In and Around the 2017 RSA Conference

Interesting announcements on cognitive computing, endpoint security, middleware, and threat intelligence

As you may have guessed from my blogs, I was really excited about the year’s RSA Security Conference.  At the end of January, I wrote a blog about my expectations for endpoint security at RSA.  I followed up with another ditty about network security banter at this year’s show and concluded the series with a blog about security analytics and operations talk at RSA. 

Yup, I was all set to head to San Francisco at the end of last week when fate and personal issues jumped in.  Alas, I had to cancel my plans.    

Despite my geographic separation, I continue to monitor RSA from afar.  Here are a few stories that jumped out at me as of now:

1.      Sophos buys Invincea.  Okay, this was a few days before RSA but it’s a big story and the timing was in RSA’s neighborhood.  Sophos purchased a next-generation endpoint security leader with great technology that lacked some of the Sand Hill Rd. buzz of its competitors.  Sophos comes away from this acquisition with a great go-to-market and packaging opportunity.  It can bundle Invincea with core Sophos AV, SurfRight anti-exploit technology, or its network security offerings acquired from Astaro and Cyberoam.  It can also package up some or all the pieces as endpoint security via the cloud.  Aside from the value to Sophos, the Invincea deal also represents a new phase of market consolidation with the acquisition of a next-generation endpoint security market leader.  Look for more deals, a few IPOs, and VC panic soon.

2.      Watson meets cybersecurity.  IBM was already offering Watson for cybersecurity but sales were limited to large government intelligence and law enforcement agencies.  This week, IBM announced a version of Watson that is tightly integrated with QRadar, opening cognitive computing capabilities to about 8,000 existing IBM customers.  Watson for QRadar is very different than lots of the machine learning algorithm stuff being discussed at RSA.  Rather than artificial intelligence, Watson for QRadar is designed to emulate the behavior of threat analysts by supplementing internal security alerts and events with exhaustive searches of threat intelligence, social networking sites, blogs, etc.  Watson for QRadar is especially timely given the global cybersecurity skills shortage.  When frustrated CISOs can’t find, or hire skilled cybersecurity analysts, they will be motivated to kick the Watson cybersecurity tires at the very least.

3.      McAfee extends Open DXL.  I’ve written expansively about a Security Analytics and Operations Platform Architecture (SOAPA).  The thought here is that disparate security tools like SIEM, EDR, threat intelligence platforms (TIPs), and incident response platforms (IRPs) will be bridged together using middleware to form an enterprise-class event-based software architecture.  Of course, software architecture tends to be the domain of vendors like Microsoft, Oracle, and Tibco rather than the security crowd.  Nevertheless, McAfee gets it and has been pushing its Data Exchange Layer (DXL) and Open DXL for some time.  At RSA, McAfee extended Open DXL with a new Python client, added integration, and new partnerships.  While I doubt whether software integration infrastructure will get a lot of headlines this week, it’s a fundamental requirement for dealing with enterprise security messaging scale, communications, and integration and thus deserves a lot more industry attention. 

4.      Momentum for the Cyber Threat Alliance (CTA).  A few years ago, cybersecurity leaders like Fortinet, McAfee, Palo Alto Networks, and Symantec formed the CTA to exchange and collaborate on threat intelligence.  The organization has been relatively quiet since its inception before making a splash at RSA this week.  CTA announced the addition of two significant new members, Check Point Software and Cisco.  Additionally, CTA broadcast that former White House cybersecurity leader, Michael Daniel, will become the organizations first president.  We’ve talked about threat intelligence analysis and sharing for years but the fact remains that this discipline remains immature and informal today.  With its new members and leader, perhaps CTA can help threat intelligence sharing evolve so it can finally reach its true potential.

While I miss the energy of the Moscone Center, I’ll be following news, watching videos, and posting more blogs.  Stay tuned.   

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10