Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts fly solo and talk about their recent experience at RSA 2023, the largest cybersecurity conference in North America.
During their conversation, the two discuss the current state of cybersecurity conferences, their thoughts on RSA for 2023, the role AI had at the show, and the interesting potential for secure browsers in the enterprise space.
Ian McShane 0:00
Did you want to switch it around this time? And you want to start off with the welcome or do you want to keep it the same?
Adam Marrè 0:05
Let’s keep it the same this time. I promise, I will get ready to do it. I like you introducing it, so it’s good.
Ian McShane 0:12
All right, hold on. Let me just think about what we’re going to say. Latest episode, yada, yada. I should have asked Dan if he actually wants us to call it Stronger Together. I know that was the tagline of RSA, but that feels awkward to say that out loud, stronger together. Hey, Adam, I feel stronger hanging out with you, man. Thanks.
Adam Marrè 0:31
Yeah, I feel stronger with you. Stronger together.
Theme Music Plays
Ian McShane 0:48
Hello, everyone. Welcome to the latest episode of the Challenge Accepted podcast. My name is Ian McShane, I’m VP of Strategy here at Arctic Wolf.
Adam Marrè 0:55
Hello, everyone. Adam Marrè, CISO of Arctic Wolf. And we’re here to talk about RSA. This week is a little bit different. We don’t have a guest. It’s just the two of us having a nice conversation about what we saw at the RSA Conference in San Francisco.
Ian McShane 1:09
Yeah, we’re going to talk about the buzzwords, the booth designs, and really what we thought was interesting, a conference that has a reputation both good and bad.
Adam Marrè 1:17
And hopefully we’ll get some takeaways on sort of where the cybersecurity industry is as a whole and just our general impressions, so let’s get into it.
Alright, so it was great being at RSA this year. Great conference, I think it was really the first one where it seems like everyone’s back from the pandemic or any disruption, we were in San Francisco. It just felt like everything was back to its full swing again. What did you think Ian?
Ian McShane 1:46
Yes, it’s a funny one. Because I’ve heard some people say that they thought it was busier than last year. I’ve heard other people say it wasn’t as busy last year. Sorry, it wasn’t as busy this year as it was last year. Personally, it felt to me like there were a lot of vendors around and not many end-user organizations. Unless a vendor is an end user consumer or something else. It certainly felt like everyone I talked to, every badge I saw had a vendor name on it of some kind.
Adam Marrè 2:11
Yeah, I really do think that it’s kind of gotten a reputation largely of being a vendor con, in many ways. You know, vendor on vendor.
I don’t know if that’s totally accurate. I do think there’s quite a bit of other value there. But and maybe it was just this year and the macro economic environment or something, but I do know quite a few people who usually send someone from their security organization to the conference, who didn’t this year.
But I will say walking the streets, walking the halls, to me, it didn’t feel smaller. But it has been a number of years since I’ve been there. So I’m probably not the best judge.
Ian McShane 2:46
It did seem pretty busy. I mean, full disclosure, I didn’t actually get to any of the talks or the sessions at RSA this year. So it’s probably hard to gauge the actual attendee type, just from the vendor hall where you are actually surrounded by vendors. So maybe that’s my clouded judgment.
Adam Marrè 3:04
Yeah. But I mean, I heard similar things to what you heard.
Ian McShane 3:08
I mean, personally, I have to say it was great to catch up with people that we work with that I haven’t seen for a while, like you, I hadn’t seen you in person, Adam for probably about a year. I think it was May last year, we last caught up in person.
Adam Marrè 3:20
Yeah, it was interesting, both inside Arctic Wolf and outside the company, I felt like I was able to catch up with people that I haven’t seen in person in quite a while. Arctic Wolf has grown so much over the last year since I’ve been here, some people I’d never met in person, and had that weird, you know, I’ve only met you on Zoom situation where you’re shorter than I thought you were and people look at you. And you know, they’re thinking the same thing. So I did have a few of those moments.
Ian McShane 3:48
Do you generally like security conferences as an attendee?
Adam Marrè 3:52
It’s a mixed bag for me, I do and I don’t.
I especially love conferences, where we get great technical presentations, and I really enjoy those or even some of the classes you can take.
Also, just when it’s just a huge mass of humanity and it’s hard to get anywhere and go to a restaurant, I don’t enjoy that part of it. So yeah, I don’t know. I like some of the smaller conferences, maybe. There’s a great one in Utah, where I live called Saintcon, where you get some really high-quality presentations, and it’s just not with the same number of people. It’s a great conference.
Ian McShane 4:32
The bit I struggle with is I’ve been in the vendor world for basically my entire adult life now. I don’t remember what it was like to go to a show when I wasn’t a vendor. I don’t remember what it was like to go as a practitioner. I think you were probably a bit closer to that. Right? I assume you’ve attended as both law enforcement and as an end user organization, right?
Adam Marrè 4:57
Correct. Yes. In fact, this is my first time as a security vendor.
Oh, on the dark side?
Yeah, all the rest of the times it’s always been as law enforcement, which there was, we would try to go pretty incognito. But sometimes we were more or less welcome to some of the presentations, so they think we’re there to like, catch people which we weren’t. We’re just there to learn like everyone else. I mean, I’m sure there were others who were there to catch people, certainly not us. And then as an end user. And I’ve really enjoyed a lot of those. And certainly building the relationships is great. But man, RSA was just huge.
Ian McShane 5:35
Have you been to Black Hat recently? I’m interested in the non-vendor comparison of RSA and Black Hat. Because, in case you haven’t noticed, I’ve got a fairly jaded perspective on some of these conferences.
Adam Marrè 5:46
I actually haven’t in a number of years, it’s been a long time. I used to back when I was a fed. I used to send friends to go to those and then come back and let me know what happened and things like that. But no, I haven’t been in a number of years.
Ian McShane 6:00
One of the observations I had prior to the pandemic was that Black Hat has moved away, it was moving in the same direction as RSA, instead of being primarily an educational forum for people to go and listen to interesting talks. It was becoming more of a selling tool, or a demand generation tool for vendors, which was starting to get a bit frustrating.
Adam Marrè 6:25
Yeah, and I have also heard that and unfortunately, think that’s the situation.
The Rise of AI in Cybersecurity
Ian McShane 6:30
One thing I was thinking about prior to RSA was how many booths were going to be slapped with stickers talking about ChatGPT. I was expecting to see like ChatGPT everywhere, you know, intelligent bot this, AI bot that, but I guess a lot of the booth printing was finished before the rise, or the re-rise of AI, right.
Adam Marrè 6:52
Yeah, I was expecting the same thing, generative AI everywhere. And you know what, I just didn’t see it amongst all of the other buzzwords on the vendor booths.
I heard that it was talked a lot about in some of the talks and presentations. So I think it was more contained to that. And I did, though, overhear and then heard myself when I was going around to some of the vendor booths, them throwing AI into the conversation. So I definitely know, sort of the verbal slapping of the sticker on the product, but not as much on the actual booth.
Ian McShane 7:32
Yeah, I heard the same thing.
I think there was one vendor, and I’m assuming we probably shouldn’t mention vendors by name, but there was one vendor, I think that announced the integration of some of that ChatGPT like technology into their platform in the form of a chatbot, which again, you know, isn’t really new.
And that’s a funny thing. I think, is it fair to say that marketing is trying to push generative AI and AI in general as the new hotness, again, when the reality is like the security industry, if anyone, has been one of the fastest adopters of AI or machine learning.
Adam Marrè 8:05
Yeah, I do think, and we can probably have a whole show on that. But the hype around AI is a really interesting thing.
I think both it does behoove organizations to look at this new generative AI, especially if they haven’t been looking at it recently to understand what the power of large language models is, and find value there, if they can get value both, within their product and across the organization.
I mean, I think it’s a really important thing to do. I also think it’s important not to let your marketing team go crazy and overhype what’s possible with it. And also not to jump the shark too early with your product itself.
But this has real bottom line implications. I think there was a company recently that does education, I think it’s chegg.com. They do like education. And they mentioned the effect of generative AI on their bottom line and their stock took a huge hit, like 30%-40% or something like that.
Whereas I think if they controlled the message a little bit more, they may have been able, you know, if they’re saying, ‘Hey, we’re integrating, this is how we’re innovating rather than-
Ian McShane 9:13
Oh I see, they took a hit because they said they were using it.
Adam Marrè 9:17
Yeah, so a lot of times we like to poke fun, like everyone’s getting on the bandwagon, but to some degree, if everybody’s thinking about it, they do you know, investor analysts and shareholders and everybody else they want to know, ‘hey, are you staying up with the latest hotness of AI and you’ve got to have at least a story around it.’
Hopefully, it’s a true story. Hopefully, you’re being accurate and helping guide people down the path of like, ‘yeah, maybe it doesn’t do what you think it does. And that doesn’t mean what you think it means. But here’s how we are using it.’ I think it’s really important to do and I think I saw some of that at the conference and then also just people throwing it out to, if we can make a sale because we have AI, that’s great.
Ian McShane 10:01
Yeah, I will say I thought this year, there were less of the scareware type of headlines. And I certainly didn’t see these, ‘Unless you buy this, you’re gonna get pain,’ like there wasn’t as much like scare away against about something like ransomware.
I mean, there were still people walking for badge scans left, right and center. You mentioned an interesting point like around AI specifically, I’ve been very much on the team of eye rolling when I hear people talking about malware generated by AI or by ChatGPT. But one thing I did hear at RSA was a specific example of a proof of concept that uses an OpenAI-like technology to rewrite its main Python code with every infection.
So trying to avoid detection by trying to obfuscate its wormlike behavior, which I thought was an interesting take on it. Now, obviously, if you’ve got an environment that’s got good detection, and strong prevention capabilities, it’s not necessarily going to change the game. But being able to mutate again, is again, proving how cyclical this industry is, if you think back to the early days of file based malware, and how things were specifically tailored to rewrite themselves to avoid heuristic type rule detection.
Adam Marrè 11:15
Yeah, absolutely. It is interesting to see the cyclical nature of the industry. And I think those kinds of applications, ChatGPT, or whatever generative is going to help write phishing emails, and there’s all these really obvious applications, although that one’s a little clever. I hadn’t heard that one until RSA.
But I’m interested to find out when people really get to dig in and spend some time with this, how it’s going to affect both attackers and defenders. So once maybe some of the hype dies down, we can really dig into this as an industry. I am curious to see what sort of unanticipated things are going to come out of it.
But I also did want to say that I think there are real reasons why companies are all talking about AI. I just wanted to see where the rubber meets the road on this. But I was also curious, we’ve kind of dived into that subject that particular hype model that’s out there. But I’m curious, what was your sort of take on, especially down in the vendor hall, what was sort of your take on, as much as that is sort of a funhouse mirror of our industry, en masse as a whole? What is your take on that? And what do you think it reflects on the industry, or at least how the industry is thinking about?
Ian McShane 12:36
My favorite thing to tell people that I saw at RSA was one vendor booth had an actual Whack a Mole game. And if that isn’t the perfect analogy of cybersecurity, I don’t know what it is. I didn’t, unfortunately, get to spend any time and see if they were linking that into their talks, or if it was there for ironic reasons, or just for entertainment. But I thought that was pretty great.
Adam Marrè 12:54
Oh, that is great. That is amazing.
Ian McShane 12:57
But in general, what the most interesting thing and the most surprising thing this year, was that outside of the bigger vendors on the north side, the biggest booths in the south side seem to be startups, or smaller organizations than I would expect to see having big booth are mostly big clouds, cloud security companies, but they had some enormous booth presence there. And compared to their size and market penetration, I was pretty surprised.
Adam Marrè 13:29
Yeah, I think kind of what I was sensing, and, this was just my subjective experience, but I think what I was sensing on the floor is, you’re starting to see this real, or maybe not starting, but it was definitely a reflection, like a real-world reflection of kind of platform versus point solutions, right?
So you had a lot of little booths, and some medium-sized booths of point solutions, very specific tools, or services for a specific cybersecurity application, right?
And then you have more of these platforms, or people trying to be platforms, your Google Cloud, Microsoft, all these big vendors. What I was seeing is a lot less interest around those point solutions and a lot more interest around the platforms.
And in talking with other security leaders, I do think there’s this especially in this time of, tightening the belt, this idea of like, I’m looking at platforms, and I think we’ve talked about on the podcast before, like, is it platform or best in class, right? Because sometimes you’re making the choice between the two and I think what I was seeing was maybe a lean toward platform if I can get, 70%-80% solution, and it’s already on the platform I already have, I already know it integrates, if it’s not a non-integration I can get that value out of it. And I’m just gonna go with that. That was one of the things I think I was seeing while I was there.
Ian McShane 15:00
A corollary to that, and now I’m second guessing whether that I’ve actually used that word correctly. The opposite view to that is that I saw also a lot of people talking about platforms and the platform-ization of security.
But what I took away from it was that we are at risk of perfect being the enemy of good, like everyone’s talking about being able to do everything you want from this tool on day one, like Zero Trust is a great example, because I’ve heard two or three talks from different vendors talking about Zero Trust. And they all seemed to be leaning into how, air quotes because this is audio, but how easy it is to roll out Zero Trust to your entire organization.
And I’m standing in the back thinking maybe that’s fine for small organizations, but I would prefer, and this is where I want your perspective on this, I would prefer to take bite-sized chunks and get it right maybe by attack surface, maybe by group, and really think about least privilege in that group, rather than similar to how MFA used to be described as, “Oh, it’s too hard to do everything, I’m not going to do it at all.”
So hearing all these big talks about our platform can take everything you’ve got and roll it all into one thing and build your security platform all at once seemed a little bit scary.
Adam Marrè 16:12
Yeah, that is daunting.
I mean, if you’re at like the perfect moment in your growth, as a business, there might be just a great moment for you to jump on a platform like that. And then as you grow, you can grow into it. And you don’t have to do a lot of rip and replace.
But almost no one has the money to spend when they’re at that moment to do that kind of rollout. So yeah, I think obviously, they can make it sound easy, but that can be really hard.
I think where a platform like that can really shine is where they can either just work well with what you have existing right now and integrate with that. Or it’s something that you can do piece by piece, right? Like, I can roll out this, this year. And the next year I can buy this additional license or this additional item, and I can roll that out.
But it is all part of the platform, and I can replace what I have and roll out something new. I think that’s a much more realistic model. Because trying to do a holistic, I’m just going to completely change my environment, lift and shift or however people want to, it’s always way harder than you think it’s going to be and it’s always going to take longer. It’s like remodeling your house, it’s going to take more money. It’s supposed to be ready by Christmas, it’s Easter, you’re not in yet, it’s gonna be something like that.
Ian McShane 17:27
I realized that the folks that are talking, trying to sell the dream of ease and simplicity and security, right? But hearing people say, ‘all you have to do is add your cloud API keys, and we’ll take care of everything else for you’ has red flags and alarm bells ringing at the top of their lungs.
Adam Marrè 17:41
Yeah, I do think another challenge for the platforms, and I think you and I noticed this, we took a moment we walked around together kind of look at the booths. And when you get that large, or you have that many different elements to your solution, you can have every buzzword slapped on the side of your booth or your box and it just becomes like, ‘Well, what do you do?’ I look at the vendor, I’m like, ‘so I’ve heard of you. And now you have every buzzword in cybersecurity. And what do you do?’ Like what’s the value you bring?
And you can get lost in the noise.
Ian McShane 18:17
I felt like threat intel was the badge of honor this year, like almost every single booth, whether it was cloud, endpoint, or API security, had this label of threat intel or intelligence on the side, whether they were consuming it, using it, producing it. I don’t know what, but it seemed like that was the phrase that was around. I was surprised to see that so much more than AI, to be quite honest.
Adam Marrè 18:37
Yeah, it’s true. We definitely saw a lot of that. So was there anything at the show that you were particularly excited about? Or thought might have some promise? Or would be something you want to take another look at?
Ian McShane 18:52
I mean, I still feel like as an industry, we try and cater towards the cutting edge. So again, talking about being able to roll stuff out and deploy it and having spent so long talking to normal organizations, not the halves of the world that have an unlimited budget and unlimited people to throw at it.
I still feel that there’s a huge amount of the market that is not catered for, because these tools don’t run themselves, these tools are not cheap. And when you’re catering for the top 100 organizations globally, that’s how you communicate with the rest of the market. And I think it alienates some of these customers that can’t do it.
But there was someone that both of us were talking to that attended either your talk or my talk right at our booth. And they were saying that they were getting frustrated and having to have this conversation because they were a construction company, I think, and they were getting frustrated and trying to communicate how important cybersecurity is to a construction company, but no one comes to market to them because they’re not on the cutting edge of technology or something.
Adam Marrè 19:54
Yeah, I do remember that conversation. And it was interesting to me that I think there is another assumption that if you’re not a tech company, or if you’re not in heavily in tech, that you don’t understand cybersecurity and don’t care about it.
And here we have some representatives from a construction company come up through that company and they’re as concerned or more concerned than anyone else and really understand the space. And we’re trying to figure out what the right solutions for them are.
So I think it is a really good point about focusing on the whole market, and not just the largest enterprises.
Ian McShane 20:29
Just making it more accessible, which is really what it is like, I think, and that’s nothing new for this year. I know you said, but a take away from this year, but it’s the same old thing. It’s like it’s just not accessible, or it’s not as accessible as I think it should be like we should be as an industry focused on making security usable by anyone.
Adam Marrè 20:48
Yeah, really that sort of demystification of it. And also, maybe some of these enterprises need to get a little bit better at saying like, ‘here’s the everyday solution. And yes, we have this super complex or solution that’s really mature for a large organization, but we can also serve you at the SMB size or in whatever vertical you’re in.’
Ian McShane 21:12
Yeah. What about you? So obviously, I’ve been vendored for my entire life, you’re straddling that post of being representative of a vendor, but also a consumer of a lot of this technology, or, dare I say it, someone with purchasing authority. Right. So what did you take away? Or actually, did anyone ask you if you had purchasing authority? Because I think that’s a great question. I used to hear a lot.
Adam Marrè 21:36
No, they did not. I tried to be fairly incognito, did not want to let anybody know what I do for a living. Because as soon as I do, it’s like blood in the water. And here come all the sharks.
But yes, I did compare salespeople to sharks, but I didn’t get a lot of that. But one thing I got a little excited about I saw a couple of vendors for secure browsers. And it’s one of those things where you’re like, I know, an idea is good when I’m hearing it explained to me, and I think ‘well duh, of course,’ and then you ask yourself, why hasn’t anyone else done this? You know?
And there are usually detailed reasons of why it hasn’t worked that well before and what the shortcomings were. But there are a couple of maturing solutions now in that space. And there’s some great applications for it like contractors, or interns or other segments of your employee population that you want to control. Like, in the case of contractors, I don’t want to have to send them equipment. But maybe I can just let them log in and force them to log in through a secure browser where I can see everything on it, and not allow them to take anything outside of it. Almost like they got a virtual desktop or something like that. But it’s much more lightweight than that. Some pretty cool innovations and solutions there that I’m taking a look at.
Ian McShane 22:54
So is that like the new Thin Client, like you mentioned, instead of sending out hardware? Is it the new the replacement for Citrix and stuff like that?
Adam Marrè 23:01
Exactly. And it’s like orders of magnitude easier to administer, and for people to use, frankly, and the speed is, because it’s just a browser right now we’re just controlling it. You’re avoiding a lot of the problems of having to like fork chromium or something like that. You own that fork. And they’re doing it in different ways than that. So they don’t have to do that. And it’s just layered on top.
So that was one thing that I thought was interesting. And then the other space I’m curious and watching is the SSPM space, which is, most people are familiar with CSPM, cloud security posture management. This is SaaS security posture management, which is where they’re essentially doing the same thing for your cloud, your AWS, or GCP, or whatever it is, but what they’re doing with all the different various SaaS solutions you have.
So Salesforce or NetSuite, or Google Cloud or Microsoft 365, whatever it is, right? And basically hitting all those and making sure that you have all the right security configurations set up and all of those, I mean, of course, they’re gonna live and die by, do they integrate with all of the SaaS providers that we have as an organization and things like that, but that is really cool, there are large companies that have it, there are point solutions.
It’s an interesting space that I’m watching to see if some real value can come out of that. Because, we’ve all seen the data breach reports, we know how many times a misconfiguration in a SaaS service is what not just the cloud services like S3 buckets, but also SaaS service. Right? You might not have had the right security configuration setup.
Ian McShane 24:37
Yeah. One of the foremost jokes of certainly of RSA Conference is always the amount of swag that gets given away and folks that buy a badge to come and just collect swag and sell it on eBay. Did you actually see any interesting swag? Full disclosure, I actually didn’t come away with any swag this year. I didn’t get the chance to really figure out who was giving away anything interesting.
Adam Marrè 24:58
First of all, I should caveat this with I am not a swag guy. So if I come up with an extra backpack, or socks or a mug, it’s probably going to end up at Goodwill or something, or maybe with my kids if they’re interested in it, but no, I didn’t. I don’t have a great eye for that.
But I didn’t see anything super interesting. I love the Red Bull Racing water bottles that we gave out at one point, I thought that was a cool one. But I mean, there was some fun T shirts and things like that I saw but nothing major.
Ian McShane 25:33
The one thing I missed this year, so up before the pandemic, there was this growing trend of instead of giving out swag, some of the smaller vendors would make donations to an animal shelter. And unfortunately can’t remember this specific vendor. But it was always in the walkway between the two main halls. And on the last day of the conference, they would have an animal shelter, bring in a bunch of puppies or a bunch of kittens and stuff. And you could get your badge scanned and pet some animals or something like that, which felt like not only a good way to, I guess, chase the pointless badge scanning metric, but actually do some good for the community.
And like you say, rather than just give away T-shirts that again, end up in a landfill or Goodwill, that felt like a much better way to spend some money.
Adam Marrè 26:13
Absolutely. I love that idea. Much like, a number of years they sort of wrote some policies around who can be around the booth to attract to it and I like that they tighten up those rules to get rid of that culture. It might be good to have maybe a little bit more muted culture around swag. And let’s do more things like donate to charities, I actually really love that idea.
Ian McShane 26:36
I like that, trying to be a bit more ethical with things rather than just produce more crap. Yeah.
Adam Marrè 26:41
So stepping back, sort of my last take on the conference for me was if I’m looking at it, like I’m looking at the whole landscape of cybersecurity, especially from a vendor standpoint is it really seems like to me, we’ve hit like peak vendor, peak number of vendors.
I think someone’s done a calculation that there’s five or 6,000 different cybersecurity vendors worldwide. Maybe that’s a low estimate, I don’t know.
To me, it just seemed like, well, that was borne out by what I saw. And I know, if you look at the reports of the amount of investing in M&A activity, it peaked a few years ago, and it’s been sort of steadily coming down, I think, my prediction, I think we’re gonna see is a sort of a great consolidation, in some of these point solutions of like, preventing left handed people on Tuesdays from clicking on phishing links are going to be either run out of business or they’re going to be subsumed in some larger corporations, and we’re gonna see a bit of a consolidation across the industry.
But that’s just sort of my take. I mean, it didn’t quite seem like pets.com, you know, the web in the ’90s. But, kind of close in some way.
Ian McShane 28:02
I mean, I think the capitalist economy over the last 10 years has really enabled a lot of investment, which means that there are a lot of companies that are, in my opinion, providing very small features that should be part of a bigger problem solving platform, right.
So exactly, as you say, I think that this industry has talked about vendor consolidation from the side of the consumer or the end user organization for a long time about trying to get this mythical single pane of glass, this thing that manages everything and can bring everything into one usable, manageable platform.
I think you’re definitely right, I think there’s just too many vendors for the amount of humans that can actually operate these things.
Adam Marrè 28:42
Yeah, absolutely. So I think we’ll see that, but I think another takeaway is that the industry is definitely alive and well.
Ian McShane 28:53
Like I said, it was good catching up with you in person. It’s great to compare notes about RSA as well and make sure that we took away the right things. So thanks everyone for listening. Thanks for hanging out, Adam.
Adam Marrè 29:04
Yeah, it’s been great and thanks, everyone.