RSAC2021: https://www.rsaconference.com/usa
The COVID-19 pandemic, like a black swan, has changed how people work and live. It not only made RSA Conference meet its audience in a fully virtual format for the first time, it also tied people more deeply to the network, making the importance of cybersecurity ever more prominent.
As a globally watched, pioneering industry conference, RSA Conference has long been a bellwether for the direction of technical research. This year the organizers drew insights into future trends from 2,000 early submissions and, after repeated screening and evaluation, released the new year's top ten security trends at RSAC2021.
Below, Xiao An introduces the ten RSAC2021 security trends one by one, drawing on the original text.
Trend 1: The evolving role of security management
Evolution of Roles: As we’ve seen every year, there were many submissions that spoke to the evolution of the CISO, who is increasingly required to have more frequent communication with the board; thus, attendees at RSA Conference 2021 will have the opportunity to learn about the ways that CISOs can develop new communications skills. We are seeing a trend in the rise of Chief Product Security Officers (CPSOs), a role PC member Megan Samford on the Securing All the Things track pointed out is separate from a CISO. The CPSO, “covers the security of what a company sells—building security in, both in terms of features and secure development throughout the lifecycle of a product.”
Xiao An's comment: As information security gains standing within enterprises, the responsibilities of security management roles are changing with it. The CISO (Chief Information Security Officer) can no longer fully meet security management needs on its own; what followed was the creation of the CPSO (Chief Product Security Officer) role and the transition to the CIRO (Chief Information Risk Officer). The responsibilities of these two roles differ somewhat from the CISO's, yet both are indispensable to the enterprise, so the skills and qualities they require are something enterprises and the security community need to explore together.
Trend 2: Artificial intelligence and machine learning
Straight Talk about ML & AI: This year’s PC for the ML & AI track was pleased to see talks that focused on the practical realities of using AI and ML. “These are vast, confusing technical areas, and in previous years we saw a lot of “magic unicorn glitter”—which made this year’s submission a welcome change,” wrote Diana Kelley and Saurabh Shintre. “The trend this year was towards lessons learned, applicable takeaways for organizations and practitioners as well as limitations and issues around potential harms of AI.” Kelley and Shintre really appreciate seeing more practical use cases in submissions offering ways to generate and catch spam using AI tools like Generative Pre-trained Transformer 3 (GPT-3), how ML can inject fairness into federated learning, how to stop attacks on advanced driving-assistance systems, and how ML is in use today at large financial services institutions to advance data visualization and automation to combat fraud.
Xiao An's comment: Artificial intelligence and machine learning have long been the darling of the security industry, particularly of academic circles and security research teams. The most pressing problem in recent years is how to take those research results into practice, turning them into products or enterprise defense solutions. We have already seen commercial security products at home and abroad built around AI and machine learning, as well as adversarial-attack results produced by teams specializing in AI; the future of AI in security remains wide open.
Trend 3: Information manipulation and its impact
Information Manipulation and Its Impact: A resounding theme this year is echoed in the title of one of this year’s Human Element sessions: Invisible Security: Protecting Users with No Time to Spare. Trending more than phishing, though, was disinformation campaigns. Andrea Little Limbago, PC member on the Human Element track, wrote, “There were also several submissions on disinformation campaigns and their security impact. On the one hand, this is not surprising given the widespread impact of these campaigns from many of the same threat actors.”
Xiao An's comment: Information manipulation is another important trend RSAC raised this year. COVID-19 is still raging in Europe and the United States, and false information keeps surfacing on social media of every kind; the recent Chengdu No. 49 Middle School incident in China and the information war in the Israeli-Palestinian conflict also highlight the influence and importance of information manipulation.
Trend 4: Ransomware
Ransomware Attacks: Greg Day was not surprised to see a continued focus on ransomware in the Hackers & Threats track. “We have seen the attacks becoming more sophisticated and targeted. Often they are now carrying multiple payloads such as ransoming data access but also either reselling the data on or extorting further funds under threat of posting non-public data in the public domain,” Day wrote. “And while some ransomware is still focused on random victims, others have become far more targeted. The healthcare industry has certainly seen the pain from this.”
Xiao An's comment: An old topic, but one that cannot be avoided. Arrests and takedowns by various countries had already slowed the growth of ransomware, but DarkSide's heavy blow to a fuel company reminded everyone of the reality that attack and defense are out of balance. Compared with last year, ransomware has gone a step further in "quality of service", even pioneering the new practice of extortion by data disclosure alone. Companies and institutions in infrastructure, healthcare and pharmaceuticals will need to put more effort into countering this threat in the future.
Trend 5: Sharing, and how to share
Share and Share Alike: Submissions reviewed by the Analytics, Intelligence & Response PC revealed that more intelligence sharing is needed. Todd Inskeep wrote, “Several organizations have learned lessons that work in specific sectors (like the Cyber Threat Alliance for the cybersecurity industry) and plan to share lessons on how to make sharing work better and make it more valuable. Perhaps the most intriguing thesis is that aligning intelligence sharing to business needs can drive more valuable sharing of insights.”
Xiao An's comment: The more the threat intelligence business develops, the more the security community recognizes the importance of intelligence sharing. To achieve 1+1>2, simply sharing intelligence is not enough; deeper cooperation and better cooperation mechanisms are needed. The trend raised here is intelligence sharing: first, a call for the security community to step up cooperation, and second, a discussion of how to cooperate better.
Trend 6: Shifts in people, processes and technology in enterprise security
Resilience of People, Processes and Technologies: Resilience, which is core to our industry and is key to define clearly, was highlighted more and more in submissions as discussions shift to calibration of risk; indeed, our Risk Management & Governance track is full of actionable approaches. The challenge of the rapid flip to a predominantly dispersed workforce was significant enough that we decided to highlight it in the new Securing the Remote Workforce track, designed to provide prescriptive guidance to threats from a home-based workforce and recommendations for organizations needing to adjust to the normalization of changes that have been implemented. The track will also look into the future and deliver concrete ideas to help organizations thrive in a sea of change. Assessments have shined the light on challenges and opportunities for organizations that have quickly pivoted, and continuous controls monitoring is being used to help companies raise the bar and evolve cybersecurity resilience. Threat hunting was a significant “micro trend” within this macro trend of resilience, with submissions focused on proactive approaches and picking up on untraditional and difficult-to-find threat indicators like lateral movement, exfiltration, compromised accounts, C2 activity detection, impossible journeys, internal recon, abnormal processes and many more nuanced activities as they worked to scan themselves in search of problems. The significant uptick on “art of the hunt” submissions was of great interest, as was the employment of artificial intelligence to enhance the work of human hunters.
Xiao An's comment: Fortune is hard to predict: before an enterprise has adapted to a newly established security strategy, the environment and requirements have already changed. Even setting aside the work-from-home wave brought by the pandemic, enterprises themselves keep adjusting, so how to make the enterprise fit its security strategy, and how to make the security strategy fit a constantly evolving enterprise, become the core questions.
Trend 7: Supply chain security
Supply Chain Security & Software Integrity: Another trend within the macro trend of resilience that bears its own review is supply chain security and, related, software integrity, particularly in light of the SolarWinds breach and the ever-growing list of related breaches, a theme that will be touched on in many keynote and track sessions. The 2021 submissions explored the implications of our supply chains on third-party risk, physical security, operational security and business continuity, and also examined the very real and growing geopolitical tensions on supply chain resilience. Always seeking actionable guidance in the material put forward for RSA Conference attendees, the Program Committee was pleased to see sessions focused on the Digital Bill of Materials (DBoM) and Software Bill of Materials (SBoM) as tools to help address supply chain risk management challenges and public-private collaboration opportunities. Reliability, code integrity and good development practices as a theme within DevSecOps & Software Security submissions was also at an all-time high in the proposals reviewed, pointing to steps in our community toward more secure application development processes.
Xiao An's comment: The enormous payoff of supply chain attacks has forced attackers, enterprises and even governments to take supply chain security seriously. The supply chain attacks that have already occurred have had real consequences for enterprise security, personal safety and even national security, so prevention is imperative. And DevSecOps, as the approach to securing the whole product lifecycle, will become an unavoidable topic in supply chain security.
(The SolarWinds supply chain attack spread worldwide)
Trend 8: Zero trust
Zero Trust … with Whispers of SASE Emerging: Zero Trust, likely assisted by the overnight remote workforce, rocketed up the adoption curve. We’ve started to see a healthy bank of submissions from end-user organizations willing to share explicit, direct experiences and recommendations coupled with guidance on controls and technologies needed to help overcome roadblocks to implementation and ease the steep learning curve. Submissions have matured to explorations of security capabilities, debates about the pros and cons of standardizing interfaces (i.e., APIs) for integrating different vendor products, potential architectural challenges and opportunities, and actionable guidance for companies looking to secure access for workers, workloads and the Enterprise of Things. SASE, however, seems to be where CASB was a few years ago, ascending the vendor hype cycle, though we would anticipate seeing rapid changes here.
Xiao An's comment: Zero trust is no longer a lofty buzzword: from government defense departments down to individual enterprises, there are already real deployments, but the many pitfalls and the difficulty of rolling it out still deter plenty of people. Optimizing zero trust deployments, followed by operational analysis and feature expansion, can be expected to proceed in parallel in the years ahead.
(A common zero trust architecture model)
Trend 9: Cloud! Cloud! Cloud!
All Hail the Cloud: Related, but worth its own call out, is the explosion of high-quality cloud security-related submissions. Sessions explored the challenges and opportunities of remote management and delivery of … everything. “Everything as a Service” themes, supported by a cloud infrastructure, permeated submissions—endpoint, identity, network, email and security operations centers, as ways to protect sensitive information, were examined. Submissions also explored the impact of primarily cloud-based deployments on timely dissemination of threat intelligence to all vectors of compromise, which are no longer deployed in centralized locations. On the application security front, we also observed submissions around purpose-built cloud applications that required security in the apps, and on the other end, more adoption of cloud services, with the expectation of app security built-in. The far-reaching impact of this rapid move to the cloud will arguably be felt for years, presenting—perhaps—an opportunity for security to no longer introduce friction into the system and rather help reduce friction in the system. Indeed, there seems to be a significant opportunity here for developers.
Xiao An's comment: The explosive growth of cloud services has introduced a large number of security problems and, at the same time, spawned many cloud-related security solutions. Remote work and business migration under the pandemic in particular have become hot topics. For security vendors, of course, the cloud is also a key focus and selling point: a number of security products now use the cloud for coordinated multi-point defense, cloud-native security is developing rapidly, and the cloud will be an important driver of the security community's future development.
(Architecture diagram of one vendor's cloud security access service, Sangfor Access)
Trend 10: Privacy and information security
Privacy Further Entrenched into Architecture & Operations: The changing nature of the privacy conversation, which we did touch on in last year’s trends, continues to evolve. Whereas in the early years our Privacy track was fairly narrow and of interest exclusively to privacy practitioners, this year the overlap of selections of “privacy-minded” sessions within other tracks was profound, and mature privacy-focused frameworks and codification of processes have emerged that will further drive privacy into corporate architecture and operations. Very clearly, privacy is a cornerstone to the cybersecurity ecosystem, seeming to move to a core value vs. a compliance checkbox for many, though unintended consequences are emerging and the hackers are taking note. The tone of privacy-related submissions also changed. Last year CCPA seemed positioned to take over the federal scene and radically disrupt industry but seemed to lose some steam when COVID-19 hit, and the tenuous balance between privacy and security lay raw, exemplified very clearly in contract tracing challenges and other risks related to identity tracking. New legislation in the area of data protection, privacy and security has also emerged, and the California Privacy Rights Act (CPRA) with its GDPR-like reach in California will likely change the way we’re regulating ourselves in upcoming years. And, as with every other area of our lives and industry, COVID-19 has likely forever impacted the relationship between privacy and security, and clear lessons have been learned.
Xiao An's comment: Privacy is gradually penetrating and merging into existing information security systems, and is even becoming a cornerstone of the modern information security ecosystem. Privacy protection, whether technical (enterprises preventing data leaks, secure storage of information, and so on) or policy-level (laws and regulations on information security and personal data), will keep expanding and maturing as privacy awareness takes root and becomes part of security thinking.
Summary
Under the test of the pandemic, this year's RSAC 2021 theme, "Resilience", is all the more thought-provoking. Among the ten security trends announced this year, ransomware, supply chain security, zero trust and cloud security have repeatedly played out in real events, showing people how destructive cybersecurity threats can be.
Looking back at the theme, the development of the cybersecurity industry is reminding us, through real events, of the urgent need to build a resilient ecosystem.