More than three years after the COVID pandemic threw the global economy — and the technology conference business — on its ear, the RSA Security Conference was back in force this year, with attendance and a theme, Stronger Together, that celebrated the diversity of the information security community and promoted a sense of post-pandemic healing.
But amid the crowds and good vibes in and around San Francisco’s Moscone Center there was a palpable sense of unease at this year’s show. The world’s first “hot” cyber war in Ukraine and a steady drumbeat of nation-state backed attacks on software supply chains might have had something to do with that. And then there's the prospect of AI-fueled disruption that loomed over the event, prompting questions about what lies ahead for cyber defenders in the industry, enterprises and in the public sector.
Here's a look at some of the big takeaways from this year’s RSA Conference.
[ See ReversingLabs @ RSAC 2023 for key highlights from our experts | Plus: See all of our great posts from the show ]
Software supply chain security gets messy
Threats to software supply chains were a prominent theme this year. Supply chain threats and attacks have been a top concern for organizations in recent years, especially after the attack on the firm Solar Winds made it clear that sophisticated, nation-state actors were capable of penetrating and leveraging trusted software supplier relationships to plant malicious code.
At this year’s event, the recent 3CX hack ensured that conversations about software supply chain security would occupy center stage. The picture that emerged from RSAC was complicated, however, with a range of experts warning that not enough was being done to manage supply chain risks and counter growing attacks.
Despite the media attention to supply chain attacks such as SolarWinds, CodeCov and 3CX, awareness of such threats still lags within the development community, said Karine Ben-Simhon, Vice President of Customer Advocacy at the Trellix Advanced Research Center. Ben-Simhon spoke during a panel discussion on supply chain threats, trends and mitigation strategies.
“We all know about it, we’ve all heard about [supply chain threats], but as a community, we haven’t done enough about it. There are a lot of organizations that are not aware of this type of threat."
—Karine Ben-Simhon
Instead, conversations about software security within development organizations and the information security industry still focus on software vulnerabilities to the exclusion of other risks, said ReversingLabs Product Manager Charlie Jones in his RSAC talk on supply chain threats.
“There's a disconnect between this hyperfocus on the detection, the response, the mitigation of vulnerabilities in software [and] the actual threats that we see being taken advantage of and targeted in the threat landscape. Focusing on vulnerabilities simply isn't enough — and it tends to not be that effective."
—Charlie Jones
Shift left loses its luster
RSAC also showed that the orthodoxy that security needs to “shift left” and become a developer priority is starting to crumble in the face of pushback from developers and others who argue that loading sole responsibility for security on developers is a bridge too far.
Omer Yaron, the Head of Research at Enso Security, said during the supply chain threats, trends and mitigations panel discussion that shifting risk was not realistic.
“[Developers] don’t have the time or the expertise to do security.”
—Omer Yaron
RSAC 2023 showed that the software industry hasn’t arrived at a consensus on how to delegate responsibility for securing the software supply chain. However, several presentations sketched out the broad outlines of a future in which the security of software is easier for development teams and customers to assess and monitor.
Supply chain security: It's complicated
Open-source software, which is included in 75% to 95% of all applications, is challenging security teams. Unlike traditional cybersecurity threats such as endpoint security, software supply chain attacks aren't cookie-cutter incidents but bespoke creations that differ from one another in ways that complicate the job of defenders.
But help may be on the way. Several presentations at RSA sketched the broad outlines of a future in which the security of software supply chains will be easier for development teams and customers to assess and monitor.
For example, consider the Open Source Software Foundation’s Security ScoreCard, a free tool that assesses open-source projects based on their adherence to 18 best practices, including whether the project is actively maintained and whether it uses secure workflow features, such as branch protection.
“It’s like having a speedometer on your car to tell you ‘How fast am I going?’ said Naveen Srinivasan, one of Security Scorecard's maintainers who spoke about it with Brian Russell, an open-source product manager at Google.
Srinivasan said the RSA talk, "How do you trust open source," was just the latest stop in a tour of technology conferences. His goal is to make developers aware of the free Scorecard tool and get them to use it to assess the security and integrity of the open-source software they rely on.
Multiple speakers also weighed the pros and cons of Software Bills of Materials (SBOM) — a key element of recent federal guidance on supply chain security. As with other supply chain security initiatives, SBOMs face pushback from development organizations, which fear they will be a cumbersome new compliance requirement with little practical security value.
But SBOMs need not be a burden, and will provide a critical bridge between software suppliers, development organizations and end users, said Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation.
Speaking alongside Chris Blask, Vice President of Strategy at Cybeats, Stewart said that widespread use of SBOMs will reduce the thrashing and inefficiency that characterize current responses to supply chain threats. Already, the FDA is requiring SBOMs for medical devices, while organizations in healthcare are gearing up to use open-source and proprietary tooling to leverage SBOMs to monitor what's deployed in their environments, as well as the impact of software vulnerabilities like Log4J and other supply chain risks.
Blask said in the session, The World on SBOMs:
"Knowing is half the battle. If you have an image from the vendor, you want to know what's inside that and look to the vendor to update it. But any insights you have will help you deal with vulnerabilities in things you don't control."
Learning from Ukraine’s “hot” cyber war
Just like the 3CX hack focused attention on supply chain risk, Russia's ongoing war on Ukraine has brought concerns about cyberwar to the forefront, as one of the world's first "hot" cyberwars stoke fears of a broader conflict.
Despite rumblings that Russia's cyber assault on Ukraine was a bust, NSA Cyber Director Rob Joyce debunked that idea in an address to RSA Conference attendees.
“There’s a lot of narrative that it isn’t so significant inside the cyber activity from Russia, but I think that’s from a viewpoint of people who aren’t actively trying to defend each and every day the types of attacks that are hitting them [Ukraine].”
—Rob Joyce
In 2022 alone, there were more than 2,000 cyberattacks against Ukraine from Russia, demonstrating that this war’s cyber front is far from insignificant, Joyce said.
Equally significant is Russia’s desire to attack Ukraine’s critical infrastructure (CI) in an effort to hurt civil society. Based on NSA intelligence, Joyce said there have been Russian cyber attacks on Ukrainian CI organizations, “but they haven’t gotten to the devastating effect that I think Russia wanted to achieve, and still seeks to achieve.”
While Russia has not been entirely successful in its goal of damaging Ukrainian CI, it is alarming that this adversary is still actively looking to damage those Ukrainian institutions.
Russian-based threat actors have already targeted CI outside of Ukraine. Last week, leaked intelligence documents revealed that a Russian hacktivist group targeted a Canadian gas pipeline in February 2023, which could have led to an explosion at the company’s gas site. What was also alarming about this incident was the fact that the hacktivists were in communication with Russia’s Federal Security Service throughout their operation. This is a testament to Joyce’s last point on the conflict:
“Hacktivists out of Russia are a natural resource for Russia.”
The number of cyber attacks on Ukraine, as well as the type of institutions targeted and how Russia is using cybercriminals to advance their interests, shows the Russian war on Ukraine is a cause for concern for global cybersecurity.
All in on AI? The bad guys are
Finally, it wouldn't be a technology show without talk of artificial intelligence. At RSA, the rise of accessible AI tools like ChatGPT was a big RSAC buzzword — and squarely on the minds of security teams. It's clear that AI will have an impact on many different areas within cybersecurity, and will both benefit and cause harm to cyber defenders.
For software supply chain security specifically, AI looks messy — and underbaked, said Idan Wiener, CEO and co-founder of supply chain security tool vendor illustria, during the supply chain security panel.
“ChatGPT is not there yet.”
—Idan Wiener
For anyone who adopts AI tooling, whether it be defenders or attackers, their processes will become “faster,” Yaron said. The alarming reality: AI is “already being used by attackers.”
That threat is only going to grow, said Ali Khan, field CISO at ReversingLabs. "AI is going to proliferate a lot of the new malware. Threat actors are going to be able to produce much faster."
The ability of attackers to scale will strain the resources of defenders, he said. Think of a traditional SOC writing YARA rules to defend against and detect signatures or hashes. But with LLMs, they're producing things so fast that you could almost write code on the fly and remove the detection logic that security operations would be dependent on, Khan said.
Rather than hiding from AI, however, the solution for organizations is to embrace it. "The best way to threat model is by immersing yourself as a red team," said Khan. "I highly recommend organizations invest more in purple team emulation, where you take your red team and you take your blue team and try to combine the scenarios that we know are being used by large, generative AI."
Finally, Yaron pointed to the elephant in the room: “Any AI system is software by itself,” meaning that it too has the potential to be the target of a software supply chain attack.
In his State of the Hack talk, Joyce echoed the supply chain security panel:
“In the near term, I don’t expect some magical, technical capability that is AI generated that will exploit other things. What I do expect is that adversaries that figure out how to integrate generative technology or other AI technology into their workflow are going to outpace the people who don’t.”
—Rob Joyce
[ See ReversingLabs @ RSAC 2023 for key highlights from our experts | Plus: See all of our great posts from the show ]
Photo courtesy RSA Conference on Twitter.
