My RSA Expectations – Blinding Spotlights

Having been to more RSA events than I am willing to admit, the highlight for me is always watching for new products being released and security startups coming out of stealth showing their never-before-seen technologies to detect data breaches before they happen. At this year’s RSA event most of the older more mature technologies will be found in north building and most of the security startups with new ideas will be found in the south building (Exabeam’s booth #S2722).

While it’s always inspiring for me to see how creativity is applied to find new ways to help companies protect themselves from data breaches, it also creates a huge challenge for CISOs.

A CISO walks into RSA

A CISO walks into RSA (joke implied…) and gets bombarded by new technologies that all can help protect his/her company using a budget that was set for last year’s projects at best. What really happens? Well… every CISO that I meet always says the same thing; “If you want my business, show me something I can’t see with other technologies I already have. I’ll have to convince everyone that what you have is worth pulling the plug on a different project already in flight.” Keep that in mind – all of the technologies available today, provide some insight into security threats, which in theory sounds great, however – too many spotlights can make you blind.

We are blinded today by the amount of information that we have, which makes it almost impossible to run a security operations center with tens of thousands or even hundreds of thousands of alerts and events flying in from tens or hundreds of products. If we look at some of the large data breaches that happened over the past few years, most of them had some indicator. However, when a security analyst sits in front of all of these spotlights, it’s hard to tell what’s important, what’s not, what’s a false positive and what’s just noise.

Not another spotlight

Exabeam isn’t just another spotlight. It takes existing data and organizes it in a way that builds stories from it. Imagine a user coming from a VPN, carrying in a malware and connecting to different systems in your organization, the malware then starts scanning and touching computers and servers in an attempt to steal data. In some cases the malware tries to tap into multiple point-of-sale systems. That sounds interesting right? But what would give you that whole story today? Your anti-malware will throw an alert, which you may or may not ignore. Your windows logs will show access data, which you may or may not be looking into, if you are lucky you will get an alarm when a user is trying to access a point-of-sale device.

All of these data points are spotlights, but they do not mean anything until they become a story, a way to track what happens and flag behavior that is suspicious across silos that exist between people with different expertise and different points of view.

I expect to see many new spotlights at RSA this year. Exabeam’s mission is to make the full story readily apparent and tie everything back to the story of an attack.