[ Me giving my IoT Attack Surface Areas Talk at RSA 2015 ]
One of the things I do at RSA every year is look for trends that allow me to make predictions for 2-10 years in the future. You can see these trends in the number of vendors trying to do the same thing, and while it can sometimes be hard to tell the difference between the dog and the tail, I think the floor does tangibly indicate what’s on the mind of the industry.
So here are the things that displayed prominently for me this year:
Multiple Data Lakes: One of the main things being sold this year basically equates to a search algorithm. Companies are pitching their ability to help you find insider threats, key business events, whatever. This is great, except it requires that you send THEM all your events, logs, data, etc. After the first one you’re like no problem. After three you’re like that’s weird. After 37 of them it’s like, “This is a problem.” Companies who want 37 types of analysis on their data, events, and logs cannot (and should not have to) manage 37 different data lakes to facilitate that. The same concept applies to capturing netflow and pcap, which many companies are doing as well.
Business Intelligence = Security Intelligence: I saw a number of business intelligence companies on the floor this year that are now branding themselves as security analytics companies. Reminds me of network detection: see/identify/act. Whether that happens at the network, transport, application or whatever layer doesn’t matter much. Same with analyzing data and events. If you’re an expert at finding events in lots of data you probably just need some time and security expertise to retool into “security intelligence”.
Cloud-based Filtering: There were many, many cloud filtering companies. Firewalls, proxies, gateways, whatever. They filter web traffic, network traffic, identity, authentication, whatever. Everything is moving there. And they’re all talking about who did it first, who is most comprehensive, etc.
Enterprises will unify on a single data lake that provides filtered faucets that control data access for particular analysis engines. We’re all familiar with firewalls and proxies doing this (for AV, etc.), and the same thing will happen with a single enterprise data lake. Enterprises will hear about Red Owl or whatever cool new algorithm for finding insider threats, and instead of setting up a tap and storage infrastructure, they’ll just squirt them a data feed from their single, unified, internal data lake that has everything they need in it. The current model works much like door lock manufacturers selling buildings along with their locks. Thanks, we already have a building.
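What a "filtered faucet" on a single lake can look like in practice, as an added illustration that is not code from the original post or from any vendor mentioned in it: one event store, one policy per analysis engine saying which record types and fields that engine may see, and identity fields replaced by a keyed pseudonym so the engine can still correlate a user across events without being handed the raw name. The event records, consumer names, policies and the pseudonymization key are all constructed for the demo.

```python
"""A unified event store with per-consumer filtered faucets (illustrative only)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample records of the kind a unified enterprise lake would hold.
LAKE = [
    {"type": "auth", "user": "alice", "src_ip": "10.0.0.5", "result": "success", "ts": 1},
    {"type": "auth", "user": "bob", "src_ip": "10.0.0.9", "result": "failure", "ts": 2},
    {"type": "file_share", "user": "alice", "share": "smb://fs01/finance", "bytes": 120_000_000, "ts": 3},
    {"type": "web", "user": "bob", "url": "https://example.com/login", "bytes": 4096, "ts": 4},
    {"type": "hr", "user": "alice", "field": "salary", "value": 123456, "ts": 5},
]

# Placeholder key held only by the lake owner; rotate it and the pseudonyms change.
PSEUDONYM_KEY = b"placeholder-key-owned-by-the-lake"


@dataclass(frozen=True)
class FaucetPolicy:
    consumer: str
    event_types: frozenset   # record types this engine is entitled to
    fields: frozenset        # fields that survive; everything else is dropped
    pseudonymize: frozenset = frozenset()  # surviving fields replaced by a keyed hash


# Constructed policies: the insider-threat engine sees auth and share activity with
# pseudonymous users; web analytics sees web records with no user at all; nobody
# gets the HR feed because no policy lists it.
POLICIES = {
    "insider_threat": FaucetPolicy(
        consumer="insider_threat",
        event_types=frozenset({"auth", "file_share"}),
        fields=frozenset({"type", "user", "result", "share", "bytes", "ts"}),
        pseudonymize=frozenset({"user"}),
    ),
    "web_analytics": FaucetPolicy(
        consumer="web_analytics",
        event_types=frozenset({"web"}),
        fields=frozenset({"type", "url", "bytes", "ts"}),
    ),
}


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym: the same input always maps to the same token,
    so a consumer can correlate events, but cannot reverse it without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def validate_policy(policy: FaucetPolicy, identity_fields: frozenset) -> bool:
    """A policy is acceptable only if every identity field it exposes is pseudonymized."""
    exposed = policy.fields & identity_fields
    return exposed <= policy.pseudonymize


def faucet(events, policy: FaucetPolicy):
    """Yield only the records and fields the consumer's policy allows."""
    for ev in events:
        if ev["type"] not in policy.event_types:
            continue
        yield {
            k: (pseudonym(str(v)) if k in policy.pseudonymize else v)
            for k, v in ev.items()
            if k in policy.fields
        }


def deliveries(events, policies: dict) -> dict:
    """Per-consumer count of records handed out: the lake owner's accounting of
    who received what, which the 37-separate-lakes model never gives you."""
    return {name: sum(1 for _ in faucet(events, p)) for name, p in policies.items()}


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        assert validate_policy(policy, frozenset({"user"})), name
        for row in faucet(LAKE, policy):
            print(name, row)
    print(deliveries(LAKE, POLICIES))
```

The engine vendor receives a feed shaped by the owner's policy rather than a tap on the raw store, the owner keeps a count of what left, and the HR records never leave because no faucet is defined for them.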
The cloud becomes dominant as the primary security choke-point. Companies like Zscaler are in a phenomenal position, but soon the providers (Verizon, Layer 3, et al.) may start getting more involved because they are your onramp (and offramp) to your business. On the outgoing side from your business, they filter your DNS, your web traffic, your URL lists, etc. And then on the way in they can scrub your traffic for attacks (cloud WAF, DDoS, etc.). Right in the middle of everything is a brilliant place to be. Expect providers to start partnering with, and buying, security filtering companies like Zscaler, Websense, etc.
The data lake end-game combines IoT and Minority Report: Everyone’s whispering about the same thing on the RSA floor, even if they’re whispering subconsciously. The game is to capture everything and let math sort it out. Want to know if someone is about to steal data from your company internally? Want to know if a customer is about to buy your product after looking at an ad? Gather everything you can, and look at the data. So we’re looking at having—especially with things like the Apple Watch—more data about employee behavior than ever. They’ll gather when they come to work, when they sit down in their chair, what they browse, what sites they visit, and who they interact with. How many meetings did they create? How many did they cancel? What shares did they browse? Now look at all this data, for 100,000 people, going back 10 years, when you know which of them ended up stealing data, or changing jobs, or writing something bad on Twitter, or whatever. Expect the trend to be to collect everything (I mean EVERYTHING, including personal data that people are incentivized to opt in to sharing), put it in the lake, and then let the math sort it out.
One of the main spaces that couldn’t wait to build you a lake of their own was insider threats. Not sure if that’s a residual Snowden effect, or if it’s just the fact that nothing else is working, but it’s interesting. What I find most interesting about it is the big-data possibility of capturing everything and letting the math sort it out.
Threat Intelligence gets an honorable mention. They’re still everywhere, despite the latest DBIR making it quite clear that the value has so far been dubious. It’s early, though.
With DDoS getting nastier and nastier, it starts to feel more natural for the providers themselves to be the ones doing the filtering.
When I give company names I’m giving examples of people in the space, not necessarily saying they’re good fits.
Because of the explosion of big data analysis (sorry), there are two main winners: those who can create the centralized data lake for a customer, and then the companies that can provide search algorithms (some call it business intelligence or security intelligence) that can be pointed at that data.