The second day of the RSA Conference was packed with sessions, keynotes and insight from cybersecurity experts.
As a first-time RSA attendee, I was excited to jump into my first full day and learn as much as I could. Here are some highlights.
Amanda walked through three threat hunting scenarios built on Sysmon, and showed how Blumira's team detected a Microsoft Exchange compromise via ProxyLogon from a chain of suspicious behaviors, ranging from "net user" reconnaissance commands to the SYSTEM account mounting other systems' C drives over the network.
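To make that chain concrete, here is an added example (my own illustration, not Blumira's detection code or anything shown in the session) that runs a small hunt over Sysmon Event ID 1 (process creation) records: it scores "net user"/"net group" reconnaissance and the SYSTEM account mapping a remote machine's C$ share, then correlates the two per host. The field names are Sysmon's own; the sample events, hostnames, timestamps, the 30-minute correlation window and the regular expressions are assumptions made for this example.

```python
"""Hunt over Sysmon Event ID 1 (process creation) records for two of the
behaviours the talk tied to the Exchange compromise: ``net user`` account
reconnaissance and the SYSTEM account mapping another machine's C$ share.
Field names (UtcTime, Computer, User, Image, CommandLine) are Sysmon's own;
the events, hosts, timestamps and window below are constructed for this
example and are not real telemetry."""
import re
from datetime import datetime, timedelta

# Constructed sample events. The last two are benign controls: a normal user
# mapping a home share, and a human admin (not SYSTEM) mapping C$, which this
# hunt deliberately does not score as the SYSTEM pattern.
SAMPLE_EVENTS = [
    {"UtcTime": "2021-05-18 14:02:11", "Computer": "EXCH01",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c net user"},
    {"UtcTime": "2021-05-18 14:02:15", "Computer": "EXCH01",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "net1 user administrator /domain"},
    {"UtcTime": "2021-05-18 14:05:40", "Computer": "EXCH01",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use Z: \\\\FS01\\C$"},
    {"UtcTime": "2021-05-18 09:00:00", "Computer": "WKS07",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use H: \\\\FS01\\home /persistent:yes"},
    {"UtcTime": "2021-05-18 10:30:00", "Computer": "WKS07",
     "User": "CORP\\helpdesk", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use \\\\FS02\\C$"},
]

# "net" or "net1" enumerating accounts or groups, e.g. "net user", "net group".
RECON_RE = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)\b", re.I)
# "net use [X:] \\host\C$": mapping a remote machine's administrative drive share.
ADMIN_SHARE_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+use\s+(?:[a-z]:\s+)?\\\\(?P<host>[^\\\s]+)\\[a-z]\$", re.I)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def classify(event):
    """Return 'recon', 'system_admin_share', or None for one Sysmon event."""
    cmd = event.get("CommandLine", "")
    if RECON_RE.search(cmd):
        return "recon"
    if ADMIN_SHARE_RE.search(cmd) and event.get("User", "").upper().endswith("\\SYSTEM"):
        return "system_admin_share"
    return None


def hunt(events, window=timedelta(minutes=30)):
    """Score single events, then chain them per host: recon followed by the
    SYSTEM account mounting a remote C$ within ``window`` is the pattern
    worth escalating rather than triaging as two separate low-level hits."""
    scored = [(classify(ev), ev) for ev in sorted(events, key=lambda e: e["UtcTime"])]
    hits = [(kind, ev) for kind, ev in scored if kind]
    chains = []
    for kind, mount in hits:
        if kind != "system_admin_share":
            continue
        t_mount = datetime.strptime(mount["UtcTime"], TS_FMT)
        prior_recon = [
            ev["CommandLine"] for k, ev in hits
            if k == "recon" and ev["Computer"] == mount["Computer"]
            and timedelta(0) <= t_mount - datetime.strptime(ev["UtcTime"], TS_FMT) <= window
        ]
        if prior_recon:
            chains.append({
                "host": mount["Computer"],
                "target": ADMIN_SHARE_RE.search(mount["CommandLine"])["host"],
                "recon": prior_recon,
                "mount": mount["CommandLine"],
            })
    return {"hits": [(k, ev["CommandLine"]) for k, ev in hits], "chains": chains}


if __name__ == "__main__":
    for chain in hunt(SAMPLE_EVENTS)["chains"]:
        print(f"{chain['host']}: recon {chain['recon']} then SYSTEM mapped "
              f"{chain['target']} C$ via '{chain['mount']}'")
```

Two design points worth noting: the regexes match both net.exe and net1.exe, since net.exe commonly hands the real work to net1.exe and a rule that only watches one of them misses half the events; and a human admin mapping C$ is left out of the SYSTEM rule on purpose, because the signal in this chain is the account context (SYSTEM, as the Exchange worker runs) rather than the share itself.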
After Amanda’s session, I headed down to the main hall to catch a keynote presentation, The Journey To The Self-Driving SOC. Nir Zuk, CTO and founder of Palo Alto Networks, argued that today’s security operations center (SOC) is ineffective: humans cannot triage, investigate and respond to alerts quickly enough to make a real impact. Instead, Zuk said, we should model the SOC after the self-driving car, centering it on AI and ML rather than humans. That requires a massive amount of diversified data to train the ML models, and that data needs to live in one centralized location.
Completely automated SOCs are already a reality, said Zuk. But listening to this keynote, I wondered how many organizations can realistically afford to implement these suggestions. Training ML models, as Zuk pointed out, requires a massive amount of data storage and processing. A bare minimum approach to deploying and maintaining an ML model costs $60k over the first five years, according to PhData, and that approach likely won’t scale over time and omits key features, which leads to performance degradation. Nor does that $60k account for other costs such as data storage, hardware and software.
Zuk’s approach certainly wouldn’t be viable for any small to midsize business, which, as Patel mentioned in yesterday’s keynote, are struggling to stay above the security poverty line. At Blumira, we recently published a guide for folks without the budget to staff a full SOC, let alone train ML models, to get SOC-like capabilities. You can download that here.
RSA day two brought another interesting session, What (Actually, Specifically) Makes Security Programs EVEN MORE Successful? Wendy Nather, Head of Advisory CISOs at Cisco, and Wade Baker, Partner and Co-Founder of Cyentia Institute, surveyed 4,800 IT and security pros to understand which actions led to success in a security program.
Five practices had the greatest statistical likelihood of improving all the desired program outcomes across the board, including recruiting and retaining talent, creating strong culture, and avoiding major incidents. Those five practices were:
The message here, Nather and Baker emphasized, is not to replace people with automation, but to combine them. That’s an approach we can get on board with at Blumira. We find that giving SecOps teams automated threat response produces better outcomes by saving time and filling gaps in expertise, especially for smaller teams with fewer resources. Tools such as automated workflows, built-in playbooks and dynamic blocklists speed up the process of investigating and responding to an alert and take the guesswork out of the equation.
Stop by Blumira’s RSA booth #3222 in the South Expo to get a demo, snag a free t-shirt, and speak to one of our security experts.