As I near my one-year anniversary at BrianMadden.com, I had another first: my first RSA Conference.
Unlike my time at Citrix Synergy and VMworld in 2019, I largely used my time at RSA 2019 to cram in as many meetings as I possibly could, with some Expo Hall time thrown in there. I will do one final run-through on Thursday.
I will say that none of the conferences I attended previously hold a candle to the size of RSA. There was so much to see and do; it was definitely impossible to stop by a third of the Expo Hall exhibitors. Security is a crowded sphere.
What did I learn?
Over the past two days, I met with a lot of incredibly knowledgeable security industry folks who were willing to let me ask all sorts of on-topic and random questions. This isn’t an exhaustive rundown, just a report on what interested me and what I can talk about right now. Expect more in the future on others.
Most of the technologies and concepts have been around for a while, but seeing how they work in the context of specific products and conversations at RSA was a good way for me to improve my knowledge base.
Several people I spoke with were quick to heap praise on Apple, both for its willingness to offer users privacy and for helping show the appeal of biometrics to a wider audience. Now the enterprise is ready to jump on board. With so many employees using biometrics in their everyday lives, it’s more easily accepted and some even expect it—I’d rather use my face to log into an app than type out a dang username and password any day.
Biometrics makes multi-factor authentication less of a friction point and will play a starring role in the eventual death of the password. Not only is it used to handle the initial log-in process, it’s also part of behavioral factors that help enable things like continuous access.
Companies that would prefer a slower transition into biometrics can look to Veridium. The vendor offers options to companies looking to dip their toes into biometrics but that maybe don’t want to jump all the way in just yet. I spoke with CEO James Strickland and Ross Penny, global head of systems engineering, to learn about the authentication provider. Their goal is to make it easy for companies to adopt biometrics without having to purchase hardware; instead, employees and customers can use their smartphones.
Companies can take advantage of things like Touch ID and Face ID, but even lower-end smartphones can still be put to use. Using what they call 4F (four fingerprints), the Veridium app takes a picture of the user’s fingers to verify them, and to help against replay attacks the app can ask users to move their fingers. Their biometrics solution can be used as a separate app or integrated into a company app, with all the same features, via SDK.
For companies still reluctant to use biometrics completely, or that maybe have regulations to deal with, Veridium offers push notification options, and it can also be used alongside a normal password instead of as a total replacement. I spent a long time at their booth watching demos and asking too many questions.
Speaking with Jackson Shaw, the vice president of product management at One Identity, a full-stack IdP, I learned about their use of biometrics to help authenticate users for PAM (something I plan to look into more). Their solution develops a profile of privileged users after five days of deployment. From then on, it can verify via keystrokes and mouse clicks whether someone is who they say they are. Everyone types differently. It’s not new tech, but it’s always really cool to see additional implementation in more places.
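To make the keystroke-rhythm idea concrete, here is an added example (my own illustration, not One Identity’s product code): it builds a per-user profile of key hold times and inter-key gaps from a set of enrollment sessions, then scores later sessions against that profile with a scaled Manhattan distance. Everything is constructed: the four-key secret, the two typing rhythms, the jitter, the standard-deviation floor and the acceptance threshold are all assumptions chosen to show the mechanism, not values from any vendor.

```python
"""Keystroke-dynamics verification: learn a user's typing rhythm from an
enrollment window, then score later sessions against it.
Added illustration, not One Identity's code; all timings are constructed."""
import random
import statistics
from typing import Dict, List, Tuple

# One typed session: (key, key-down time in ms, key-up time in ms) per keystroke.
KeyEvent = Tuple[str, float, float]
Profile = Dict[str, Tuple[float, float]]  # feature name -> (mean, std dev)

SD_FLOOR_MS = 10.0  # assumed floor on spread so a very consistent enrollment is not brittle


def features(session: List[KeyEvent]) -> Dict[str, float]:
    """Named timing features of one session:
    dwell:<k>        how long key k was held
    flight:<a>-><b>  gap between releasing a and pressing b (negative if they overlap)
    """
    feats: Dict[str, float] = {}
    for i, (key, down, up) in enumerate(session):
        feats[f"dwell:{key}"] = up - down
        if i > 0:
            prev_key, _, prev_up = session[i - 1]
            feats[f"flight:{prev_key}->{key}"] = down - prev_up
    return feats


def build_profile(enrollment: List[List[KeyEvent]]) -> Profile:
    """Per-feature mean and standard deviation across the enrollment sessions
    (the product in the article gathers these over roughly five days of use)."""
    columns: Dict[str, List[float]] = {}
    for session in enrollment:
        for name, value in features(session).items():
            columns.setdefault(name, []).append(value)
    profile: Profile = {}
    for name, values in columns.items():
        sd = statistics.pstdev(values) if len(values) > 1 else 0.0
        profile[name] = (statistics.fmean(values), max(sd, SD_FLOOR_MS))
    return profile


def anomaly_score(profile: Profile, session: List[KeyEvent]) -> float:
    """Scaled Manhattan distance: average over shared features of
    |observed - mean| / sd.  Lower means 'types like the enrolled user'."""
    observed = features(session)
    shared = [name for name in profile if name in observed]
    if not shared:
        raise ValueError("session has no features in common with the profile")
    return sum(abs(observed[n] - profile[n][0]) / profile[n][1] for n in shared) / len(shared)


def verify(profile: Profile, session: List[KeyEvent], threshold: float = 2.0) -> bool:
    """True if the session's rhythm is within the (assumed) threshold of the profile."""
    return anomaly_score(profile, session) <= threshold


# --- constructed sample data: two people typing the same four-key secret ---
def synth_session(rhythm: List[Tuple[str, float, float]], jitter_ms: float, seed: int) -> List[KeyEvent]:
    """Build a session from a rhythm of (key, dwell, flight-to-next) plus uniform jitter."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for key, dwell, flight in rhythm:
        up = t + dwell + rng.uniform(-jitter_ms, jitter_ms)
        out.append((key, t, up))
        t = up + flight + rng.uniform(-jitter_ms, jitter_ms)
    return out


GENUINE = [("p", 95, 60), ("a", 80, 120), ("m", 110, 40), ("!", 130, 0)]
IMPOSTOR = [("p", 140, 200), ("a", 150, 90), ("m", 70, 250), ("!", 90, 0)]


def demo() -> Tuple[bool, bool]:
    """Enroll the genuine typist on five sessions, then test one genuine and one impostor session."""
    profile = build_profile([synth_session(GENUINE, 8, seed) for seed in range(1, 6)])
    genuine_ok = verify(profile, synth_session(GENUINE, 8, seed=99))
    impostor_ok = verify(profile, synth_session(IMPOSTOR, 8, seed=7))
    return genuine_ok, impostor_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The impostor here types the same characters but holds and spaces them very differently, so the averaged per-feature deviation is several standard deviations out while the genuine typist stays well inside the threshold. A real deployment would use far more features (mouse movement, much longer windows), would tune the threshold against measured false-accept and false-reject rates rather than pick 2.0 by hand, and would treat a session that shares no features with the profile (the `ValueError` branch) as "cannot decide" rather than "accept".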
Zero trust is a term on a lot of people’s minds, even if not everyone is a fan of the term itself. During a few of my meetings, I asked for opinions on zero trust. The term itself can put some people off. Phil Dunkelberger, co-founder of the FIDO Alliance and CEO of Nok Nok Labs, says that while zero trust says we shouldn’t trust anything, we should actually work toward 100% trust. Companies should rely on assurance signals, not trust signals, to ensure each user is who they say they are. “Zero trust” also just sounds scary, which isn’t great for potential customers.
Also, with more companies using contractors, the best hope is to extend the identity perimeter. When I spoke with Wendy Nather, head of advisory CISOs for Duo Security, she explained that it isn’t that we shouldn’t trust users, but that we should figure out how best to trust them and for how long. Contract employees remain a tricky question for companies around access. They often work for multiple companies, so MDM is rarely an option. Duo has an angle here, offering a solution that allows companies to at least determine if the device that will access their app, network, or whatever can be trusted. They can check the security hygiene of a device: is the OS up to date, is there a lock screen, etc.
Mobile security and Verizon Mobile Security Index
The Verizon Mobile Security Index was released Tuesday. The 2018 version only included survey results, but this year’s offers some data from vendors like Wandera alongside them. I haven’t finished combing through the report, so I might have a follow-up later when I get some additional info.
I did sit down with Michael Covington from Wandera, who offered some thoughts on the data (which they previously showed me for our look at mobile security). Ransomware appears as a high concern for survey respondents in the Verizon report, but I got conflicting signals during my research for our mobile research report. Michael explained that he expects companies will begin to worry more about cryptojacking soon enough. (When I spoke with Check Point, they felt that ransomware wasn’t a problem for mobile like it is for PC.) Attackers want a quicker monetization method, which cryptojacking provides and which is easier to use in broad attacks. Michael still thinks ransomware will continue to see use in targeted attacks.
A couple of vendors expressed interest in the next Verizon Data Breach Investigations Report (DBIR), which probably will be out sometime next month. Michael, along with me and many others I’m sure, hopes this is the year mobile makes an appearance in it. The Mobile Security Index seems to be a mea culpa from Verizon, since the 2016 DBIR made it sound like mobile wasn’t a contributing factor to data breaches. The 2018 mobile report didn’t contain data, just survey results, so the 2019 mobile report continues to show progress from the vendor.
Some final quick bits that I found interesting
Where will two-factor authentication be in two years? Will it be replaced by MFA, continuous, behavior-based, or AuthN? While it’s good for security now (any additional factor makes it more difficult to access an account), it remains a friction point with users, which can affect adoption. It can also be an additional cost that some companies can’t shoulder. Plus, some of the factors (looking at you, SMS) are too easily hacked. Some will be glad to see it gone, but this won’t mean the end of multiple authentication factors, though it will require further research before I totally understand the changing landscape here.
Apps aren’t as secure as we’d like to believe. Bad actors don’t necessarily need to access the app while it runs to still find a way to steal data. This came up while speaking with Arxan, which we last covered in 2017 when they acquired Apperian. Some app developers don’t ensure the app is protected enough, and many bad actors can just pull it apart (decompile it) for its code, which can hold data that is supposed to be protected. They have an upcoming report that will break this down and I’m eager to read it.
An illuminating conference
Since a lot of my focus since joining BrianMadden.com has been around security and mobility, this conference was a blast to attend. Plus, it provided me with a list of topics to dive into, learn about, and maybe cover in the coming weeks.
For another view of RSA 2019, check out Jack’s article covering EUC-focused announcements.