Last week, Morphisec officially came out of the cyber security closet at the RSA Conference in San Francisco. It was a great opportunity to hear some impressive speakers, network with like-minded peers and take the Morphisec solution out for its first public airing.
The conference may have celebrated its 25th anniversary, but it still has plenty of life left. Never mind the panels, presentations and discussions, there were virtual reality headsets to test out, light sabers to score and craft brews to drink (in a CyBEER Ops glass). The Federal Reserve recruiting team even handed out bags of shredded money.
It was sometimes hard to find the substance amidst all the products, pitches and prizes.
This seemed to be a theme – marketing hype overshadowing real innovation. Others I spoke with agreed. One insurance company CISO lamented that RSAC has become a sales show dominated by large vendors, lacking expert depth. And many analysts and reporters have too many RSA conferences under their belts to be impressed by anything – an attitude we hopefully changed.
During a meeting with one research firm, the initial bored expressions of the analysts made it clear they expected a demonstration of yet another security product making claims to greatness. I received only polite smiles when I promised to show them something truly new and exciting. However, as I explained Morphisec’s Moving Target Defense approach and technology, their faces grew more animated. By the end, they seemed to rediscover some of the enthusiasm missing from the conference. As one reporter from a well-known digital magazine commented about Morphisec’s technology, “it’s brilliant, truly simple, and no one else is doing anything like it.”
The relative lack of disruptive thinking may not just be a problem of RSAC, but of the security industry in general. Last year, as the new president of RSA, Amit Yoran stated in his address at the 2015 conference that “thinking about the problem differently begins with admitting some current technologies don’t work as well as expected. He noted that monitoring for malware is dependent on finding known signatures, and is incapable of detecting unknown threats, and called SIEM an increasingly useless moneypit.”
This year Yoran shared some statistics that elaborated on this theme: An RSA survey indicated that 90 percent of security professionals are not satisfied with the state of security, while Gartner estimates that 60 percent of IT security budgets are spent on incident response. According to an official RSA blog post, “Yoran insists those two findings are intertwined. Simply put, Yoran believes the industry is spending way too much time on incident response, and not enough on preventing attacks from happening in the first place.”
In my eyes, this show’s glitz cannot hide the tarnish of repackaged messages and old defense dogmas. Many claim that the security industry is short one million experts. I will venture that throwing more resources at a problem, without game-changing cyber defeating solutions, is not the answer. Morphisec seeks to tread the path of innovation. We’re sure that there are enough early adopters willing to journey with us for one simple reason – the old way doesn’t work.