A 2022 RSA Conference Recap: IRL Edition
For the first time in a (long) minute, the RSA Conference was back as an in-person event. And COVID was a topic for several RSA talks in 2022 like “The Zoom Effect: A Framework for Security Program Transformation” and “The Transformation of Post Pandemic Mental Health,” for starters. Here’s a quick overview of some of the sessions from RSAC 2022 that we enjoyed (as well as a cameo from an Enigma machine).
Please note: If you’d like to stream sessions, you will need to purchase a pass to do so!
RSA Sessions We Recommend
“Assessing Vendor AI Claims like a Data Scientist, Even if You Aren't One” by Joshua Saxe (@joshua_saxe)
Are you skeptical when a security vendor begins bragging about claims of artificial intelligence (AI) and machine learning (ML) woven into their product? Then Joshua Saxe, the author of “Malware Data Science,” has the talk for you! He provides a guide on exactly how you can interview a vendor to ensure their claims about incorporating AI into their product are substantiated. You can trust Saxe to be an SME on this topic – after all, as a Chief Data Scientist, he is constantly grilling various vendors about their technology. His goal with this talk is to change the conversation around AI and ML in cybersecurity, ensuring clearer descriptions and more transparent efficacy.
“Are Low-Code and No-Code Tools a Security Risk?” by Mark Nunnikhoven (@marknca)
The short answer to that question is: well, yes they are. Any tool you introduce into your environment presents some risk to your attack surface. Low-code and no-code tools allow pretty much anyone to drag and drop components to create a new and custom cloud-powered business solution. Given that ease of use, these tools are becoming increasingly popular in enterprises, as Nunnikhoven states, “because they make great business sense.” And as you can imagine, some things can go quite awry. Nunnikhoven doesn’t leave things in a state of despair; he shares how to begin the process of identifying low-code and no-code tools in your environment – and ensuring that they don’t put your company in jeopardy.
“The Simple, Yet Lethal, Anatomy of a Software Supply Chain Attack” by Jossef Harush (@jossefharush) and Erez Yalon (@ErezYalon)
Presentations showcasing exploits are always of interest, and this talk by Jossef Harush and Erez Yalon is a highly informative deep dive into software supply chain attacks. As they explain via the SLSA (Supply Chain Levels for Software Artifacts) framework, threats exist at every step of the software supply chain. The researchers highlight how disturbingly easy these attacks are for adversaries to pull off. Being aware of how these supply chain attacks work – and understanding how to prevent them – is imperative.
“Drones and Autonomous Vehicles: Privacy & Security vs. Surveillance” by Jodi R. Daniels (@redcloveradvsrs) and Justin Daniels
As our Danger Drone project indicates, we’ve always had a thing for drones and their applications in terms of security and privacy. So this talk from Jodi R. Daniels and Justin Daniels piqued our interest. Drones and autonomous vehicles have become more prevalent, and that trend is only likely to continue. This talk centers around five key questions:
- What can we learn from the history of innovation?
- What kind of data is being collected by this type of technology?
- What is the current regulatory environment?
- What are the ethical considerations?
- What are the stakes presented by drones and autonomous vehicles?
This is a must-stream for anyone even faintly interested in this increasingly topical subject matter.
“What Do We Owe One Another in the Cybersecurity Ecosystem?” (Keynote) by Jeetu Patel (@jpatel41) and Shailaja Shankar
This talk is a little different from the others on this list, as it really shines a light on our world’s interconnectedness. This can be a good thing, and it can be a very bad thing from a security perspective. One issue somewhere along the supply chain can cause issues for everyone else involved (as mentioned in the talk from Harush and Yalon). Jeetu Patel points out several trends he has observed in his work and shares some alarming statistics, such as the finding that 60% of small businesses hit by a cyberattack will go out of business within only six months (which can carry tremendous ramifications). Shailaja Shankar discusses the “security poverty line,” which comes down to four specific dimensions: budget, expertise, capability, and influence. All in all, this talk drives home the point that security is a shared responsibility.
Some Other Cool Things That Happened at RSAC 2022
Not only did we catch a few amazing talks, but several Foxes were lucky enough to try their hand at an IRL Enigma machine, a codebreaking device widely used in the early twentieth century. We were also fortunate enough to participate in the first ever Cyber Trailblazers event, co-sponsored by other members of the ForgePoint Capital network. And we must admit that it was nice to see people outside of device screens for a change!