Author: Tan Xiaosheng
The RSA Conference is undoubtedly one of the most important conferences in the network security industry and serves as the annual review of security products. The mavericks of the security circle, of course, cannot help poking fun at RSA. One joke I heard: during the conference, someone posted a question on Twitter, "What security conference has been held in San Francisco recently?", the implication being that RSA is rather commercial and not a pure security technology conference. That is no wonder. Compared with top academic security conferences such as IEEE S&P, ACM CCS, NDSS, and USENIX Security, the content of the RSA Conference is not so academic-oriented; compared with Black Hat and DEF CON, it is not so oriented toward "offensive and defensive technology". But the annual RSA Conference is undoubtedly where the network security industry reviews and discusses network security products, ideas, and even regulations.

Coincidentally, the first RSA Conference was held in 1992, the year I graduated from college. Over 25 years the RSA Conference has kept improving. This year's conference had more than 40,000 attendees, more than 500 exhibiting vendors, and more than 700 keynote speeches or special reports. The conference presented a Lifetime Achievement Award to Arthur Coviello, former president of the RSA Conference; the famous "King Arthur" has white hair but is still active in the network security circle. The conference guests included people from the US Department of Security. In the face of emerging cybersecurity threats, we acknowledge that past cybersecurity products and concepts are "failing", but the strong demand will undoubtedly bring a new spring to the cybersecurity industry.
Putting aside the numbers provided by the organizers, my subjective feeling is that the number of participants is increasing year by year, especially at the Innovation Sandbox session on the opening day. Four years ago, when I attended for the first time, only a few hundred chairs were set out; this year there were thousands, but the increase in seats could not keep up with the increase in audience, and anyone arriving a few minutes late found the venue already full.
The number of participants from China also reached a new high. This year's "Baidu Crayfish Cruise" had more than 180 participants, exceeding the organizers' expectations, with many new faces from China.
In addition to veteran exhibitors such as NSFOCUS, Shanshi Wangke, and Andian, and vendors that have exhibited in recent years such as 360, Cheetah, and Anheng, Microbud (ThreatBook), Huajia, and Webray exhibited for the first time and made a strong showing.
Domestic vendors exhibit for different purposes: some genuinely need international market promotion, while others exhibit to generate news for publicity back home, a kind of "export for domestic sale". The exhibitor best aligned with international practice was NSFOCUS: its booth style and interactive booth design were fully in line with international norms, an American gentleman gave presentations at the booth, and its internationalization strategy is very clear. It seems to be on the right road! Antian is a very pragmatic company: its booth was not large, but the founder "Jiang Haike" (Xiao Xinguang) personally manned the booth to negotiate with partners and potential partners, and the "Virus Wanted" playing cards have become Antian's calling card. Haike fell asleep at the table at the crayfish event, which was rather painful to see; you can imagine how his time in San Francisco was scheduled.
The booth of Shengbang (Webray) had the most Chinese elements: staff in Peking Opera costumes brought out the "door god", which attracted a lot of attention. But what I want to ask is... do foreigners know what a door god is?
Needless to say, Huawei's booth was a large special exhibition booth with a large number of participants, as befits a large international company.
Overall, the exhibition level of most Chinese companies still lags well behind their American counterparts. Although they have evolved from the initial "words on display boards" to video playback and interface demos on TVs and large screens, with blonde staff receiving visitors and handing out gifts, their interactive design is still much weaker. If the aim is really to promote one's products and strengths, handing out gifts alone is not enough. I look forward to more "effective interaction" from domestic exhibitors and their staff next year.
The theme of the RSA Conference has always attracted much attention, and the history of the past 24 years has proved that the conference has the ability to grasp industry trends. The themes of the last four conferences were "big data", "share, learn, secure", "change", and "connect to protect". Using big data methods for security is already an indisputable fact, and we all agree that the security industry needs to change and is changing. So how should this year's "connect to protect" be interpreted? Conference Chairman Amit Yoran offered an interpretation in his keynote speech, though not at great length. In my view, it goes back to the essence of the Internet. In an era of human-machine, human-human, and machine-machine interconnection, the Internet of Everything is a double-edged sword: security problems have become more prominent and urgent because of it, and the solution lies precisely in it as well, in the power of the network to bring together people, machines, and security. Threat intelligence and security crowdsourcing are "connect to protect" in practice. I have always believed that security as a service is the way forward for network security. For the foreseeable future, security talent, security knowledge, and security information processing capability will all be scarce; only by turning security into a cloud service and using the Internet's ability to integrate resources (including people and information) is it possible to provide users with affordable security.
Compared with the previous 3 years, this year's RSA Conference lacked eye-catching products, and a tendency toward product homogenization could be felt, but the practicality of products is improving. Below are a few impressions from visiting the exhibitors:
"Threat intelligence", "detection", "response", and "automation" were the buzzwords exhibitors used to introduce their products this year. "Threat intelligence" and "detection" were already buzzwords at last year's RSA Conference; this year added "response" and "automation". First place among this year's Innovation Sandbox top ten innovative products went to Phantom, a product that automates security response.
For many years, security products focused on "prevention", with the goal that attackers "cannot break in, cannot take data away, and cannot understand it". But facing systems with inherent architectural defects and riddled with security holes, along with the various weaknesses of people, we keep experiencing "breaches". Finally, we have had to painfully admit that attack and defense are imbalanced and that we may not be able to prevent intrusion, so we fall back to the next best thing, pursuing "detection": hoping to know as early as possible after being breached. But how long detection takes is a problem. In the past, the time to discover an attack was measured in hours, days, weeks, or months; now the hope is to shorten it to seconds and to respond promptly once an attack is detected, so "automation" has become the only choice.
Back in 2010, when I first took over 360's technical operations team, did I not face a similar situation? A team of just over 10 people operated more than 1,000 servers supporting dozens of the company's businesses, and the business was still growing several-fold a year. Without automated operations it was simply impossible to meet business requirements, and in the end building operations automation got us out of the operations nightmare.
Compared with IT operations automation, security operations automation is more difficult. "False positives" are a major problem, and they will also be the most important indicator for testing whether a security operations automation product or service is usable.
Endpoint security went through a trough over the past few years. This year Carbon Black (formerly Bit9, since rebranded), Cylance, CrowdStrike, and even the emerging CounterTack all had a significant booth presence. Zhang Cong, head of 360's endpoint security team, wrote an article about his impressions of the conference: "RSA 2016: Endpoint Returns in Force, Detection and Response on the Rise". The revival of endpoint security is not a simple return, but the comprehensive application of traditional and new technologies, and traditional and new concepts, to endpoint security: there are products based on static code analysis, products based on application behavior analysis, products based on rule engines, products based on big data analysis engines, products that do behavior detection through hooking, and products that do behavior detection through virtual execution and virtualization.
EDR (endpoint detection & response) connects endpoint protection with detection and response, implementing the concept of "connect to protect", and Gartner is said to treat EDR as a separate product category.
One of the products in this year's Innovation Sandbox is called ProtectWise, jokingly called the "American version of Sky Eye" by 360 colleagues. Its idea is almost exactly the same as that of "360 Sky Eye": monitor network traffic through full packet capture, then use big data analysis to find anomalies in the traffic. 360 has been exploring this direction for more than 3 years and has combined big data in the package with big data in the cloud, which was applied very successfully in 2015.
BYOD was the buzzword of the RSA Conference two years ago and is almost extinct this year, so I was a little surprised to see the MobileIron booth. At last year's Gartner Symposium, in a discussion of why BYOD had not taken off, the Gartner analyst's view was that enterprise applications are still mainly messaging, email, workflow, and similar applications, and BYOD does not obviously improve the security of such applications. But he is still optimistic about the direction of enterprise mobile application security and believes the demand is real, though the form of the product may be different.
IoT security was also mentioned more this year and came up in the keynotes, but exhibitors still have relatively few IoT security products. Searching the exhibitor list for the keywords "internet of things" returns more than 70 vendors, but many of them are only loosely related to IoT, and specialized products and solutions are few.
Bastille, one of the top 10 products of the Innovation Sandbox, which we call the "American version of Skyscanner", is a product that detects fake APs and Wi-Fi attacks on Wi-Fi networks. The "Skyscanner" product that 360 launched in 2015 has the same positioning, but 360 Skyscanner is more capable: it can not only detect attacks but also actively suppress illegal nodes, making illegal APs unable to work. Recently, I just won the bid for a public Wi-Fi security defense project in a southern city. At last year's RSA Conference and Black Hat I saw two products with wireless network detection capabilities, but they were designed to cover both wired and wireless network security, so their wireless features were not very strong. This is the first time I have seen a product specifically for Wi-Fi security. Given that Wi-Fi networks are the most vulnerable, I believe this type of Wi-Fi security product will have a market.
Last year Zscaler invited audience members onto the stage at the RSA Conference to "smash the box", taking sledgehammers, brazes, and baseball bats to the "boxes" of various network security appliances, which attracted a lot of attention at the time. This year the box-smashing game continued, but there were clearly far fewer spectators. Many exhibitors now offer web security cloud services, which have become standard in the industry.
Apple's dispute with U.S. law enforcement over decrypting encrypted iPhone data was a hot topic at the conference, and Serrast founder Dong Jing wrote an article on the topic: "Back to the Original Intention - One of RSAC's 2016 essays".
The discussion of this topic is very American and will eventually rise to a philosophical level. I believe this discussion is very valuable, and regardless of its outcome, it will have a significant impact on people's future lives.
During the conference, I had a meal with the manager of one of the funds in which I am an LP and several big names in the Silicon Valley security circle, and also looked at two projects with the fund manager. My overall feeling was that good projects are hard to find, unreliable projects are everywhere, and valuations are too high. Finding reliable people and reliable projects is the biggest challenge for a VC. The investment exit mechanism in the United States is also quite different from the domestic one, and opportunities for an intermediate exit are relatively few. One fund, run by several people from the Silicon Valley security circle themselves, sticks to its own principles: invest only its own money, and invest only in people it knows.
Jews are a powerful force in the cybersecurity industry, and some bigwigs even say that, divided by ethnic group, Jews are the most powerful ethnic group in cybersecurity. During the RSA Conferences of the past 3 years I have been in contact with many Israeli companies and have been very impressed: university professors partner with people from military or commercial backgrounds to start companies, financing activity is brisk, and the companies cover segments of security from cryptographic algorithms to big data analysis, from illegal Wi-Fi detection to DLP, and from secure phones to web script detection. Relative to Israel's population, producing so many cybersecurity startups is admirable and worthy of our reflection and learning.
In summary, the 25th RSA Conference in 2016 marked a new peak for the RSA Conference. Although the exhibited products lacked dazzling new stars, the conference judged the general direction of products very accurately, its capture of social hot topics (the Apple iPhone decryption incident, the security problems of machine intelligence) was timely, the speakers were heavyweight enough, and the views were sharp enough. From the number of participants and the caliber of the guests, we can see how much importance society as a whole attaches to network security.
Domestic network security companies are close to the world's leading level in several technologies and products, but the average gap is still very large. In terms of cooperation between security companies, compared with their Western counterparts they are basically in the Spring and Autumn and Warring States periods. There is quantity in exhibition participation, but still much room for improvement in quality. The internationalization strategy deserves serious consideration: 360 Security and Cheetah Mobile have made some achievements in internationalizing consumer products, but in internationalizing enterprise security products and technologies, compared with Israeli companies, we still have a lot to do.
Editor-in-charge: Tan Xiaosheng