RSA Conference 2022 – Reflections

Pictured (from left to right) Stewart Bertram, Giorgos Georgopoulos and Ben Strickson

The RSA Conference hosted in San Francisco burst back onto the cyber security scene after a two year COVID enforced hiatus – and some of the Elemendar team were there to see it! 

So, what were the main themes that came out of RSA 2022?

‘Zero Trust and Observables’ is the short answer, but let’s jump into these concepts and their implications in a little more detail. 

• Zero Trust: It seemed that nearly every second vendor was selling a ‘Zero Trust’ based solution. For those unfamiliar with the concept, Zero Trust is a strategic approach to cyber security that eliminates implicit trust within a network in favour of near constant identity verification and validation. This a smart approach given the fact that the lateral movement phase of many cyber-attacks exploits the inverse of Zero Trust, that being the implicit trust that comes with common network features such as shared network resources etc.

• Observables: The concept of observables is centered around detection of an intruder using a combination of data that would not typically be considered an indicator of compromise, such as a malware sample. For example: host activity, registry key access and URL visits do not normally trigger an alert in a conventional network security environment. However, within an observable based environment this pattern could be identified as malicious and lead to the breaking of an attacker’s kill chain. Observables are similar to indicators of compromise but more suitable, as there is no obvious smoking gun that can be encapsulated as a classic indicator of compromise. Therefore Zero Trust shifting to observables is a smart move given the rise of no malware/living off the land style of intrusion that we are seeing become more and more common.  

So, those were the big two trends, sharing commonalities in the consumption of new security tools and services by consumers. Networks typically need significant reconfiguring to support a Zero Trust approach and conventional ‘windows logging’ is not granular enough to catch observable based activities. As such the message from both these industry trends was clear – the threat is getting more potent, the defence surface more broad and the need for investment on specialised security technologies acute.

Hype of hard facts?

The cynical amongst you may say that the current industry trends are just hype and the latest iteration of a “must have” new technology. After all, the universe did not end when Zero Trust and Observables did not exist, right? While cyber security is not averse to fashion trends, in this case I do believe that the industry’s collective push towards Zero Trust and Observables is justified.

The cyber threat landscape has a fast-changing threat profile, especially compared to the more static “bomb and bullet” based areas of risk management. Whilst Zero Trust and Observables were not being pushed as hard a decade ago, the last ten years have seen the proliferation of more dangerous threats trends within the cyber landscape. These include: 

1. Existential cyber threat: it’s a fact that there are businesses that no longer exist as a result of a destructive cyber-attack. Ransomware actors have been the main drivers for this trend over the last few years. However, more Nation State and Non-State actors have started to play this game.
2. Everyone has an APT: once a select club, now every major nation state has at least one APT group, with many competing groups having access to remarkable hacking technology, unimaginable even a few years ago. Inexpensive and effective, APT is the new “go to” intelligence collection capability for most states in 2022.
3. Hugely broadened attack surface: Bring Your Own Device trend was in many ways a herald for the raft of security issues that were virtually mandated by the globally distributed working practices COVID bought. Within this context and a slow return to the “everyone into the office” approach, the attack surface has never been larger. 

Within this context the strategic approach mandated by Zero Trust and Observables is a no brainer. Years ago, security teams had weeks or even months to respond to a network intrusion as threats were not there to encrypt and ransom the network but instead steal data. Fast forward to 2022 and security teams must detect and mitigate cyber threats within seconds of a compromise.  

“Seconds” may sound like an exaggeration but take a look at the table shown below. Created by the operators of the LockBit 2.0 Ransomware, this advertisement shows the sheer speed of their ransomware over other ransomware gangs.

Figure showing Ransomware comparative table

Within the context of the data shown in the table above, and the implication of the damage that malicious malware can do, Zero Trust and Observables are viable solutions. For both approaches there is (theoretically) improved defence as Zero Trust frustrates lateral movement and Observables lead to increased detection. So, in a nutshell these two RSA industry trends are, in Elemendar’s view, not just industry fluff. 

The future…

If you accept my 3 key observations regarding the rising threat landscape, several trends will emerge within the field of cyber security. One of these future trends will be better use of cyber threat intelligence. In fact a key part of this will be as a result of advanced technologies such as Machine Learning to establish frameworks (e.g. MITRE ATT&CK) within our cyber defences, just as we at Elemendar are already doing.