RSA Conference 2017: Anticipating Network Security Chatter

I recently posted a blog about my expectations for endpoint security at the upcoming RSA Conference. Similarly, here’s what I anticipate hearing about network security:

1. DDoS protection. While data breaches get front page, above the fold headlines, DDoS attacks remain relatively invisible. This is puzzling since DDoS attacks happen almost daily. A quick review of the news shows that the Trump hotel website, Sonic (ISP in CA), Emsisoft, and Lloyd’s Bank have all been hit with DDoS attacks over the past few weeks. These are relatively pedestrian attacks compared to the now infamous Mirai botnet DDoS attack on Dyn back in October and the subsequent attack on French hosting provider OVH a week later. These particular DDoS attacks generated between 60mbps and 1tbps worth of traffic! It’s also worth noting that we are seeing a rise in stealthy application-layer DDoS attacks as well as blended threats of DDoS and ransomware together. DDoS attacks are still a tad on the geeky side to play a starring role at RSA, but I do expect a lot more DDoS chatter. Good thing because a lot of security professionals don’t really understand modern DDoS attacks and need the education. Vendors like Akamai, Arbor Networks, F5, and Radware will lead these discussions but I expect a lot of folks from the next-generation firewall crowd to join in.

2. Cloud meets network security. Admittedly this is a big category including everything from securing cloud-based workloads to using the cloud as a network operations control plane. Securing cloud-based workloads has given rise to things like micro-segmentation and cloud security specialists like CloudPassage, Illumio, and vArmour. In reaction, traditional firewall companies like Check Point, Cisco, Fortinet, and Palo Alto offer cloud-based workload security software of their own, but they’re not alone—since its software, McAfee, Symantec, and Trend are also engaged. This is shaping up to be a ferocious battle forcing the firewall crowd to embrace software and create some security mojo with the DevOps crowd. Should make for good banter in San Francisco. On the other front, network security vendors are moving toward cloud-based operations for configuration, policy, and change management. Cisco cloud defense orchestrator (CDO) and the Fortinet security fabric are good examples here. I’m anxious to see what steps these and other vendors are taking to make cloud control planes more powerful and ubiquitous.

3. The software-defined perimeter (SDP). I follow this market enough to know that most security and networking professionals haven’t a clue about what it is, so I’m hopeful that vendors use the RSA Conference for SDP education rather than marketing hype alone. To me, SDP means connecting users and devices to network services using attribute-based access controls and continuous risk scoring. Think of an end-to-end secure tunnel that enforces rules based upon who you are, where you are, and the current threat landscape. Vendors like Cryptzone and Vidder have SDP products, but I think this market will also attract companies like Aruba (HPE), Cisco, and ForeScout who play in network access control as well as service providers like AT&T, BT, and Verizon. If done right, RSA 2017 should be an SDP coming-out party.

4. Scale and consolidation. On the hardware front, network security vendors’ face two opposing forces. On one side, they face unprecedented network scale—more bandwidth, packets, devices, sessions, etc. On the other, network security vendors are trying to squeeze more functionality into standalone NGFWs and other gateways. Oh, and I can’t forget to mention that most of these packets are now encrypted so SSL decryption must be part of the mix. These trends are driving a new class of wildly powerful boxes, price wars, and fierce competition. As an old hardware guy, I look forward to talking about nerdy stuff like multi-threading, network I/O, parallel processing, etc.

5. Network security analytics. There’s a lot of activity in this space from the likes of Arbor, Blue Coat (Symantec) DarkTrace, Lancope (Cisco), NetFort, RSA, and Vectra Networks. These tools track activity from Layer 3 through 7, apply rules and machine learning algorithms, and help organizations navigate cyber-attack kill chains based upon suspicious network activity. Large enterprises are buying commercial tools or replacing old tools with new ones with the hope of accelerating incident response, establishing “hunting” activities, or aligning external threat intelligence with network traffic telemetry. This is another technology I’m quite familiar with so my main interest is how artificial intelligence and process automation are proceeding here.

While there will be tons of technologies at RSA, enterprise organizations still spend about 50 cents of every security dollar on network security monitoring and controls. As always, this should make for a robust network security dialogue at the Moscone Center.

Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s cybersecurity service. Read more ESG blogs here.