RSA was good this year, but I didn’t really notice any major new trends. Nothing on the scale of—say—AI, or blockchain. But there were some disruptions that looked quite interesting.
The overall themes I saw this year were largely the same as last year, with a few notable changes.
- AI talk has become a lot more tempered and realistic. People are realizing it’s more like saying you have a database, and you really have to describe HOW you use it, and not just say you have it.
- Lots of threat intelligence stuff.
- Lots of focus on orchestration.
- Lots more OT stuff.
I suppose the S1 Ranger thing (below) qualifies as Asset Management.
I’m disappointed not to see much about Asset Management. Maybe next year, when the Linux desktop becomes popular.
Chronicle Releases Backstory
The Backstory release by Chronicle appears to be groundbreaking.
They’re doing a cloud-based offering that is priced by your employee count rather than data usage, and that’s tens, hundreds, or even thousands of times faster than existing solutions.
It’s basically using all the Google magic secret sauce regarding scalability and speed, to do super fast correlation of malicious behavior for an enterprise’s data.
They just launched, but they’re already getting a ton of partnerships.
The key is the ability to look backwards in time, which the names Chronicle and Backstory play on, which is cute.
They are keeping all your data (I think indefinitely?) and letting you say things like,
We just learned about this APT, which uses this one domain, which we happened to notice that someone else on your network went to 14 months ago, and it was Julie, and here’s everything else she’s done since then, and everyone else who’s been to that domain.
Oh, and in 250ms.
This and the next tool are definitely the biggest disruptors I saw at the show.
SentinelOne Previews Ranger
SentinelOne is—according to what I’ve seen with multiple customers—the top endpoint protection product, and what they showed at RSA is a new tool called Ranger that allows their installed agents to look laterally at what else is on the network.
So it’s asset discovery using their existing sensors as opposed to installing a bunch of taps or gateways.
It’s super interesting because it’s getting directly into Tanium’s world, which is all about visibility and management.
Ghidra release by NSA
I was in the talk where NSA released Ghidra, and I thought it was quite interesting.
As I wrote after the announcement for the talk, I thought the whole thing was basically a well-meaning PR stunt. That is, a PR stunt for all the right reasons. So, more like a gesture of kindness.
And that was spot on.
What I found interesting about the tool—and the thing that made all the difference—is that Ghidra was not a new tool that they just released for some good press. Oh, no. It’s the primary tool they themselves use, and have been using for years.
The undisputed king of reverse engineering tools has been IDA Pro forever, but with this release the market has instantly changed.
Not only is Ghidra free, while IDA Pro is multiple thousands of dollars, but it actually has many unique features that even IDA doesn’t have.
- There’s a back button for changes that won’t mess up your entire session
- There is support for many platforms
- There’s a decompiler that can go from binary to C pseudocode
- There are collaboration features
…and these are just a few of the differences.
Ghidra instantly became the one and only true competitor for IDA Pro, and in many ways it’s far superior.
This couldn’t have come at a better time, because I’m about to learn some basic RE myself.
It’s quite impressive actually, and I can’t wait to dive into some basic RE CTF challenges.
Solid show, for what it is.
If you come to RSA thinking you’re at Gartner Security, or reInvent, or DEFCON, you’ll be sad.
But if you see it as a chance to see old friends and learn what the industry is doing, it can be enjoyed.
Think of it as the Momentum Partners PDF in real life.
- NSA also has other open source tools, including an SDR framework called REDHAWK.
- Axonius is also another Asset Management play, which takes the asset inventories from tons of vendor products and unifies them into one.
- Inky (which I’ve advised for in the past) is also super cool tech, if you’ve not seen it.