The general wisdom that a defense can be 100% effective has come to an end. We are seeing the realization of a new reality in which at least one system within an environment is already compromised, and the job of IT Security is now to minimize damage and to discover and neutralize intruders after they have entered the environment.
Target's breach was also a common wake-up call for many at the conference, confirming that even at the largest companies in the world, the basic practice of having a different random password on each device and server was not being followed. The Target breach showed that many breaches stem not from a lack of technology but from a lack of corporate competence. Concurrent with the disclosure of the fundamental incompetence of IT security at Target, their CIO left in March 2014.
As a company we are pushing privileged identity management from a point solution, used to remediate existing poor practices and implement a hard control, into the realm of a privileged identity security platform. Our latest versions are being deployed in a headless configuration (no console or web GUI needed), driven by PowerShell and web service APIs. These APIs orchestrate the discovery, randomization, and release of credentials for a limited period of time as a baked-in feature of the lifetime of each machine (virtual and physical) and application. In essence, our product is becoming a platform for cloud providers, MSPs, and government projects that seek to secure identities as part of their offering stack.
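The credential lifecycle just described, modelled in Python as an added example (not the vendor's code, nor any product's API): every discovered host gets its own CSPRNG-generated password, a checkout releases it for a bounded lease, and a lapsed lease triggers re-randomization. `CredentialVault`, `demo` and the host names are constructed for illustration.

```python
import secrets
from datetime import datetime, timedelta, timezone

class CredentialVault:
    """Hypothetical discover -> randomize -> time-limited release model (no product API)."""
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._clock = clock      # injectable so expiry can be tested
        self._secrets = {}       # host -> current password
        self._leases = {}        # host -> (requester, expiry time)
    def _rotate(self, host):
        # 18 random bytes from the OS CSPRNG (secrets, never random) -> 24 chars
        self._secrets[host] = secrets.token_urlsafe(18)
        self._leases.pop(host, None)   # rotation ends any outstanding release
    def discover(self, hosts):
        """Enroll every host with its own password: no shared admin secret."""
        for host in hosts:
            self._rotate(host)
    def expire(self, now=None):
        """Re-randomize each host whose lease has lapsed; return those hosts."""
        now = now or self._clock()
        lapsed = [h for h, (_, exp) in self._leases.items() if exp <= now]
        for h in lapsed:
            self._rotate(h)
        return lapsed
    def checkout(self, host, requester, minutes=30):
        """Release a credential for a bounded window to one holder at a time."""
        now = self._clock()
        self.expire(now)
        if host in self._leases:
            raise PermissionError(host + " is already checked out")
        self._leases[host] = (requester, now + timedelta(minutes=minutes))
        return self._secrets[host]
    def shared_passwords(self):
        """Groups of hosts sharing one password: the weakness the post calls out."""
        by_pw = {}
        for host, pw in self._secrets.items():
            by_pw.setdefault(pw, []).append(host)
        return [hosts for hosts in by_pw.values() if len(hosts) > 1]

def demo():
    """Walk the lifecycle on a controlled clock; returns facts the test checks."""
    t = [datetime(2014, 3, 1, tzinfo=timezone.utc)]   # constructed start time
    vault = CredentialVault(clock=lambda: t[0])
    vault.discover(["web01", "web02", "db01"])         # constructed host list
    first = vault.checkout("web01", "alice", minutes=30)
    t[0] += timedelta(minutes=31)                      # lease lapses
    rotated = vault.expire()
    second = vault.checkout("web01", "bob")
    return {"shared": vault.shared_passwords(), "rotated": rotated,
            "changed": first != second}
```

A real deployment would back `_rotate` with the target system's password-change call and log every checkout for audit; the model only shows the control flow.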
We have also seen our product move from a compliance requirement to being part of a cyber-warfare strategy to minimize the attack surface of the entire environment. The product is used by both Red (offense) and Blue (defense) cyber warriors to find weaknesses and to minimize them (depending on which team is using the platform). The evolution from basic compliance, to core security, and then to cyber-warfare/defense, and what it means for product development, has been one of the most interesting areas we have been working on these days.
The other evolution has been the requirement from many customers for a hard SLA for security coverage within strict time periods, every day, with no downtime or unscheduled outages. Certainly this is in line with the move from point-in-time compliance to handling real threats that occur every hour of every day (yes, hackers and nation states attack after the auditor leaves).
RSA was quite a show, and through it we have all seen that the worst-case scenarios of the "future" are today's reality. The general wisdom that compliance has any lasting value has been dropped as a valid concept, and those CIOs who cling to it should be looking for another job. RSA taught us that there are no perfect solutions, only mitigations to minimize risk and damage and the length of time an intruder can move around in your environment.