June 16, 2022

EP70 Special - RSA 2022 Reflections - Securing the Past vs Securing the Future






[CHILL MUSIC] - Hi, there. Welcome to the "Cloud Security Podcast" by Google. Thanks for joining us today. Your hosts here are myself, Tim Peacock, the Product Manager for Threat Detection here at Google Cloud, and Anton Chuvakin, a reformed analyst and an esteemed member of our cloud security team here at Google. You can find and subscribe to this podcast wherever you get your podcasts, as well as at our website,

If you enjoy our content and want it delivered to you piping hot every Monday afternoon Pacific time-- except for this special episode coming out late in the week-- please do hit that subscribe button. You can follow the show and argue with your hosts on Twitter as well, Anton, this is our second ever RSA wrap-up episode. Last year we egged on Heather for did RSA really happen. But this year, it really did happen. We walked the show floor. There were people, there were booths, there were parties.

- Yes. Yes. And moreover, I want to start from my first impression of the RSA. When I landed-- well, landed.

- Landed from Fremont.

- Got to the Moscone-- when I got to Moscone, I was shocked by the normalcy of it, of all of it. It looked like humans milling around and talking to other humans. You know? The whole thing just shocked me with its normalcy. This was my first big event after RSA 2020.

- Which was not a superspreader event, somehow.

- Which was not a superspreader event because I think, if you count the news coverage, one person got sick maybe at RSA?

- Maybe. Maybe.

- Yeah. So I think that maybe. Nobody knows, but it wasn't any kind of brouhaha of, like, oh my god, you infected me. So deep in my heart, I frankly don't think this one would be bad, but I have no idea.

- I wore my N95 on the floor. I was--

- Yeah, for sure.

- I was armored. I was shocked by how many people were walking around maskless.

- Correct. Yes. I was at the Innovation Sandbox. It was like a big crowd of people sitting together, and I was kind of hiding behind my respirator and like, oh my god, I'm going to be fine. But ultimately, a lot of-- hundreds of people are in the same room for three hours.

- Oh, God. Well, OK. OK. Enough about the masks.

- OK. Enough of that.

- One thing I noticed was that nobody was dressed up like a viking this year, so Norse security must really, really be a very dead horse to beat on. I did see people in lab coats, but that was really the only costumery I saw. I think the industry has come a long way since I joined it, and even further since when you joined it.

- I think there were some caped people in vaguely superhero-ish themes.

- That's so much better than it used to be.

- I remember them flying by-- well, running by me, and I felt like, oh, superheroes. And that's the only costumey-- well, costume I picked. Yeah.

- That's amazing. What progress we've made there. Where have we not made progress? Because I'm sure there's things we can make fun of now.

- Yes. And I would probably prefer to start at zero trust.

- Ah, zero trust.

- Because, to be honest, I felt like last year, two years before and a few years before, people are trying to say, zero trust is kind of a big theme. But I felt like this time, zero trust is really being jammed down my throat because--

- Yes.

- I mean, I've seen a password manager claiming zero trust for passwords.

- I saw a physical access card company claiming to be zero trust.

- No.

- Yeah. Yeah, yeah, yeah. Their booth said passwordless auth. I'm like, yeah, because you're key cards.

- Right. But did they say zero trust specifically? But--

- They did. They did. They said passwordless zero trust key cards. I was like, what the f--

- I think people are overdoing the whole attach to a theme this time because, to me, zero trust was kind of a bit of an oppressive presence because--

- Yes.

- It showed up from another example. I remember an anti-DDoS vendor saying that they enable zero trust visibility. So it's not the point that they're wrong, the point is that it's a very tenuous little, tiny thread connecting them to zero trust. There's a connection, don't get me wrong. But it's like, really?

- But not a strong one.

- No. Like, do you really have to say that? So zero trust was one thing that kind of maybe not annoyed me, but it was everywhere, including many places where it frankly shouldn't be.

- Well, this does answer a mystery, though. We had wondered for a while why the ZT episodes were so popular. It's all the booth designers were listening to those episodes and thinking, oh, I should put that on my booth.

- I think so too. But they were-- some of them were a year late, but that's OK.

- Yes.

- Yeah.

- And some of them perhaps a thematic dollar short. What else did we see? I saw a lot of MDR.

- MDR. Yeah. But it's almost like there was an MDR alley.

- I think the whole thing was an MDR alley.

- You walk past the MDR vendor booth and then next to an MDR vendor, what do we see? An MDR vendor. What about the next booth? Hey, it's an MDR. But I'm not annoyed by MDR, by the way, if you do it well because I think a lot of people need help.

- No, I think it's a good model.

- Yeah. It's a good model.

- It's definitely going to help.

- People who don't know how to do detection, they don't know how to cook, they don't know how to even reheat.

- Right.

- So they need help with everything. They want to go to a restaurant and get detections from an MDR to refer back to cooking.

- You think about it, why should a school district have a cybersecurity person? They shouldn't. A school district should not think about this.

- That's a good example as well. So MDR to me, if you do it well, if you don't just relabel an old, annoying, barely working model and you do an MDR well, especially for cloud.

- Yeah. Cloud abstracts nicely. You don't have to worry about all the different kinds of weird firewalls and VPNs people have hanging around. Speaking of VPNs, what's the crazy thing you learned about VPNs? Because this-- I took it in stride, but I think it's still probably eating at you. So what was your VPN lesson?

- It's eating at me, and that's what led me to think of a bigger theme at this RSA. So I was at the Innovation Sandbox and there was a vendor-- actually, it was the same vendor who--

- Was there any actual sand there?

- No. But it was dark, so maybe it was under somewhere down there.

- Disappointing.

- So the point is that it's a vendor-- it's a vendor we had on a podcast, but that's not the point. The point is she showed this slide that highlighted the fact that the VPN market today has the same size as all cloud security markets combined. If you define them broadly, round them up, and VPN market alone is larger than all of them put together. So that blew my mind because it reminded me this-- the immense power of the past. We live kind of in the future here at Google, and we sometimes succeed, and frankly sometimes fail as well--

- A lot.

- --when we try to offer products to clients and deal with clients.

- Yes.

- But this whole VPN thing kind of struck me as, well, that's a huge multi-billion-- dozens of billions number that people spend on VPN, which is kind of the opposite of zero trust. It's the model from-- what is it? '80s? '90s? At the latest, the '90s.

- At least.

- And it's a huge spend. Way more than cloud sec spend. Way more than a lot of other type of modern security spend. So that's why I was kind of in this whole, are we living in the past? Are we living in the future? Where are we? So RSA gave me this strong schizophrenic feel of, well, actually, it's both.

- Yeah. I mean, it speaks to two things. One, it speaks to how enduring network technology can be for people. And two-- and this is something that I believe every day when I wake up and go to work-- we are in the early, early days of cloud migration for most people.

- Yes. And we are in the very early days of cloud sec, cloud security, as a bunch of technology spaces. So you may think that, hey, there was this CSPM vendor that was acquired in 2018. They launched probably in 2015. So it's like seven years--

- No.

- --likely more. But these are kind of outliers. I bet people who are launching cloud security vendors today, they're not late, frankly.

- No. No, not at all.

- Because the mainstream is coming.

- I thought it was so interesting to compare the booth strategy of Orca, Wiz, and Lacework.

- Ah.

- I'm sure that people at each of those companies would object to me putting them into a bucket together, but I think of them as a bucket together. Like three startups, kind of similar age, similar problem, similar messaging, but their booths could not have been more different. Wiz had this big, big booth in the front of the south hall.

Orca was a very thoughtful booth, I thought, with really cool things. I actually got one of their orcas. And I asked for it, unlike my compatriot who insisted on playing the claw game until she won. And then Lacework had a tiny, like, a 5 by 10 crammed into the passageway between the north and south hall. And I thought it was so interesting to see three very different approaches from the vendors that I think of as kind of the same.

- They're also probably really visible. I don't know. I haven't done the studies, out of these, the most visible cloud security vendors, but to me, these are among the most visible cloud security vendors. So if you wake me up at 3:00 AM and say, hey, name three cloud security vendors, I'll probably name these three.

- Yeah. Yeah, yeah, yeah. And then you might name PAN, and then you might go back to sleep.

- I probably won't answer the question. But--


- So OK.

- But the idea is that it's still interesting that these vendors, to a large extent, are securing what is the future for many mainstream organizations. Sure, for their clients they're the present. For us at Google, I don't know if they're the past or not. The point is that we know how to secure our own stuff. But for many, many, many organizations, they're the future.

- Yes.

- It's not the firewalls, not the routers, not the VPNs, not the SIEMs, not the other tech. It's kind of this type of cloud security packaged bundle vendors that are the future, likely, for many organizations.

- What did we say in episode three? You can put your firewalls to rest in a bucket somewhere. You don't need to worry about them anymore.

- That's pushing it, and I don't want to offend people who are, in fact, putting firewall appliances as the first stage in their cloud journey. In fact, in a little presentation that I've done in the Google Cloud booth, I kind of said, frankly, I don't have compassion for people who are copying their entire on-premise security stack in the cloud, but I do have compassion for people who think of it as their first step.

Because ultimately, if all you know is data centers and your first step is to replicate a data center security strategy in the cloud, in the long term, you'd be wrong. But as a first step, I am compassionate with this. I can see how this is kind of OK. I mean, is it great? No, but it's probably the best people can do in some organizations. And so if you do journey to the cloud with your firewall under your arm, I think you're OK as long as eventually you realize-- no, don't make the face.

- No, see, I have to disagree. I think if you start your journey to the cloud with a firewall under your arm, you're embarking on a journey through a foreign country with your personal dictionary. You can't learn French by studying English phrases. I mean, actually, you can because those languages overlap a lot, but take a more exotic language.

And I think the concepts are so meaningfully different, like a firewall is never going to help you with your IAM. A firewall is never going to help you lock down API access when API access is through Like, it's just not how it works in the cloud. I think we disagree on this one.

- I don't disagree with you because I actually think that as long as it's consciously seen as the first step, maybe the first step out of three, maybe out of 15. But would you rather they completely ignore the firewall and go to the cloud without cloud knowledge and without the firewall?

- Well, the cloud network is a firewall. You don't need a firewall.

- Well, you know that. I know that. But they don't know that.

- But [SIGHS] I don't know. I don't know.

- OK. This is a good one.

- This is a good one. Yeah.

- This is a mental model question to a lot of people. Like, how are they translating their mental models to the cloud? Are they starting with what they know? Are they starting from, I have an open mind, I need to learn? Or they start somewhere else? I don't know.

- I mean, do you get off the jet in Tokyo and say to yourself, oh, that bowl of ramen, that looks like spaghetti. Or do you get off the jet in Tokyo and say, ramen. What is it?

- But ultimately, ramen and spaghetti are both noodle products.

- But if you try to put marinara on your ramen, you're going to have a bad time.

- You would eat it once and then decide to put the proper sauce, so I still think it's not completely wrong. And again, I am what-- I guess I was kind of diagnosed as a neophiliac. I love new more than old. Somebody joked about it at Gartner when I said, I prefer new. But ultimately, I don't want to force my habits on others. If you prefer old as a transition step, that is OK, and a lot of security industries seem to be going down that path. I want my network traffic capture.

- Well, of course the industry goes down that path. They want to keep selling the stuff they've been selling for 30 years.

- Yes. But you know what? I think we are replicating a ginormous industry debate in miniature between Anton and Tim with me, this time, by the way, arguing for--

- The past.

- --legacy as a first step is OK.

- Yes. You are not being a neophiliac right now.

- Yes. Correct.

- You're being a Luddite.

- Yeah. Kind of being on the side of inertia.

- Do you know where the word Luddite comes from, by the way?

- Nope.

- This is a good one. Ludd was the name of a dude who led a group of workers in protest who smashed spinning wheels at a factory because they were losing their jobs to the factory. Ludd led a labor protest that resulted in the sabotage of a factory, and we get the word Luddite from this one dude.

- But this analogy relies on the implication that network filtering technology built by a CSP is superior to everything that a firewall vendor ever built. I don't think that's a truth. Some of the cloud firewall in code didn't even have logging on the outbound, so I'm not sure we are talking about inferior/superior. It's just the applicability context is different. Data center firewall works great in a data center. Cloud firewall and code works well in the cloud. Do you want to copy one to another environment? Well, that's your choice.

- That is your choice.

- OK. This is interesting and I feel like this is-- I hope our audience is finding it useful because I do think that we are replicating a big industry debate in a condensed form, and I don't know. I think industry is pursuing both at the same time--

- Oh, of course.

- --because people are buying the traditional tech, they're adopting into the cloud, they're moving it, they're testing it, discarding it sometimes, and people are adopting the modern stacks.

- And some people are doing both at the same time without realizing it, and hopefully on the right track, not the opposite track.

- Correct. So let's talk about something more annoying.

- Please.

- XDR!

- Ah! Ah! Ah!

- You sound like I stepped on your big toe or something.

- Stepped on all my toes.

- Oh. Well, there's that. I jumped a little bit. But I feel like this time the XDR balloon has expanded even more.

- Yes.

- And the point is that, imagine we had a clear definition of XDR and you are the vendor who is kind of corrupting the accepted definition. Everybody would think you are kind of an ass.

- A jerk.

- But ultimately, there is a definition. But in this case, there is no definition. And imagine that we have this fuzzy, vague definition or a fight in definitions, and then people expand this even further. Like I've seen a vendor that sells threat intelligence promising XDR.

- Really?

- And I bet their vision of XDR is not-- does not match any other vision of XDR.

- Is that the AlienVault XDR?

- I think that brand is gone. No, it was somebody else. But the point is that XDR is expanding like gas from a gaseous cloud that didn't have a shape, so I don't know. This gas analogy sounds kind of weak.

- It certainly suggests that the creator of it might be a wind bag.

- Oh.


There is that.

- No, but I'm with you that the XDR term lacks rigor. A lot of people used it in a lot of different ways on their booths. And I think if you were a space alien dropped into Moscone, you would not have come away from that show with anything more than a gaseous, nebulous definition of what XDR maybe might be. It wouldn't be helpful to you.

- Correct. And if you're an alien with money or a CISO with money, would you really want to give money to people who sell you that? I don't know. I am befuddled by that. Unless you and your vendor have a consensus definition between you two-- which is fine, by the way.

- Totally fine.

- If you're a vendor, I'm the CISO, we agree on what's XDR and I want that, I'll give you money, you give me XDR. That's fine.

- At that point it doesn't matter that it's XDR. It just matters that it's something you want.

- Correct. It matches my requirements and my use cases. That's exactly right.

- Do you think the industry runs a risk of damaging the XDR brand and leaving us without the thing to replace EDR if people keep misbehaving by using it in so many ways?

- Normally I want to laugh at you and say, ha ha ha, Tim, damaging the XDR brand? You mean damaging it further?

- You know what I mean.

- I mean, things are going to get worse and less clear before they become more clear, provided they ever become more clear with XDR.

- Yeah, that's a good question.

- At this point, I don't know.

- Unclear.

- Yeah. Hype cycle, if I'm having a hype cycle picture in my head, I think XDR is-- no, no, no. I think it's past the peak. We might be in the--

- Oh, really? You think we're in the valley?

- No, no, no. I think we are starting the descent from the peak. That's my impression. This is like-- I'm sure my former colleagues would have it somewhere in there.

- OK, so you want to make a bet then? You want to bet one GSU that next year's RSA has less XDR? That's a post-split GSU, by the way, not a full today GSU.

- Probably wouldn't bet that much, but I can bet you a decent coffee from a Google office.

- Oh. High monetary value right there.

- Yeah. That there would be less XDR next year. Correct.

- OK. OK. I think there will be more XDR next year, so I'll take your Google coffee bet.

- OK. Perfect.

- Let us know on Twitter what you think, listeners. Whether there will be more XDR or less XDR next year, or the same amount.

- RSA 2023.

- That's right.

- Right?

- That's right.

- So on a positive note--

- Please.

- On a very positive note, I've picked that ML/AI mentions are a lot more tamed.

- They're down.

- They're down, but they're also hugely increased in quality. People are giving examples, people are showing studies, people are using-- people are not screaming at the top of their lungs, we have AI, or define their companies as we're a cyber AI. All of this, I think, is gone. We have use cases and we have people with legit operationalization of ML/AI techniques for security. So there's a lot less of it in the air, but I bet there's a lot more of it in metal, in the actual product.

- Well, I mean, that's true of my world too. You look at the stuff I've done, I have a real--

- But you never screamed--

- No.

- --about AI because you don't have any marketing. How about that?

- Well, let's not have that on the show. But I will say I use AI/ML every day in production at tremendous scale to detect real life attacks for real life cloud customers, and we almost never talked about it as such. Conversely, when I was at Shape, we did use AI/ML, but we didn't use it in the production line, and we shouted about it.

- Exactly.

- So it's interesting so quickly how we've shifted away from it.

- We did.

- I think we'll see the same thing with XDR. The industry damaged the term. People had to back away from it, or else they would have got ripped on by guys like you and me.

- True. But I think XDR-- I don't know. I mean, let's-- I'm taking the bet. So next year we'll check, and I still feel like we would start the descent. The question-- sorry. I don't mean to dwell on XDR too much, but to me, the question isn't, will the mentions go down? The question is, will XDR descend into a trough and die as opposed to come out of the trough and then go up the adoption curve? So to me, the more doomsday prediction is, let's put it this way, not impossible that the XDR would descend and stay there.

- Well, there's a big question here because we've had AI winters before.

- Yeah.

- And AI is like, what is dead may never die, to misquote "Game of Thrones" on that one.

- Yeah.

- Like, is XDR going to be what is dead may never die? AV stayed dead. I don't see anybody talking about AV these days.

- Oh, fair point. But OK, fine. I think enough of XDR. Do you have anything else fun? You picked anything-- I mean, I can share a few things that I've been investigating. For example, I was trying to figure out, what are those modern SOAR vendors doing? There's a newer batch of SOAR vendors.

- Really?

- Yeah. They're trying to reinvent/remake SOAR, and to me, one of the challenges in my head is, can these new SOAR vendors really not be pushed into the same lane as the original SOAR vendors?

- Which is to be a feature of a SIEM.

- That, but also promise low code but ultimately require coding to deliver.

- Yeah. The question of promising not coding and then coding. That's a perennial topic in our industry, isn't it?

- Correct. Correct. But I think that I was looking for signs that certain things they built, maybe the times have changed, maybe the technology stack has changed, maybe the environment where they operate.

- Have they?

- I don't know. I mean, it's still a question in the back of my head. I don't have an answer. I have a question that, are newer SOAR vendors doomed to be the same as old SOAR vendors or not?

- I guess we'll find out.

- Correct. Probably RSA 2024?

- All right. Well--

- Maybe?

- We can bet coffees on that one too. All right. Well, listeners, thank you for joining us for another RSA wrap-up episode. Let us know on Twitter or on LinkedIn what you noticed at RSA, what you think we should bet about for next year. And if you didn't find us on the show floor and say hi, you can find us next year because we'll be there one year from now. With that, thanks so much.

- And now we are at time. Thank you very much for listening, and of course, for subscribing. You can find this podcast at Google Podcasts, Apple Podcasts, Spotify, or wherever else you get your podcasts. Also, you can find us at our website,

Please subscribe so that you don't miss episodes. You can follow us on Twitter at Your hosts are also on Twitter @Anton_Chuvakin and @_TimPeacock. Tweet at us, email us, argue with us, and if you like or hate what you hear, we can invite you to the next episode. See you on the next "Cloud Security Podcast" episode.

