”, “cloud governance as code”, “detection as code” and a few others. This is cloud thinking percolating through the industry, slowly but surely. To me, this is a good thing!
BTW, I was looking for the emergence of CDR (Cloud Detection and Response) so I was talking to a few vendors building tools to do detection, investigation and response in the cloud. These would be covered in a separate post, but I think cloud IR would get exciting soon…
Naturally, I was also on a lookout for SIEM and how it is doing nowadays. Pretty much every SIEM vendor is a SIEM/SOAR/UEBA vendor. But why not just accept that in 2022, SIEM = SIEM + SOAR + UEBA? If your SIEM has no SOAR and UEBA, it is not really a SIEM anymore. As one such incomplete vendor claimed, “we are not a SIEM, we are a ‘SIEM replacement’”… hmm… OK, I agree “my engine, 2 doors and 3 wheels is not a car… but a car replacement.” Very credible, that. As a funny side note, one vendor’s booth asked: “Is your SIEM a money pit?” I think somebody should have added in crayon “… Can our not-quite-SIEM tool be that instead?”
Finally, a quick note on ML and AI. I think we are past the silly screaming phase of security ML and into the solid operationalization phase of a hype cycle here. I’ve seen decent examples of how companies used ML techniques for various security tasks and how they got good results, backed up with numbers and such. This took a few years, and some got there earlier, but we are definitely in the calmer waters in this regard.
What about things not seen or seen less? Maybe it is just me, but I’ve seen the ones below less than I expected:
- Ransomware: perhaps vendors now assume that by the time their tools are purchased and deployed this will be a solved problem.
- Data security: it has happened for a few years, but somehow data security (whether encryption or DLP or some new space) has been less noisy lately, nobody seems to be disrupting it.
- IoT/OT security: very few, very small vendors focus there, and some who used to are pivoting away. So still no money in it? But this is perhaps changing in the next few years. Anyhow, a decent question for RSA 2025…
UPDATE: listen to our RSA 2022 Reflections podcast episode here!
- “Special — RSA 2022 Reflections — Securing the Past vs Securing the Future” (ep70) podcast
- RSA 2020 Reflection
- RSA 2019: Happily Not Over-AI’d
- RSA 2018: Not As Messy As Before?
- RSA 2017: What’s The Theme?
- RSA 2016: Musings and Contemplations
- RSA 2015: Rise of Chaos!!
- RSA 2013 and Endpoint Agent Re-Emergence
- RSA 2006–2015 In Anton’s Blog Posts!