Cybersecurity teams worldwide face an increasingly broad range of risks, with malicious actors ramping up operations.

In a panel session at RSAC Conference 2026, Ed Skoudis, president of SANS Technology Institute led attendees through an array of key issues encountered by frontline security practitioners in 2026.

From AI-related risks to supply chain security and operational complexity, teams now contend with a confluence of overlapping challenges, panelists noted.

Panelists included:

• Heather Barnhart, head of faculty and senior forensic expert at SANS Institute and Cellebrite
• Joshua Wright, faculty fellow at SANS Institute and senior technical director at Counter Hack Innovations
• Robert Lee, CEO and founder of OT cybersecurity firm Dragos and SANS Institute fellow
• Rob T Lee, CAIO and chief of research at SANS Institute

Dual implications of AI

The impact of AI was a recurring talking point throughout the session, as with RSAC 2026 more broadly. Attendees heard that while AI offers huge opportunities for security practitioners, it also creates new risks.

Wright specifically highlighted a looming wave of AI-related software zero days due to the integration of these solutions across enterprise technology stacks. This is creating a dynamic new frontier for security teams and bad actors.

Indeed, hackers and other malicious actors are now actively “industrializing” the use of AI to target potential weak spots in software security and pounce on flaws. This means enterprises need to re-evaluate how they respond to critical vulnerabilities.

“We need to start measuring [vulnerabilities] in how many tokens it requires for an AI model to find a previously unknown vulnerability,” he said.

“I think we are quickly headed toward a time period where we’re going to see not maybe one or two, or maybe three, zero days in a week, but a week of hundreds of zero day[s],” Wright commented.

These will be designed by AI, he added, creating opportunities for bad actors to be able to target organisations en-masse and causing huge disruption.

“I don’t think we’re ready for this,” he said.

The plus side for security professionals, panel members claimed, is AI will assist in countering this new wave of potential risks. Wright said the technology will offer enterprises a chance to “resolve this patching dilemma” and keep pace with the scale of malicious activity in coming years.

Operational technology risks

Another key risk area, highlighted by Robert Lee, is operational technology (OT), which is now a leading target for state-backed groups and malicious actors.

Traditional motives, such as financial gain, are still present but aren’t the only incentives. The critical nature of these systems and their use in areas such as national infrastructure, healthcare, and manufacturing, he said, make them appealing targets to simply cause disruption.

Risks are rising on this front, research shows. Analysis from Bridewell found 95% of CNI operators faced some form of cyber incident in 2025, for example.

“We see some state actors and non-state actors, they’re very opportunistic, they’re going to hit a manufacturing facility and wipe what they can and cause chaos,” he said.

“Some are doing it for money, some are doing it for influence. There are multiple state actors that are planning … how to take down major portions of a country.”

Taking advantage of AI

With this growing array of potential dangers, security teams are now forced to adapt rapidly to compensate for the changing tactics of malicious actors.

There’s room for AI to help support and streamline processes for teams, particularly in incident response, Barnhart noted. Enterprises and individual practitioners that capitalize on the benefits of the technology, will have a key advantage in years to come.

“AI is not going to take your job. However, if you are in digital forensics or incident response and you learn to use AI to make yourself more powerful, you will steal that person’s job,” she said.

Enterprises around the world are flocking to agentic AI tools in 2026, with research from Microsoft showing that 80% of Fortune 500 companies are already using agents in daily operations.

Agents represent a step change in how enterprises leverage AI, with autonomous bots carrying out tasks on behalf of employees and helping to unlock marked productivity and efficiency gains.

Yet many organisations aren’t fully aware of the potential risks associated with these tools, according to Vasu Jakkal, corporate vice president for Microsoft Security.

Speaking during the opening keynote session at the 2026 RSAC Conference in San Francisco, Jakkal said the integration of agents in customer-facing environments will require a re-evaluation of enterprise risk management.

Trust, Jakkal said, will be crucial for safe and secure deployment of agents, which is why observability, security, and governance will be crucial.

“Humans and agents are working together, and we are only just scratching the surface of AI, but as is always with the case of technology advancement, there will always be those who will use it for nefarious purposes,” she said, adding that the use of AI in malicious activities has reached an “inflection point”.

Microsoft’s own intelligence operations have observed bad actors using AI primarily to improve their “trade craft”. They’re using the technology to curate more efficient phishing lures and debug malware, for example.

“We’ve seen this in operations by North Korean actors Jasper Sleet [and] Coral Sleet, where AI enables sustained, large-scale misuse of legitimate access to things like identity fabrication through social engineering and really long-term persistence at very low cost.”

“Structurally different”

This brave new world of AI-powered malicious activity means cyber defenders now face new considerations when contending with potential risks, Jakkal said.

Indeed, malicious activities as a result of AI aren’t just faster, they’re “structurally different, and in this new reality, security has to change", Jakkal said.

Jakkal noted that organizations have relied on “layers of siloed point solutions, static policies, and human-reliant response”, but bad actors don’t take this into account.

“They think in graphs, and with agents, they can now operate continuously at machine speed across these graphs,” she explained.

This means enterprise security needs to shift from a traditional approach shoring up specific control points, toward a comprehensive architecture where defense is a proactive, not reactive approach. AI, she said, will be crucial in facilitating this change.

“At Microsoft, we believe the future of security is ambient and autonomous, just like the AI it needs to protect,” Jakkal said.

“You can’t simply turn on security, it has to be something that’s woven deeply into every layer of the AI stack – from agents to apps, to platforms, to infrastructure. It needs to be always on, always there, everywhere.

“We need to use agents. We need to use agents that are continuously discovering, testing and fixing the attack path in an always on self defending loop so defenders can address these attacks before they happen.”

Humans in the loop

Ensuring humans are kept in the loop will be crucial in this process and a key factor in building trust, especially given that IDC research predicts more than 1.3 billion agents will be in operation by 2028.

Areas such as identity security will become more important than ever in ensuring enterprises can keep a close eye on agents while they operate behind the scenes.

“They must be secured with the same vigilance that we use to secure people,” she said.

Similarly, the rise of “double agents” – those that have been manipulated by malicious actors to engage in nefarious activities – have already been observed by Microsoft.

With this in mind, Jakkal expects observability to be a key enterprise focus in the coming years.

“We cannot protect what we cannot see,” she said. “And in this era of agentic AI, organizations will need an observability control plane.”

Observability won’t rest solely with security teams either, she said. Developer teams and IT teams will also require shared controls to shore up identity and data security, and to ensure robust governance of agents.

The stakes are high when it comes to safe and secure agentic AI adoption, Jakkal said, which underlines the need for a trustworthy approach to integration. It will also have long-term positive implications for enterprises, if done correctly.

“As we do this, I know that we will build trust at the very core of our organizations, and security becomes that incredible catalyst for innovation.”

FOLLOW US ON SOCIAL MEDIA

Agents are weaving their way into frontline operations across a range of industries, according to Cisco’s chief product officer Jeetu Patel, and that means security is more important than ever.

Speaking during the opening keynote session at RSAC Conference 2026, Patel told attendees that agents should now be thought of as “digital co-workers” in enterprise settings.

Indeed, human workers are operating in tandem with agents, with the latter carrying out tasks on their behalf to help alleviate strain and reduce manual toil.

While this offers huge advantages for workers, there are some drawbacks, Patel noted, particularly given they require deep access to sensitive enterprise data. It’s here that risks are elevated for those using agents, he added, meaning safeguards are key.

“You have to give them access to all your systems so that they can work on your behalf,” he said.

“Here’s the fact with these digital co-workers: you can’t really go check their resumes. You can’t make reference calls to make sure that these agents are working well, you can’t do any background checks.”

Key concerns at present rest on the fact agents “follow instructions very literally”, meaning there’s room for potential mistakes.

“They operate without any fear of consequence,” he said. “I mean, what are you going to do, fire an agent? What you’re starting to see is there’s a tremendous amount of complexity.”

Given the risks involved, Patel said a critical imperative for security teams moving forward will be to “make sure that we protect the world from agents that might go rogue”.

But security teams operate at human speed, he noted, meaning they need to essentially fight fire with fire, leveraging AI-based tools to monitor agent activities.

This is an area in which Cisco has been building tools aimed specifically at improving safety, observability, and security. Among these is the launch of Defense Claw, a security framework for Open Claw deployments.

“That means if you’re using Open Claw and you want to make sure you’re safe and secure,” he said. “This is completely open sourced.”

Treating agents like humans

Patel noted that long-standing practices such as zero trust are applicable in helping monitor agent activities. Simply put, agents should be treated with the same level of scrutiny that humans have in recent years.

“For years we’ve talked about this notion of zero trust to provide what we call least privileged access to humans, which means only give it permissions to do things that you want it to do,” he explained.

With agents, Patel said enterprises will need to do “much more than just access control”. Indeed, given agents act autonomously, there needs to be a shift away from access control toward “action control”.

“Which is going to need to verify behavior and provide control to the agent when the agents start going awry.”

FOLLOW US ON SOCIAL MEDIA

Cybersecurity professionals are in the vanguard of driving safe, responsible AI adoption, according to RSAC executive chairman Hugh Thompson.

Speaking during the opening keynote of RSAC Conference 2026 in San Francisco, Thompson said security professionals have never been more important amidst a period of growing cyber risks and rapid technological change.

“There’s a certain dynamism that exists right now in cybersecurity,” he said. “AI is rapidly changing everything around us. It’s changing everything, it’s forcing us to rethink how we [keep information safe].”

AI tools are helping security practitioners respond to threats more efficiently than ever, Thompson noted, unlocking significant productivity gains.

Yet while the benefits of the technology are becoming clearer in cyber, malicious actors are also flocking to these tools. Indeed, Thompson said the increased use of AI among bad actors is forcing enterprises to “reimagine” how these tools can be used for nefarious purposes.

The duality of AI has been a recurring talking point over the last two years. The technology is delivering benefits for organizations and individual workers, yet a host of studies over the last year have highlighted the growing use of AI among malicious actors.

Recent analysis from Kaseya, for example, showed 2025 was an “inflection point” for AI and cybersecurity, with traditional tactics such as phishing now supercharged by the use of the technology.

Around 83% of phishing emails use AI content in some way, the study found, with 40% of business email compromise (BEC) techniques now using generative AI.

This is where the cybersecurity function will be a critical factor in ensuring safe adoption of the technology en-masse globally. Moreover, cyber professionals have an opportunity to take the lead in facilitating this mass shift.

“We cannot be passive observers on this AI journey,” Thompson told attendees. “AI and cybersecurity are so deeply intertwined, we can’t let AI be something that happens to us. Instead, it’s our responsibility as cybersecurity professionals to make AI work for us.”

AI needs cyber pros

Thompson noted that AI “cannot operate sustainably” without robust security safeguards and practitioners offering a guiding hand for IT leaders.

With that in mind, fostering a more synergetic relationship between this domain and other business functions will be crucial – and RSAC Conference represents an environment for professionals to engage on the topic.

“I would argue AI just made our jobs way bigger in cybersecurity,” he said. “Conversations that will happen this week, in the sessions, in the halls, will help shape the future of AI for years to come.”

The power of community was a another key talking point throughout Thompson’s opening keynote, which saw him joined on stage by newly-appointed RSAC chief executive, Jen Easterly.

Easterly said the strength of the global cybersecurity community will stand organisations in good stead during a period of technological change in which malicious actors are becoming increasingly aggressive.

“This is our community, and we should draw strength from that, because together, we are stronger than any threat,” she said.

“Together, we're building trust in a world that desperately needs trust, a world increasingly powered by the most consequential technology of our lifetime, moving faster and faster than ever.

FOLLOW US ON SOCIAL MEDIA

The RSAC Conference 2025 last month left CISOs to process a whirlwind of discussions, innovations, and evolving strategic imperatives. Building on themes that gained significant traction in previous years, 2025's event solidified several critical areas demanding CISO attention, from the pervasive influence of AI to the increasing personal and professional pressures of the CISO role itself.

For security leaders navigating this complex terrain, the key takeaways from San Francisco were both challenging and clarifying. With a focus on agentic AI, identity security, collaborative defense, and human-centric strategies, the conference provided valuable insights for security leaders.

Agentic AI: transforming security operations

Agentic AI, defined by autonomous systems capable of independent decision-making, was a major topic at RSAC Conference 2025. Cisco unveiled an open-source 8-billion-parameter Foundation AI Security Model, which is intended to improve detection and response capabilities within security operations centers (SOCs). This model is designed to automate tasks such as identifying intrusion methodologies, assessing severity, and generating compliance reports.

Vasu Jakkal, corporate vice president of security at Microsoft, highlighted the transformative potential of agentic AI in cybersecurity, discussing how AI agents can work collaboratively to detect and prevent intrusions, thereby reducing the cost and complexity of sophisticated security operations.

Identity security: beyond human users

The rise of digital ecosystems has resulted in numerous non-human identities, like machine-to-machine communications and AI agents. Traditional identity management is now inadequate, prompting organizations to secure these digital identities against unauthorized access and system compromises.

Comprehensive identity governance solutions are required, covering both human and non-human entities, with strong authentication and authorization protocols throughout the enterprise.

Collaborative defense between public and private sectors

RSAC Conference 2025 underscored the vital importance of collaboration between private enterprises and government agencies in addressing evolving digital challenges. Sessions emphasized the importance of sharing intelligence and coordinating responses to close gaps in cybersecurity. Collective knowledge and resources can help organizations better manage modern digital issues, creating a stronger defense network.

Speakers and panellists deliberated on strategies for effective public-private partnerships, advocating for open communication channels and trust-building measures. These partnerships aim to streamline intelligence sharing on harmful activities, making it more actionable and timely, while also pooling technological resources to tackle sophisticated malicious campaigns. Despite political shifts and challenges that can sometimes hinder collaboration, the overarching consensus was that such alliances are indispensable for fortifying both national and organizational cybersecurity postures.

CISOs are advised to foster partnerships through intelligence-sharing forums and collaborative plans, enhancing preparedness against emerging risks.

Human element as the persistent core of cybersecurity

While technological advancements dominate the cybersecurity landscape, the human factor remains a critical component. Keynotes and sessions consistently highlighted that human behavior, decision-making, and collaboration are irreplaceable elements in building robust security frameworks. Despite the proliferation of automation and artificial intelligence, the ability of humans to adapt swiftly to unforeseen security challenges and coordinate responses across diverse teams remains unmatched. This human-centric approach reinforces the significance of fostering a culture of vigilance and resilience within organizations, where each member is empowered to contribute to the collective defense.

The emphasis on community and shared responsibility further underscores the importance of continuous education and awareness programs. These initiatives are designed not only to enhance technical knowledge but also to cultivate critical thinking and proactive attitudes needed to counter increasingly sophisticated digital intrusions. By integrating these programs alongside cutting-edge technological defenses, organizations can strike a powerful balance, ensuring that while systems evolve to meet new challenges, the human element remains the persistent and vital core of cybersecurity success.

Innovation and investment driving the future

A key takeaway for CISOs from RSAC Conference 2025 is the recognition of ProjectDiscovery's open-source platform for managing system weaknesses as a game-changer for under-resourced teams. Its advanced scanning capabilities highlight the growing importance of accessible security tools in democratizing cybersecurity efforts.

While AI dominated many sessions at RSAC Conference 2025, the long-term implications of quantum computing and security also cast a significant shadow. The core concern, extensively debated in sessions and among experts, centered on the future capability of fault-tolerant quantum computers to break the encryption algorithms that currently protect vast amounts of digital information worldwide. As reported by ITPro, this isn't a distant academic exercise but a looming challenge requiring proactive measures today.

The "harvest now, decrypt later" imperative

A central theme resonating through quantum-focused discussions at RSAC 2025 was the concept of "harvest now, decrypt later" (HNDL). This refers to the practice of adversaries collecting and storing currently encrypted data with the expectation that future quantum computers will be able to decipher it. This makes the potential quantum threat an immediate concern, even if cryptographically relevant quantum computers are still several years from realization. Data with a long shelf-life – sensitive government secrets, intellectual property, personal health information, and financial records – stolen today could be decrypted tomorrow. This understanding shifts the quantum problem from a future hypothetical to a present-day data security risk demanding attention.

The primary cryptographic systems at risk are asymmetric, or public-key, algorithms like RSA and Elliptic Curve Cryptography (ECC), which underpin secure web communications, digital signatures, and much of the internet's trust infrastructure. While symmetric encryption is also susceptible, it’s generally considered more resilient to quantum cracking, often requiring larger key sizes for continued protection.

Navigating to a quantum-resistant future: post-quantum cryptography

The primary pathway to a quantum-resistant future, as emphasized throughout RSAC Conference 2025, is the adoption of Post-Quantum Cryptography (PQC). PQC involves the development and deployment of new cryptographic algorithms that are designed to be secure against intrusions originating from classical or quantum computers. The National Institute of Standards and Technology (NIST) in the US is playing a pivotal role in this transition, currently in the final stages of standardizing a suite of PQC algorithms. Organizations were strongly advised at the conference to closely monitor NIST's progress and prepare to align with these forthcoming standards.

The migration to PQC is anticipated to be a complex and resource-intensive undertaking, significantly more involved than previous cryptographic transitions. It will require careful planning, thorough testing, and a deep understanding of where and how cryptography is currently used within an organization.

Organizational preparedness: the time to act is now

Organizations were urged to approach preparation methodically rather than with panic. The first essential step is creating a comprehensive cryptographic inventory to identify all instances of cryptography deployed across applications, systems, hardware, and data stores. This process helps organizations understand what requires protection and the algorithms currently in use.

Following this, strategic planning becomes vital. Organizations need to develop detailed roadmaps for migrating to Post-Quantum Cryptography, taking into account the lifecycles of their data and prioritizing the safeguarding of the most sensitive and long-lived information. Testing and experimentation with candidate PQC algorithms in controlled, non-production environments is another important step. This enables organizations to evaluate performance characteristics and integration challenges, ensuring smoother transitions when new standards are adopted.

Additionally, fostering crypto-agility is recommended. Designing systems and protocols to be adaptable enables organizations to update cryptographic algorithms efficiently as vulnerabilities emerge or standards evolve.

Although the timeline for the arrival of quantum computers capable of breaking current encryption remains uncertain, the consensus at RSAC 2025 underscored the urgency of addressing the "harvest now, decrypt later" threat. Immediate planning and preparation for the post-quantum era are critical steps toward safeguarding the future integrity of digital systems.

The field of digital protection is continually advancing, and the integration of artificial intelligence in cybersecurity is proving to be a pivotal development. This was unmistakably clear at the recent RSA Conference 2025, where, as reported by ITPro, the overwhelming sentiment was that AI is no longer a future concept but a present-day reality shaping security strategies.

AI discussions at RSAC Conference spotlighted the technology’s dual role in creating challenges and offering defenses. The focus was on how AI enhances security operations centers (SOCs) by managing alerts and accelerating incident responses, proving its critical role in tackling sophisticated digital threats.

AI’s enhanced detection and predictive capabilities

One of the most significant contributions of AI in cybersecurity lies in its ability to dramatically improve the speed and accuracy of identifying potential harmful activities. Machine learning algorithms, a core component of AI, are adept at processing and analyzing immense datasets in real time. They can discern subtle anomalies in network traffic, system logs, or user behavior that might indicate an unauthorized system entry or the presence of malicious software. This capability is crucial for spotting novel or heavily disguised harmful acts that traditional signature-based detection methods might overlook.

AI-powered predictive analytics programs are becoming increasingly valuable. By learning from historical data and identifying patterns often associated with system compromises, these tools can forecast potential vulnerabilities or points of weakness before they are actively targeted. Natural language processing (NLP), another facet of AI, also plays a vital role. NLP algorithms can analyze the content of emails and other digital communications to identify the hallmarks of phishing attempts or other forms of social engineering, helping to flag or block deceptive communications before they can cause damage. This is particularly relevant given the persistent challenge organizations face from targeted deception campaigns aiming to trick employees.

Automating defense and managing vulnerabilities with AI

Beyond detection, AI is instrumental in enabling automated response mechanisms, a critical factor when dealing with the speed at which digital disturbances can unfold. AI-driven security orchestration, automation, and response (SOAR) platforms can execute predefined actions almost instantaneously when a security issue is identified. This might involve isolating an affected device from the network, applying a necessary software update to close a known vulnerability, or blocking communication with a recognized source of harmful activity. Such automation not only speeds up response times but also frees up human security teams to focus on more complex analytical tasks. Reinforcing this trend towards more sophisticated automation, as reported by ITPro, developments such as an agentic AI security assistant aim to automate further and accelerate threat investigation and response by having AI autonomously conduct investigations, significantly reducing manual effort for security teams.

AI tools are revolutionizing vulnerability management by scanning systems for flaws and prioritizing critical issues for resolution. User and entity behavior analytics (UEBA) leverages AI to detect deviations from normal activity, signaling potential risks like compromised credentials or insider threats for swift investigation.

The collaborative future: AI and human expertise

While AI offers powerful advantages, its most effective application in cybersecurity is as a collaborative tool that augments human expertise. The sheer volume of data and alerts generated in modern IT environments can overwhelm human teams; AI excels at sifting through this noise to highlight genuinely concerning events. This allows skilled professionals to apply their contextual understanding and nuanced judgment to complex situations where AI alone might fall short.

Discussions also highlight AI's dual-use nature, as both defenders and bad actors leverage it, driving the need for resilient and explainable AI (XAI) to ensure trust and accountability. AI helps address the cybersecurity skills gap by automating tasks and enhancing analysts' effectiveness.

While challenges like training data quality and adversarial threats exist, AI's role in automating responses and managing vulnerabilities is critical. As it matures, AI will become even more integral to predicting and tackling digital threats, making its strategic adoption essential for robust cybersecurity.

"Community. It’s what makes us strong in cybersecurity." These were the emphatic words of Hugh Thompson, executive chairman of RSAC, as he opened the RSAC Conference 2025. His address, setting the tone for the week, repeatedly underscored that in an era of escalating digital complexity and sophisticated harmful actors, the collective strength of the cybersecurity community – a direct manifestation of collaboration in cybersecurity – is not just beneficial but essential.

In a blog post from the conference, the consensus among the security community and industry leaders was that facing sophisticated, often globally coordinated digital sources of disruption requires a united front. As reported by ITPro, collaboration can be as simple as pairing cybersecurity employees with data scientists, so they can compare notes. The era of siloed defense is rapidly giving way to an understanding that shared knowledge and coordinated action are paramount for collective resilience.

Strengthening public-private partnerships

The call for community resonates strongly with the ongoing efforts to bolster public-private partnerships (PPPs). At RSAC Conference 2025, the dialogue around PPPs stressed the vital link between government agencies tasked with national cyber defense and the private sector entities that manage critical infrastructure and vast data repositories.

These partnerships aim to facilitate a bidirectional flow of information: government agencies can provide declassified intelligence on emerging digital challenges and harmful actor tactics, while private enterprises can share real-time observations of harmful activities encountered on their networks. The goal is to create a more comprehensive understanding of the environment of digital challenges, enabling faster, more coordinated responses to protect critical services and the broader digital ecosystem. Emphasis was placed on overcoming traditional barriers such as speed, trust, and actionable intelligence delivery within these frameworks.

Advancing intelligence sharing ecosystems

Security intelligence sharing is fundamental to collaborative defense, and RSAC Conference 2025 highlighted advancements in enhancing these ecosystems' effectiveness. Moving beyond the simple exchange of indicators of compromise (IoCs), there is an increasing emphasis on sharing richer, contextual intelligence, including comprehensive tactics, techniques, and procedures (TTPs), often aligned with standardized frameworks like MITRE ATT&CK. This approach enables organizations to transition from reactive blocking to more proactive defense strategies informed by harmful actor behavior insights.

Information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs), tailored to industries such as finance, healthcare, and energy, continue to evolve, offering valuable sector-specific intelligence. Moreover, the automation of intelligence sharing through standardized protocols like STIX/TAXII is essential for disseminating critical information at machine speed, a necessity in countering fast-moving digital disturbances.

Thompson's guidance on learning from everybody encompasses both internal and cross-sector collaboration. Within organizations, it’s imperative to foster a security-aware culture where IT, security, development, and business units collaborate effectively. Externally, exchanging best practices across industries strengthens defenses against common digital issues, thereby enhancing overall resilience, as Thompson recommended.

Fostering internal and cross-sector cooperation

Collaboration isn't solely an external endeavor; it’s equally vital within organizations. RSAC Conference 2025 sessions underscored the need to break down internal silos, fostering closer cooperation between cybersecurity teams, IT operations, legal departments, and business units. Cultivating a culture where cybersecurity is viewed as a shared responsibility, rather than the sole domain of the security team, is essential. This includes integrating security considerations into the entire lifecycle of products and services, often referred to as DevSecOps.

Beyond individual organizations, cross-sector collaboration is also gaining traction. Harmful actors frequently reuse tools and techniques across different industries. By sharing experiences, best practices, and lessons learned, organizations in one sector can better prepare for challenges that have already impacted others. This broader learning loop enhances the defensive posture of the entire business community.

The overarching message from RSAC Conference 2025 regarding collaboration in cybersecurity was one of urgent necessity and practical application. While challenges related to trust, data sensitivity, and operationalizing shared intelligence persist, the fundamental understanding is the benefits of working together far outweigh the difficulties. Building these collaborative bridges is no longer a strategic option but a foundational requirement for navigating the modern cybersecurity landscape.

RSA Conference 2025 highlighted critical discussions and innovations shaping cybersecurity. With record attendance, the event showcased AI advancements like Cisco's open-source security model and Google's Gemini Security Agent, demonstrating AI's transformative impact on defense strategies and system economics. Emphasis was also placed on consolidating tools to streamline operations and enhance protection, urging leaders to balance innovation with accountability and preparation.

AI moves from initial excitement to robust engineering

Generative AI took centre stage at the Moscone Center, but the focus shifted from impressive early capabilities to governance and safety measures. Cisco’s Jeetu Patel emphasised that traditional adversarial simulation exercises have limitations, introducing an open-source foundation model tailored for security tasks. RSAC executive chair Hugh Thompson urged the cybersecurity community to embrace adaptive strategies as AI reshapes the financial dynamics of system intrusion attempts and digital protection. Microsoft showcased Security Copilot 2.0, now capable of generating detailed corrective action playbooks. The takeaway for CISOs: prioritise AI-driven security operations center (SOC) tools to improve response-time efficiencies, but prepare for new budget lines dedicated to model review and robust input validation testing.

The rise (and associated considerations) of agentic AI

The RSA Conference 2025 explored "agentic AI," focusing on its benefits and governance challenges. Autonomous systems like 1Password and Okta’s AI credential vaults are gaining traction, but concerns about oversight and accountability remain. SOCs must implement stringent logging to monitor actions, ensuring these agents operate securely and transparently.

Quantum-preparedness goes mainstream

As the Cryptographers’ Panel convened at RSAC 2025, veteran mathematicians—including RSA co-inventor Adi Shamir—warned that the industry’s fascination with AI is eclipsing a more pressing problem: the quantum challenge. Panellists argued that ransomware’s reliance on cryptocurrencies has distorted the original aims of public-key cryptography, yet they agreed the bigger danger is “harvest-now, decrypt-later” collection of today’s data before large-scale quantum computers arrive.

Their prescription was immediate crypto-agility: start mapping every RSA- or ECC-protected asset now instead of waiting for the final round of NIST post-quantum standards.

Regulators are now backing that urgency with hard deadlines. The UK’s National Cyber Security Centre roadmap sets 2028 for discovery of non-quantum-resistant keys and 2035 for full migration to quantum-resistant algorithms, explicitly warning against “last-minute chaos”. Australia’s latest Information Security Manual goes further, disallowing RSA, ECDSA and related primitives in high-assurance systems by 2030. Similar timelines are under discussion in Canada, Japan, and the EU, signalling that board-level compliance clocks are likely to start before the decade’s end.

Against that backdrop, RSAC speakers urged organisations to launch certificate inventories this summer, budget for hybrid transport layer security (TLS) deployments, such as X25519-Kyber, in 2026 and demand clear post-quantum cryptography (PQC) road-maps from vendors—steps that keep pace with both the regulatory deadlines and the accelerating digital challenge curve.

Consolidation and platformization accelerate

Cybersecurity vendors, like SentinelOne and Palo Alto Networks, are enhancing unified products with extended monitoring, identity protection, and cloud-native security. Analysts suggest platformization is a strategic priority to simplify tools and ease security team workloads. Organisations can streamline licenses, as vendors often negotiate margins for wider market reach, but experts recommend ensuring flexible API access for interoperability.

Identity and zero trust stay centre-stage

ProjectDiscovery’s victory in the Innovation Sandbox for its groundbreaking open-source system interface management suite underscores the growing intersection of identity and digital footprint management. A notable takeaway highlighted that machine identities now outnumber human identities in enterprises by a staggering ratio of 40:1. This imbalance is expected to drive new scrutiny of orphaned service accounts—a potential area of concern poised to compound further as the adoption of AI-driven agents accelerates.

Preparing for the Future

As cybersecurity evolves, organisations are urged to adapt swiftly. Experimenting with generative AI in SOCs can yield tangible progress in metrics like mean time to repair (MTTR). Meanwhile, mapping cryptographic weaknesses is no longer optional as regulatory timelines push post-quantum readiness to the forefront. With consolidation reshaping vendor landscapes, firms can secure favourable terms, provided interoperability isn’t compromised. Turning these pressing priorities into concrete strategies will define resilience in 2025’s cybersecurity realm.

In the fast-changing world of cybersecurity, IT leaders have to keep up with evolving threats and new technologies to stay ahead of attackers.

With nation states lending a hand to threat groups with more pointed aims than ever before, alongside the double-edged sword of greater AI adoption in cybersecurity, there’s never been a more worrying – and exciting – time to specialize in the field.

This episode was recorded live at RSAC conference in San Francisco by Scott Becker, director of Webinar Programs at ActualTech Media and Alan Liska, threat intelligence analyst and ‘ransomware sommelier’ at Recorded Future.

Together, the pair discuss the future of the sector, how threats like ransomware compare to emerging concerns such as quantum decryption, and why AI is the topic on everyone’s agenda.

Highlights

“I do think one of the things that we're starting to see… is more interest in data governance, more interest in knowing and understanding where your data is, both inside your network and outside your network. And I've seen a lot of vendors talking about that now as they grapple with the reality that data theft is such a big part of ransomware attacks.”

“China has really talented hackers. They always have and they now have 30-plus years’ experience with not just how to carry out attacks, but how to build the tools and how to develop the software and so on. So you can never discount that 30-year experience, what you can bring in. Most of what happens behind the scenes in Chinese nation state attacks in particular, we don't have access to, we don't have insight into, because we just don't know.”

“So I don't know about good ways to go forward, but it does seem like a lot of what we're talking about now is putting more of the onus back on the state and local governments for defense. I actually think that's a bad idea. It's not that states aren't capable, it's not that local governments aren't capable, there are a lot of really dedicated employees who work in security for those organizations. But you're going up against nation states, you're going up against China, Russia, and really advanced, even cyber criminal threat actors. You need the intelligence that CISA can provide.”

“So if quantum computing is 10 years away, governments need to start figuring out their encryption strategy now so they can start getting that data encrypted, to have it encrypted in time. I mean, that's just the reality.”

Footnotes

• RSAC Conference Day One: Vibe Is 'All In' on AI for Security
• RSAC Conference day two: A focus on new hacking tactics
• RSAC Conference day three: using AI to do more with less and facing new attack techniques
• Five things we learned from the 2024 RSA Conference
• “Governance is an irreplaceable role”: Microsoft Security VP on why diversity and sector expertise will keep security workers relevant in the age of agentic AI
• "There needs to be an order of magnitude more effort": AI security experts call for focused evaluation of frontier models and agentic systems
• ‘China has almost doubled their aggression in cyber’: Kevin Mandia and Nicole Perlroth warn organizations aren’t waking up to growing APT threats
• RSAC Conference 2025 was a sobering reminder of the challenges facing cybersecurity professionals

Subscribe 

• Subscribe to The IT Pro Podcast on Apple Podcasts
• Subscribe to The IT Pro Podcast on Spotify
• Subscribe to the IT Pro newsletter
• Join us on LinkedIn

RSAC Conference 2025 has been full on, with cybersecurity experts from all over the world descending on San Francisco to share trends, data, and announcements.

This year, ITPro has been providing both remote and on the ground coverage from the event, across talks covering topics such as AI security and threat actor methodology.

In this episode, Jane speaks to Rory about some of his RSAC coverage and key takeaways from the event.

Highlights

“This isn't new territory – we were having a discussion earlier and saying that quantum cryptography has been a point of discussion at RSA for many years. It's one of those situations where you have to prepare for it, even though it might be very far in the future, and you can't easily predict when a working quantum computer is going to become an actual threat.”

“Cisco has apparently found that when you fine tune AI models, it can actually increase the risk of the models themselves. So Cisco research found that tailoring models, say to your unique organizational style, data, can make them three times more susceptible to jail breaks and up to 22 times more likely to output harmful responses.”

“All of this is to say, amidst everything we're hearing about, threat actors using AI and threat actors focusing on new methodologies, the number one thing is still profit-driven groups, that are just people. They have Discords, they have Telegram channels, they message each other, they make major mistakes.”

Footnotes

• RSAC Conference 2025 was a sobering reminder of the challenges facing cybersecurity professionals
• RSAC Conference Day One: Vibe Is 'All In' on AI for Security
• “Governance is an irreplaceable role”: Microsoft Security VP on why diversity and sector expertise will keep security workers relevant in the age of agentic AI
• RSAC Conference day two: A focus on what attackers are doing
• "There needs to be an order of magnitude more effort"": AI security experts call for focused evaluation of frontier models and agentic systems
• Cyber defenders need to remember their adversaries are human, says Trellix research head
• RSAC Conference day three: using AI to do more with less and facing new attack techniques
• "China has almost doubled their aggression in cyber’: Kevin Mandia and Nicole Perlroth warn organizations aren’t waking up to growing APT threats

Subscribe 

• Subscribe to The IT Pro Podcast on Apple Podcasts
• Subscribe to The IT Pro Podcast on Spotify
• Subscribe to the IT Pro newsletter
• Join us on LinkedIn

RSAC Conference 2025 has come to an end, having once again acted as a leading platform for cybersecurity professionals to share the latest data, go into detail on new products and services, and debate some of the trickiest topics in their field.

Throughout the week-long event, attendees have heard about some of the nastiest ransomware groups currently operating, new benefits for defenders, as well as topics of concern that will bear fruit in the coming years.

Generative AI has, as predicted, dominated the discussion at RSAC Conference 2025, with a range of talks covering the extent to which it can empower cybersecurity teams and threat actors alike.

In keynote sessions, attendees were told how generative AI in security like Microsoft’s Security Copilot agents and Google’s Gemini security offerings can help cybersecurity analysts cut down their workloads and detect threats before they present an issue.

Throughout, however, it’s been evident that even the firms promoting AI uptake are keeping an eye on the potential for malicious use of AI and unforeseen AI harms. In particular, experts noted that the adoption of autonomous AI agents could come with great risks if not done right, even as the technology is used to empower cybersecurity teams.

“This is going to come with a whole new class of risks that we've never seen before, that we have to make sure we actually mitigate ourselves against," said Jeetu Patel, EVP and chief product officer at Cisco in the event’s opening keynote.

It’s no surprise that the RSAC Conference 2025 audience would be approaching AI from a place of skepticism, or even downright cynicism. Cybersecurity professionals are suspicious of technological hype by their very nature and the first to question whether digital transformation projects will introduce new vulnerabilities to their environments.

This isn’t to say that the old stereotype of ‘the department of no’ is true. John 'Four' Flynn, VP of Security and Privacy at Google DeepMind, noted that AI developers such as his own are themselves closely monitoring potential safety flaws in AI models, and urged security teams in customer organizations to have a plan to monitor AI behavior post-deployment.

If anyone in your office is going to be asking how predictable, open, and abusable an AI model is, it’ll be your CISO. This sentiment is backed up by recent Exabeam research, which found a widening gap between executives and cybersecurity analysts when it comes to AI enthusiasm.

The disparity was on full display when respondents were asked how much AI has improved departmental productivity – 77% of executives said it had driven significant improvement versus just 22% of analysts – while also highlighting that while over half (53%) of executives thought AI would increase job security, under a fifth (19%) of analysts felt the same.

But this isn’t necessarily cause for despair. Throughout the event’s sessions, experts have acknowledged that the cybersecurity community simply has to come to terms with AI adoption given the rate at which companies are adopting it.

“Start using AI,” said Daniel Rohrer, VP of Software Product Security, Architecture & Research at Nvidia, adding that from the simplest Copilot use cases to more complex deployments of AI agents,

Contributing to a session focused on the security challenges associated with AI, Rohrer added that sometimes getting the ball rolling can be as simple as pairing cybersecurity employees with one’s data scientists, so they can compare notes and ensure their AI adoption is secure by design.

Talks at RSAC Conference 2025 appeared to deliver a tone of rugged optimism, a kind of ‘roll up your sleeves and seize tomorrow’ message that balanced very real AI anxieties with a sense that if the security community can get a handle on the technology now, they’ll have the upper hand on attackers for years to come.

Panelists stressed that achieving this will require rapid action, with Jade Leung, CTO at the UK AI Security Institute, warning that emerging AI threats are moving faster than some have anticipated.

Getting ahead will require collaboration as well as technical excellence, attendees were repeatedly reminded. That this is something cybersecurity professionals can get on board with is self-evident – indeed, RSAC Conference 2025 is itself a testament to the collaborative nature of the community.

A focus on the fundamentals

It’s easy to get swept up in AI hype and overly theoretical conversations about the future of cybersecurity. But RSAC Conference 2025 pulled off a good balance between these talks and more actionable, practical advice.

In keynote speeches by the likes of John Fokker, head of threat intelligence at Trellix, as well as cybersecurity stalwart Kevin Mandia, former CEO of Mandiant and founder of the cybersecurity VC firm Ballistic Ventures, attendees were brought back down to Earth.

Fokker was able to ground his keynote speech largely in his hands-on work tracking members of the Conti group, notorious for its destructive ransomware campaigns,

Taking a similar tack in discussion with author and former cybersecurity reporter Nicole Perlroth, Mandia focused largely on the threat posed by China-backed threat actors and the emerging attack methodology demonstrated by these state-sponsored groups.

After so many days of AI-focused discourse, it was refreshing to hear Mandia advocate for as low-tech a solution as you can get to manage these rising threats: good cyber hygiene.

The security stalwart admitted that in spite of what he’s been saying for years, recent data shows that many breaches are preventable via proactive patch management first and foremost. Though he added that identity management and AI will become increasingly important, this was a moment of welcome ‘eat your greens’ simplicity in an otherwise multifaceted week.

There’s a world-weariness that comes with security events, a mood that’s hardly surprising when you consider the pressure CISOs are under from constant attempts to breach their organizations. But this only goes to make those moments of real enthusiasm stand out even more – as has been the case for some of the talks on AI agents for security.

RSAC Conference 2026 will, inevitably, revisit many of the major themes from this year. While attendees will walk away more convinced than ever that attackers will try to take them on, they can also hold onto the fact that the entire community is working on these problems.

Kevin Mandia sees the tit-for-tat global tariff escalations and general economic uncertainty related to geopolitical tensions leading directly to belt tightening by CEOs in 2025.

For the security audience he addressed on the third day of RSAC Conference in his recurring cybersecurity year-in-review keynote, the Mandiant founder said the message is clear.

“If there's any theme in RSA right now based on current events, [it’s] ‘How do we do more with less and more with the same?” Mandia said. “If you have to operate doing more with less, the AI race is on.”

Mandia’s key point aligned with the AI focus that has dominated all week at the security conference in San Francisco.

Many of the other keynote stage discussions on day three of the conference were dedicated to emerging attack techniques and problems, AI-related and otherwise.

Tom Gillis, senior vice president and general manager of the infrastructure and security group at Cisco, made reference to the “Volt Typhoon” attacks, whose motivation was a source of much debate at RSAC Conference.

“This year we saw attacks against a new attack surface. Switches, routers, and firewalls themselves are being attacked, and the goal of the attackers is not to steal credit card information,” Gillis said. “The goal of the attackers is to get in and stay in so they could turn the lights out when the time comes. So the stakes are pretty high.”

Joshua Wright, a faculty fellow with the SANS Institute, presented on a dangerous new technique called authorization sprawl.

“We're creating scenarios where adversaries are leveraging that centralized authentication process through single sign on, personal access tokens, sample tokens and the like, to be able to exploit how they're able to access different resources,” Wright said.

“This is something that we're seeing in our personal penetration tests, but we're also seeing it used by threat actors as well,” he said, identifying the ‘Scattered Spider’ team as a well-known threat actor using authorization sprawl.

“Their tactics aren't that sophisticated. They use their initial access and then they use all the resources available to them to be able to pivot throughout the network. And the thing that's so amazing about this is that their number one tool is just a browser,” Wright said.

Another security researcher on the same SANS Institute panel identified an emerging challenge related to the speed advantage AI-based attackers have over defenders and called for a legislative fix.

To establish the speed of adversarial AI agents, Rob T Lee, chief of research at the SANS Institute, cited MIT research showing that those agent systems can execute attack sequences 47 times faster than human operators.

“Speed is no longer the metric. It is the decisive weapon,” Lee said.

Even with AI to assist them, Lee contended, defenders are currently hampered by privacy laws, such as GDPR, CCPA and new European Union legislation governing AI and data.

“On the network analysis side, you can now ingest all the network analysis data into an LLM,” Lee explained. However, he noted, “This literally requires access to private data, emails, browsing history, [and] logs."

"Organizations must sanitize up to 78 percent of raw security data, taking seven to 12 minutes before that data action takes place that allows for analysis to then occur," he added.

Lee called for cybersecurity safe harbor legislation that would allow for organizations to analyze sensitive data strictly for threat detection and mitigation.

Much more detailed work must be done to evaluate the security and safety risks associated with adopting AI models, according to a panel of experts in the field.

At RSAC Conference 2025, representatives from Google DeepMind, Nvidia, and the UK AI Security Institute emphasized the current challenges involved with evaluating AI model risks and the uphill challenge security teams face to keep up with the rapidly-evolving nature of AI agents and complex AI systems.

Jade Leung, CTO at the UK AI Security Institute, said there is still a lot of open questions on the potential risks of agentic AI systems, with safety and security assessments currently unable to keep pace with the rapid development of AI systems.

Leung said that while many AI companies are working on adopting dangerous capability evaluations, it's a very hard process to do well and the extent to which it's an "evolving science" is underappreciated right now.

"We totally do see companies make substantial investments and build substantial teams, that are really running super hard at the problem," Leung said.

"And we see companies who haven't quite got teams are staffed up yet for a variety of reasons," Leung added, declining to give a specific example when prompted by Ram Shankar Siva Kumar, data cowboy at Microsoft and panel host.

"I think some companies are taking a really good stab at it, I think there needs to be an order of magnitude more effort on it really."

Daniel Rohrer, VP of Software Product Security, Architecture & Research at Nvidia argued that as AI systems become more complex, organizations will need to shift to evaluating entire AI systems.

He explained the likes of agentic AI and mixture of experts models are harder to assess from a security perspective, necessitating continuous to ensure organizations can still predict the behavior of the systems they've deployed.

"A lot of people are like, 'Oh well, this model did this horrible thing' – well, it's meant to be general purpose, it's meant to do 3,000 things, for the system I need it to just do one and I can force it to do that one very specifically and very narrowly."

"And that control, especially when we start thinking about AGI and others, that ability to exert control as complexity rises, as autonomy rises, is going to be really important."

John 'Four' Flynn, VP of Security and Privacy at Google DeepMind, agreed with the notion that security teams must repeatedly revisit the behavior of models and systems. He stated that AI developers can't entirely predict what a model will be like when they first start pre-training it.

"Any lab worth their salt has a whole team focused on leaderboards as part of post-training," he said.

However Flynn also acknowledged that even this step isn't good enough on its own.

He explained that his team has recorded discrepancies between how models rank on their red-teaming leaderboard, used to assess a model's resistance to attacks such as prompt injection, and the risks those same models show when released into the real world.

"What we've found is that's a good starting point but when you put it inside an application, when it has function-calling harnesses and there's indirect attacks that are potentially possible, your synthetic test environment doesn't always replicate what you're seeing in the real world.

Urging all organizations to start using AI wherever they can, Rohrer added that he's aware of the need for more hands-on support for leaders who don't know how to evaluate AI models they're looking to implement.

"You don't have to learn how to train models to help in this space," he said.

"I'm finding some of the best insights, for when I put data scientist and security folks together, is 'Hey, we're going to talk about this principle called control and data plane separation' and the data scientist is like, 'Well that's not how the model works at all' -- and we're like 'That's kind of a problem, let's have a conversation', even that is adding value."

Coming together as an international community to share intelligence on these risks and form better methods for benchmarking complex AI systems will be key, the panel agreed.

"Internationally, there needs to be some baseline of consensus about what we're actually talking about here, in terms of those capabilities and risks, and particularly when the risks are cross-border, and you can't really do much about it in a given country," said Leung.

AI threats and the evolving landscape

A recurring theme of RSAC Conference 2025 so far has been the evolving methods of attackers, particularly as they use AI to launch attacks more efficiently.

In response to a question on the likelihood of threat actors using AI to create polymorphic malware and other sophisticated code, Flynn acknowledged that AI models are becoming very good at writing in programming languages.

"In almost every respect that matters, this is really the year of coding," Flynn said.

He argued that the current AI leaderboards, which measure coding across a range of benchmarks and assign models an average 'ELO rating', a term originally taken from chess, show publicly available models are becoming incredibly sophisticated at code generation.

"If you just look at the ELO scores on coding webbench or various types of leaderboards, you'll see that there's this unbelievable increase in the coding performance by the frontier models. And, as you can imagine, that has a knock-on effect towards being able to do types of things that you're mentioning," he said.

Flynn clarified that while he's still unsure if it's possible to achieve these kinds of attacks with AI, he predicts that we'll know by the end of the year.

On even more theoretical grounds, the panel was divided over the degree to which artificial general intelligence (AGI) needs to be a consideration for security professionals at present. While Flynn was a co-author on a paper that predicted AGI could be created by 2030,

Rohrer argued that the date it arrives is less important than having the right framework to assess it when it does.

"What I'm really trying to understand is the divergence between my ability to measure the capabilities that are emergent as a collection, call it AGI, those capabilities and my ability to influence and control them," he said.

"As long as those curves are moving together, I'm feeling pretty comfortable about any timeline."

Cybersecurity professionals must remember they are fighting real people, not abstract threats, and recognise the increasingly blurred lines between cybercriminals and nation-states.

This was the message from John Fokker, head of threat intelligence at Trellix Advanced Research Center, during his RSA Conference 2025 keynote. Drawing on his background as a former Dutch high-tech crime unit officer, Fokker stressed the human element. "So often we forget that these cyber criminals are real people," he said. "It's tempting to anonymize threats ... but really they're just bad people, regular names sitting behind a keyboard."

Fokker, whose Trellix team provides threat intelligence to critical sectors, cautioned against over-focusing on advanced attacker tech. "A cybercriminal will always prefer a victim with weak passwords, bad patching and no MFA," he noted from experience.

A key theme was the convergence of financially motivated crime and state agendas. "In the past, you had very clear lanes of demarcation," Fokker explained. "Now those lines have blurred. Nation states are using proxies ... using cyber criminals ... causing disruption and stealing data."

He illustrated this with an investigation into the Black Basta ransomware group, leveraging leaked internal chats that revealed the group's leader, "Oleg" (formerly "Tramp" in the Conti group), and a concerning incident. "Last year, Oleg... flew from Moscow to Armenia. However, he was arrested upon arrival,” said Fokker. “Three days later, he escaped custody, and he was back in Russia."

According to the chats, Fokker said: "Oleg claimed government officials flew to Armenia to ensure he was escorted back safely," referencing a "green corridor" escape route allegedly arranged by a high-level official known as "number one." While these chat claims are unproven, Fokker asserted, "this story is just one example of the blurring lines between nation states and cyber criminals".

Despite potential state backing, attackers are fallible. Fokker described a Black Basta attack on a US healthcare firm where their encryption tool failed. "They made a major mistake," he said, which forced them to pivot to data leak threats after their primary extortion method failed.

Fokker championed collaborative intelligence sharing as the crucial defence. By mapping attackers' tactics, techniques, and procedures (TTPs) – the hardest elements for them to change – the security community can maintain detection even post-rebranding. "Once we know how they operate at the TTP level, we can spot them the moment they launch the next offensive, and that's where we hold the real power," he declared.

He concluded with a call for unity: "When you see your adversary... in clear daylight, fear melts away... Let's keep building, keep collaborating... because when we work as one community, there is no question we will reach the top."

A major focus of the second day of the RSAC Conference was sharing intelligence on what attackers are actually doing with emerging capabilities like AI, as well as quantum computing.

In separate keynote sessions Tuesday, senior executives from Google offered different perspectives about what threat actors, including nation-states, are doing with artificial intelligence tools.

Sandra Joyce, vice president of Google Threat Intelligence, detailed how advanced persistent threat (APT) groups from more than 20 countries, especially Iran, China, and North Korea, have accessed Google’s public Gemini AI services to enhance their attacks.

She provided evidence that attackers performed reconnaissance on target organizations, researched vulnerabilities, sought assistance with malicious scripting, fine-tuned phishing messages, and looked up evasion techniques.

Fundamentally, though, the attacker activity surfaced by Google Threat Intelligence was relatively low level.

“We haven’t yet seen indications of adversaries developing any fundamentally new attack vectors with these models,” Joyce said.

AI safety controls blocked some APT actors from carrying out more sophisticated AI-powered research and attacks, Joyce explained. Meanwhile, the tools themselves are capable of discovering vulnerabilities. She gave the example of Big Sleep, a previously shared vulnerability that Google uncovered with the help of an LLM. “We believe that this is the first public example of an AI agent finding a previously unknown exploitable memory issue in widely used real world software,” Joyce said.

While the empirical approach to analyzing data on the way that malicious actors are trying to use Gemini, Microsoft Copilot or ChatGPT can offer valuable clues to the actions of the attacker underworld, another Google executive in a keynote panel discussion on Tuesday provided important context about the limitations of relying exclusively on that type of data.

John 'Four' Flynn, vice president of security and privacy at Google DeepMind, pointed out that the operational security protocols of the most serious nation-state actors leave the industry mostly blind to their activities.

“I posit that most adversarial work will likely be on on-prem, open-weight models, or some sort of customized models that they’re building, because there is an issue of visibility,” Flynn said. “If you’re an attacker, obviously you’re going to be testing out all the things that are out there, but if you’re doing some really heavy lifting with AI, it may or may not be something that you do in the open.”

Another panelist with Flynn provided context about how quickly attackers appear to be moving in concert with the evolution of technological capabilities of AI itself to create new threats.

Jade Leung, CTO of the UK AI Security Institute – a UK government team of about 200 researchers – focused on how AI might affect national security risks in areas like chemical and biological attacks and terrorism.

“Clearly [AI] capabilities are moving faster than safety and security. There is a sense in which folks who are in the field, who work on these types of issues, feel like we are barely keeping up,” Leung said.

“Capabilities are not quite there yet in terms of posing significant, severe risk. But it’s not just the snapshot that matters, it’s the trend line that matters, and so the trend lines are pretty steep,” Leung said. “It is astonishing how much more capable [these models and systems are] getting in a very tiny amount of time.”

While AI is front and center as a security issue at RSAC Conference, a main stage panel on Tuesday also addressed another emerging threat — the potential for quantum computing to undermine current encryption practices.

Participants on that cryptography panel agreed that quantum computing was likely still more than a decade or more from becoming a decryption threat, but they made it clear that nation-state actors are taking offensive action now.

Raluca Ada Popa, associate professor and senior staff research scientist at UC Berkeley and Google DeepMind, called the technique “harvest now, decrypt later.” She said, “Attackers can import encrypted, confidential data now, and decrypt them later when quantum computers are ready.”

Whitfield Diffie, a pioneer of public-key cryptography, chimed in to explain why harvesting matters even if quantum computing is decades away. “There are vast tape libraries at NSA and all the rest of those organizations running back decades,” Diffie said. “I am quite confident that the oldest thing in NSA’s tape libraries probably comes from World War I, and surely is no later than World War II. So, of course, people are going to be working on our current traffic through the rest of the century.”

MIT professor Vinod Vaikuntanathan recommended that organizations protect sensitive data by employing one of the newer post-quantum encryption algorithms on top of a current algorithm like RSA or Diffie-Hellman. “The pragmatic thing to do is be conservative and employ what’s called hybrid encryption.”

Security teams can stay relevant through AI skills and by doubling down on the benefits of diversity, according to a Microsoft Security expert. Even as organizations adopt more autonomous AI security agents to keep up with the evolving threat landscape.

Vasu Jakkal, corporate vice president, Microsoft Security, took to the RSAC Conference 2025 keynote stage to discuss how the security field will be changed by the rise of agentic AI, autonomous generative AI systems capable of adapting to changing context to achieve a pre-defined goal.

Jakkal painted a picture of a future in which every organization and individual has an interactive agent at their disposal, suggesting agents could be more ubiquitous than apps and will act as “digital colleagues” that act in tandem with human workers.

This could come in the form of research agents to draw together knowledge on a given subject, and analytics agents for sifting through raw data. Or what Jakkal dubbed a “chief of staff agent” which could work with one’s home agent to coordinate business and personal schedules.

Against the backdrop of the massive changes Microsoft is predicting AI can bring to the threat landscape, there is continuing disagreement over the extent to which the technology will improve individual cyber roles.

Jakkal said that cyber professionals can look forward to more of their time back, driven by innovation like AI agents, but that first leaders would need to consider how best to define, direct, and guide the tools to automate tasks in the best possible way.

“Perhaps one of the most critical aspects of our roles is going to be governance,” she said.

“Governance is an irreplaceable role we need to focus on, because it is critical as defenders that we make sure these AI agents do what they are intended to do and to help and serve humanity the way they’re intended to.”

Stressing the subject matter expertise of all those in attendance, Jakkal said the innovative, predictive, and creative thinking that is innate to humans will lose none of its value even as AI becomes more commonly used. Adding to this, she stressed that diverse perspectives and cognitive diversity as important as ever.

“One thing we know for sure is the attackers we face are very diverse, they come from all backgrounds and all facets, and the defenders need to make sure that we can think of all those facets.

“The AI that we build in security, that we use in security, needs to have this diversity at the heart of it.”

AI skills shortages continue to be a stumbling block for some organizations and regions, with some workers still only pretending to understand the technology even as prominent executives warn it’s a choice of upskill or be left behind.

Jakkal said that AI skills are a necessity, with cybersecurity leaders now required to become AI leaders as well.

“Developing AI, learning AI, is not going to be a nice-to-have – for us to thrive in this new world, it’s a must-have,” she said, adding that though the learning curve can be uncomfortable as with any new skill, it’s necessary to keep up with emerging AI-driven threats.

The AI threat landscape

Despite the benefits of AI for defenders in this future of ubiquitous, capable agents, Jakkal was clear that attacks will also increase as AI makes attacks easier to perform. She said it will therefore be critical for security teams to ensure that they can defend and respond to increasing threats.

“Last year when I was here with you all, we were facing 4,000 password attacks per second,” Jakkal said. “This year, it’s 7,000 password attacks per second – that’s 600 million attacks a day.

Microsoft is already seeing an uptick in sophisticated attacks linked to AI, Jakkal said, with attackers using the technology to get a leg up on traditional defenses.

“They’re using it to get more productive, they’re using it to launch new kinds of attacks, whether it’s new vulnerabilities that they can find, or malware and variants of malware, phishing and doing social engineering, intelligent password cracking, and then of course there’s deepfakes,” Jakkal said.

Jakkal also emphasized that agents raise their own complicated list of security considerations, for which organizations must prepare.

Identity controls, she said, will be needed to define the data agents are given access to as well as which users they can work alongside, will be key. She also invited the audience to consider how agents can be shielded from external or even internal users who could jailbreak them, noting that 20% of data breaches today are caused by insiders.

Organizations will have to ensure they observe and audit their own AI agents, Jakkal added, to prevent attackers from using prompt injection to jailbreak them for their own malicious gains.

“Identity is going to be a critical element of AI throughout its lifecycle. AI agents are going to need identities, they’re going to need to understand zero trust and how we verify them explicitly, manage least privilege access,” Jakkal added.

Above all, Jakkal stressed the need for cybersecurity teams to change with AI, to ensure AI implementation meets governance and compliance requirements. This will mean shifting from a static to a dynamic governance model, so that policies can keep up with shifting AI agent identities.

Of course, AI agents could be a core solution to these problems. Microsoft is already using AI agents for security, as part of its Security Copilot offering. In March, it announced 11 new agents covering areas such as phishing triage, threat intelligence, and gaps in identity policy.

In the future, Jakkal said that AI agents could be used to predict attacks and stop them before they happen, rather than simply respond to them, as well as to automate identity management and flag data that’s at risk.

Microsoft, she said, believes that in the next two years, AI will move from level zero autonomy – those systems that can simply automate repetitive tasks – to level three autonomy, in which it can set its own goals to achieve a more complicated outcome.

“Tomorrow, it’s going to be more autonomous, where it’s going to be able to create its own sub-goals, maybe change the models itself to achieve its goals and take these actions serendipitously and autonomously.”

Artificial intelligence dominated as an opening day theme of the RSAC Conference, commanding attention from established security vendors and startups alike.

"AI [has] changed everything," Hugh Thompson, the conference's executive chairman, said in opening remarks for the annual security event. "The way that attackers operate is changing dramatically – the pervasive use of AI, the rapid adoption of AI, the security implications of that, massive changes to what we do, and how we might do it."

Generative AI technologies like ChatGPT, DeepSeek, and Copilot, were the catalyst for the momentum around AI. But AI discussions highlighted at RSA have moved beyond generative AI to agentic AI; application of AI to traditional security domains, especially in the security operations center; AI-driven application security; defending against adversarial attacks on large language models (LLMs); and compliance and governance.

In a keynote, Vasu Jakkal, corporate vice president for security at Microsoft, called agentic AI one of the most exciting inventions of our time due to its ability to "help us achieve rapid competency in not just one domain, but across all."

With that said, Jakkal contended security is a key early adoption area for AI. "I do fundamentally believe AI has the best use case, or definitely the most serious use case, in security," Jakkal said.

In another keynote, Cisco Executive Vice President and Chief Product Officer Jeetu Patel also predicted that security would be a key driver for AI adoption, which he framed as ironic given security practitioners' tendency to put the brakes on new technologies.

"Security is actually getting to be one of the largest accelerators of AI adoption in the market today, and it's actually fascinating to see, because in the past, security used to be an inhibitor for adoption," said Patel, attributing that turn of events to the market need for assurances of safety when it comes to letting AI agents loose inside corporate environments.

To that end, Patel announced that Cisco was releasing its own open source AI model built specifically for security purposes on Monday. "We're using general models out there in the [security] market, and what the security community needs right now is its own AI model," he said. "If you want to solve hard security problems, you want to make sure that those models that are built for solving those problems are purpose-built for security. They aren't the same model that's also used to write poetry."

At the startup end of the market, the annual RSA Innovation Sandbox competition also delivered a heavy dose of AI. Of 10 finalists presenting their elevator pitches to a panel of VC and other industry luminaries Monday morning, seven of the companies had prominent AI components to their businesses.

"We all know agentic is the future," Benny Porat, co-founder and CEO of Twine Security, said in his pitch. Another participant, Eran Barak, co-founder and CEO of MIND, said, "We are currently living in the AI era, which is both inspiring and alarming."

While judges had selected the finalists out of 200 submissions, they also had tough questions for the startups that reflected some of the AI-related issues the security industry is wrestling with.

Of Twine's plan to deploy multiple AI agents for security purposes, Niloofar Razi, operating partner at Capitol Meridian Partners, had concerns. "They say controlling AI is like trying to keep Frankenstein's monster under control," she said. "It's built from a lot of parts and once it's alive it doesn't always do what its creator asked it to. So you guys are planning on launching a lot more agents. Are they going to be intelligent, are they going to learn from each other, and if they are, how do you control the chaos?"

Of a contestant planning to use AI to check on the validity of another AI process, independent researcher Paul Kocher worried about the resource demands that already have major AI providers looking to reopen shuttered nuclear power plants or build new, small reactors.

"If every AI query generates more queries to check whether the inputs and outputs are appropriate, then we just have this infinitely spiraling set of compute costs and power consumption," Kocher said. "Is this really scalable?"

Moinul Khan, co-founder and CEO of Aurascape AI, articulated the bullish attitude shared by many security executives at RSAC.

Asked how much an enterprise would spend on their AI-focused solution relative to their spending on more traditional security technology like firewalls, Khan expressed confidence in the trajectory of the market.

"We are only focusing on AI. But our theory is that in the next couple of years, when AI becomes mainstream, we are going to be much more relevant," Khan said.

Hello and welcome back to ITPro's live RSAC Conference 2025 coverage. It's the third day of the event, which has covered such a wide range of cybersecurity topics already.

This morning, attendees at the Moscone Center in San Francisco are due to hear from Kevin Mandia, founder at Ballistic Ventures and former CEO at Mandiant, as well as cybersecurity author Nicole Perlroth, in a conversation centered on the past year in cybersecurity. The conversation will shift to predictions for the year ahead – and we'll be bringing you all the latest.

Remember, if you've missed any of RSAC Conference 2025 so far, you can catch up below.

It's just a few hours to go until the first keynote, which begins with a session titled 'Cybersecurity Together', led by Thompson (as outlined in the introductory paragraph above).

In this session, we're expecting to hear about how cybersecurity collaboration can accelerate knowledge sharing, advance research, and expand the cyber industry.

While we're waiting for the keynote to begin, it's worth looking at some of the key themes for RSAC Conference 2025. I covered these in my pre-conference analysis piece here:

• What to look out for at RSAC Conference 2025

We've already had some RSAC news out today from Cisco and ServiceNow, in the form of a new AI security partnership. With the opening keynote centered around working together to improve the overall cybersecurity landscape, it's a timely announcement.

We're just a few minutes away now from the opening keynote, with Hugh Thompson set to take to the stage.

And we're off, with a montage showing the challenge facing security professionals and how cybersecurity professionals are brought together via RSAC.

As a surprise, the award-winning musician Common has taken to the stage.

"I know a lot of people don't know what exactly all you people do," he says, acknowledging the service that cybersecurity professionals provide to wider society.

Common says that great things, growth, and a step toward a better world is possible when people come together.

"I don't want to skip over the notion that community is a way of life," he says, paying a lyrical tribute to the RSAC cybersecurity community.

This has become a rap about the cybersecurity community, with Common saying the cyber professionals in the audience have been through "digital fires" to reach "gold" outcomes.

"As we go on and on, you know this conference is going to peak and change things," he says.

"Thank you for your cybersecurity, from your hearts I can feel the purity."

Common has left the stage – and we're back to regular programming with Hugh Thompson, executive charman & RSAC conference program committee chair at RSAC, taking to the stage.

"In these times, that's the message that we need: community. It's what makes us strong in cybersecurity. It's community," Thompson begins.

Thompson says the New York Times Stock Exchange flew its opening bell over to RSAC, so it could ring in the start of the conference at 6:30am.

Moving on, Thompson pays tribute to the range of companies and entrepreneurs who took part in its Innovation Sandbox competition. And that's all just day one, he says, with a packed schedule to look forward to in the week ahead.

"There has never been a more important time for us to come together as a community," Thompson says.

"So much is changing., The way that attackers operate is changing dramatically – the pervasive use of AI, the rapid adoption of AI, the security implications of that."

Thompson wants the community to consider how they can "operate with purpose", as well as how defenses can be maintained in the midst of great change.

It’s the 34th year of the conference, he says, with more than 44,000 attendees onsite at the Moscone Center.

“We convene because we need each other,” Thompson says.

“We convene because we need to learn from each other, we convene because we need to calibrate with each other.”

"It is incredible to see the power than can happen when you bring this group of human being together," he adds.

At this year's event, there will be more than 400 educational sessions – not to mention the enormous expo hall – and Thompson acknowledges that this can be difficult to navigate. To help the audience through it, he’s now leading us all on a tour through the “world of statisticians”.

The first kind of statistician that Thompson is focusing on is 'frequentists', those folks who really enjoy counting things, making a record of events over a long period of time.

To give a practical example, Thompson describes an experiment he conducted along with his children – to figure out the odds of pulling a green M&M out of any given packet. Frequentists would survey thousands of bags, he says, to get to the odds.

Bayesian statisticians, on the other hand, are willing to accept change and even the fact that their original hypothesis could be wrong, Thompson explains.

A bayesian looking for the odds of a green M&M, he says, would survey a few bags and then go around asking people if they remember the color of the first M&M they pulled out of the last packet they had.

The point of this, Thompson says, is to be open to change.

"Often, when they talk to somebody, they get changed in the exchange – and the other person gets changed too. And I think this is a fascinating mindset to approach RSAC conference, be open to change," he says.

Thompson wants attendees to approach the conference as a Bayesian. He urges audience members to interact and use the opportunity to meet peers from all walks of cyber, across various sub-disciplines and verticals.

To illustrate his point, Thompson gets audience members who have never attended this event before to stand, then those who are veterans – first those who have attended at least five, then at least fifteen, RSAC conferences.

RSAC has been on an evolutionary journey, Thompson adds, and has given a lot of thought to how the months in between each event can best be used.

"We have developed, based on what you told us, a first version of a community platform. Something we think can help you connect with others and learn all throughout the year," he says.

RSAC has also, Thompson says, worked with a team of data scientists to develop a tool called 'Cybersecurity Atlas'.

This shows the relative importance of any given trend to cybersecurity workers, with color-coding.

To show what means, Thompson gestures to a display with three blue circles representing AI in the years pre-LLMs. In contrast, the updated view for AI shows a cluster of circles, representing the technology's penetration throughout all areas of cybersecurity.

The number one term "by far" across all the data was agentic AI, Thompson says, with this and autonomous security systems set to be a major focus throughout the conference.

It's a topic ripe for discussion. Thompson says there will be sessions on agentic AI identity, governance, and traceability throughout the week.

The application of AI for traditional security domains – particularly how AI will integrate in the security operations center (SOC) – is also a major topic, Thompson adds.

Using Cybersecurity Atlas, RSAC has also been able to make a prediction for the biggest topics of 2026.

The first of these is primarily AI-driven application security, with "practical" adversarial attacks on LLMs also predicted to be a big worry for next year.

For his parting words, Thompson once again implores the audience to be more Bayesian.

"There is not one single person that you can't learn something new from," he says.

Emphasizing the bonds that form when people are open to exchange, he challenges the RSAC community to become even stronger.

"I ask you as you approach this week: what can you give to this community and how can you learn more from the incredibly dedicated folks that are in this room?"

And with that, Thompson takes his leave from the main stage.

We're now hearing from Jeetu Patel, EVP and chief product officer at Cisco,

"If you look at what's happening right now within the world, the body of work that each and every one of the security practitioners in this room and beyond are doing is so phenomenally important," Patel says, adding that cybersecurity organizations and are shorting up national security and helping human safety overall.

But cybersecurity is also getting more difficult because AI is changing the whole landscape, he says.

One of the biggest shifts in the coming years, Patel says, will be the "huge augmentation of robots, of AI agents, of humanoids, of AI apps".

Patel says that the world population of eight billion people will feel more like it has a throughput capacity of eighty billion as a result – bringing all kinds of challenges along with it.

"This is going to come with a whole new class of risks that we've never seen before, that we have to make sure we actually mitigate ourselves against," Patel says, adding that AI will be the hardest challenge in the past 30 years of cybersecurity.

Complexity is the main reason for this, Patel says. Infrastructure used to be three-tiered, with infrastructure, data, and application topped with a presentation layer, he explains, but AI has inserted a 'model layer'.

This AI model layer contains many models, which are "non-deterministic" meaning it can't be reliably predicted. Patel says this inherently opens organizations to risks, in the categories of AI safety and AI security.

On safety, Patel questions whether issues such as AI hallucinations and toxicity can affect our trust in AI-powered apps. On security, he suggests that external attacks on models could affect their behavior.

As a practical example of the latter, Patel points to a recent Cisco study that found DeepSeek could be jailbroken 100% of the time using malicious techniques, compared to just 26% of the time with OpenAI's models.

Enterprises have spent the past few years pursuing greater fine-tuning of foundation models to tailor them to their unique organizational data and style. But Patel says this makes models three times more susceptible to jailbreaks and 22 times more likely to output harmful responses.

He says leaders must focus on securing AI and using AI for security.

On the latter, Patel says human-scale defense activity will "no longer be sufficient when the attacks are happening at machine scale". But first we're honing in on securing AI itself.

To achieve this, Patel says organizations must focus on visibility, validation, and run-time enforcement. The first two focus on monitoring models and confirming that they're not operating in a risky manner.

The third, run-time enforcement, means establishing guardrails that can operate at the level of responsiveness necessary to rein in potentially risky AI.

Patel says validation has to happen at machine scale for AI models – explaining that human red-teaming just won't live up to the task. For example, a user can jailbreak models using abstract prompts but these are easier to discover at algorithmic scale.

AI model developers are already putting guardrails in place but each is inconsistent with the last, Patel says.

"You need to have a common substrate of security that goes across every model, every agent, every application, across every cloud," he says.

"It's going to be irresponsible in the future for application developers to not use something like this, so that they can make sure that they've consistently applied security and safety across every single one of these models."

All of this means security is accelerating, not inhibiting, AI adoption, as leaders demand sufficient controls are put in place for adopting AI safely. Patel explains that this is a massive shift, as security teams used to be regarded as blockers for adoption of new technologies – fuelling a false choice between productivity or security.

Going back to using AI for security, to adopt more autonomous defenses, Patel says there are still three key challenges,

The first of these is skill shortages.

"Very few security practitioners worry about AI taking their job," Patel says. "What they worry about is 'If I don't have AI, will I be able to do my job effectively at scale, given the volume of attacks which I'm expected to go out and deal with with the same level of spend?'"

The next is alert fatigue, which can overwhelm security teams and make finding the signal from the noise very difficult.

Finally, the complexity of the security landscape is a challenge in and of itself, Patel says.

"There's about 3,500 vendors in this market, no one owns more than ten to twelve percent of the market, on average people have between 50-70 products within theri cybersecurity stack – and the complexity is untenable."

Overall, Patel says, AI in security is slower than in other industries.

The first reason for this is that AI is still too general, Patel states, with more security specialization needed. He says Cisco's Foundation AI Research Lab is a step toward this and announces the release of a new Foundation AI Security Model.

The 8-billion-parameter model has been trained for efficiency and fine-tuning, with Patel adding that it can run on one or two Nvidia A100 GPUs. The model and its tooling will also be made open source, with the intention of empowering the cybersecurity community to band together against adversaries.

Patel describes an example situation in which a SOC operator receives a wave of cybersecurity alerts and the Foundation AI Security Model and associated agents are able to identify the attack methodology, produce a confidence and severity score, complete further investigation, and produce a compliance report.

In the future, Patel suggests agents will be able to work together to detect and prevent breaches, massively driving down the cost of sophisticated security.

Cisco believes the sector is headed toward what it calls 'Super Intelligent Security', in which human workers, AI models, and AI agents collaborate to massively improve defenses.

Cyber attacks don't just come from nowhere – they're launched by hacking groups and many are launched by nation states. Here to tell us more is John Fokker, head of threat intelligence at Trellix.

Fokker begins by explaining how he used to be an officer in the Dutch National High-Tech Crime Unit, with the audience just having seen footage he shot of a raid on CTB ransomware group threat actors.

In his current role, Fokker says his goal remains the same: "To give bad people a bad day."

While attendees will hear lots of new announcements surrounding products and services over the course of RSAC Conference 2025, Fokker also says the audience should remember what they're doing: protecting organizations.

"So often we forget these cybercriminals are real people and it's tempting to anonymize threats, give them elaborate names for research purposes, but really they're just bad people with regular names sitting behind a keyboard."

Fokker also says that while AI attacks are interesting to focus on, attackers always prefer easy attacks against poorly-defended victims. Ransomware, he says, is another name for the very old crime extortion.

We're moving into the meat of Fokker's talk now, as he explains the lines are blurring between hacktivists, cyber criminals, state-sponsored groups.

Nation states are using companies as proxies, he says, as in the recent case of Salt Typhoon.

To give an even more recent example, Fokker talks about a recent leak on Telegram that Trellix dubbed 'The Panama Papers of ransomware'. It concerned the Black Basta group, with chats demonstrating a clear link between the ransomware group and a government.

"They worked in a normal office building, they had an HR department, a vacation policy, scheduled work hours, entry-level employees, middle managers, C-suite," Fokker says. He adds that his team were even able to identify the location of the Black Basta cafeteria within the Moscow HQ: the first and third floors.

More notably, Fokker says they were able to identify 'GG', the group's leader, as an individual named Oleg who is wanted by the FBI. He adds that Oleg used to be a member of the Conti group under the alias 'Tramp'.

Leaked conversations showed Oleg had claimed he was able to escape law enforcement in Armenia due to close ties with a high-ranking government official, Fokker explains. He adds that this isn't an isolated incident, as Conti and EvilCorp have shown similarly strong connections between governments and cyber gangs.

Numerous companies, he says, offer intrusive services for nation states and this undermines the worldwide security landscape.

The motivation isn't just political, but financial, Fokker adds.

"If cybercrime were a legitimate industry, it would be the world's third-largest economy," he says, with cybercriminals set to generate more than $10 trillion this year.

The important thing to remember, Fokker says, is these groups are beatable at their own game because they're only human. He points to Black Basta's major attack on a US healthcare provider in 2024, which spiralled out of the group's control and left it unable to decrypt the data.

"A reliable decryption process is fundamental to their business model," Fokker explains, with Black Basta forced to resort to threatening to expose public data for profit – and failing.

Black Basta will rebrand down the line, Fokker says, but the cybersecurity community gets stronger every time it identifies their tactics, techniques, and procedures (TTPs).

"According to the pyramid of pain, TTPs sit at the top – it's the most difficult to change for a threat actor. Once we've mapped out their playbook, any code tweaks, quick rebrands, won't mask their underlying behavior.

"Once we know how they operate at the TTP level, we can spot them the moment they launch the next offensive – and that's where we hold the real power."

Fokker rounds his talk out by bringing it back to Thompson's theme of collaboration, describing how it takes a full community to form these maps. Together, he says, cybersecurity professionals can critically undermine these threat groups.

"When we know who's targeting us and how they operate, we gain the clarity to fight back," Fokker says, adding that by bringing adversaries into the light as a community, these criminals can be more effectively taken down.

"And winning is not that we're going to eradicate crime, but the win is by working together we become more robust and agile to withstand these kinds of attacks. Whether you're on the vendor side, or in the frontlines of your own organization, you are a part of that resilience."

Vasu Jakkal, corporate vice president, Microsoft Security, is now rounding the session off with a detailed look at how agentic AI will impact security – read more about that here.

For now, that's the day-one keynote over and RSAC Conference 2025 truly underway. Stay tuned throughout the week for the very latest from all the keynote sessions, as well as detailed analysis on the biggest announcement and what it all means for IT leaders.

Hello and welcome back to day two of RSAC Conference 2025. We're waiting for the imminent start of today's first keynote session: 'AI Safety: Where Do We Go From Here?'

While we wait, you can read some of my own insights into why this conversation will be especially interesting in my piece What to look out for at RSAC Conference 2025.

We're hearing now from Sandra Joyce, VP Google Threat Intelligence at Google Cloud, on the topic of using AI for data-driven insights "beyond speculation".

Joyce begins by noting three major AI patterns:

• Speculation: Talk on AI's value in the short and long term.
• Experimentation: Security teams trialling AI solutions to see how it can be implemented effectively.
• Anecdotal: Stories about AI, potentially based on one-off incidents, which add to a distorted perspective of the AI landscape.

To break through this chatter, Joyce recommends security teams focus more on the evidence.

"With so many different potential adversarial use cases related to AI, we need to prioritise the most prominent attack vectors," Joyce says.

On top of this, Joyce says that organizations need to better understand how AI can meaningfully improve their security outcomes in the next six to twelve months, as well as cut costs.

To give a practical example, Google Threat Intelligence investigated known threat actors and analyzed how they're using AI, particularly Google's own public model Gemini.

Google Threat Intelligence identified active persistent threat (APT) groups from 20 distinct countries, particularly Iran, China, and North Korea, and examined how they're using AI.

The results showed APTs are mainly using AI for common tasks, finding no evidence as yet that threat actors are coming up with new AI-driven attack vectors.

"Ultimately, attackers are using Gemini the way many of us are: as a productivity tool," Joyce says. "They help to brainstorm or refine their work, that type of thing."

Joyce adds that Gemini's built-in safety features were also found to prevent attackers from completing "explicitly malicious" using the model.

Common APT uses for Gemini were found to include:

• Reconnaissance on targets
• Researching vulnerabilities
• Assistance with malicious scripting
• Evasion techniques
• Delivery methodology

"Threat actors, use Gemini to gather information on target organizations and research topics of interest. For example, Iranian APT actors research specific defense systems including researching information about specific unmanned aerial vehicles, jamming F-35 fighter jets, anti-drone systems, and lsrael's missile defense systems," Joyce says.

"North Korean APT actors, meanwhile, research nuclear technology and power plants in South Korea. This included site locations, recent news articles, and the security status of the plants themselves."

Joyce adds a different North Korean threat actor used Gemini to help writing code in C++ to detect virtual machine (VM) environments and Hyper-V VMs, with the intention of sandbox evasion.

Many threat groups used Gemini to develop sophisticated text lures for phishing attacks, Joyce says, such as the Iran-based APT42. The same group used Gemini to translate text into specific outputs such as colloquial English.

With this threat picture well-sketched, Joyce turns to the defensive capabilities for AI.

"Gemini is helping security analysts do their job better and faster today, supporting things like vulnerability detection, incident workflows, and malware analysis," Joyce explains.

"These are use cases we recommend CISOs really lean into right now, to harness AI's potential, where we're already seeing value. For example, we see really exciting potential for Al to help discover vulnerabilities."

Google's 'Big Sleep' AI framework can be used to discover vulnerabilities, Joyce says, having found an exploitable stack buffer underflow in SQLite in October 2024.

"We believe that this is the first public example of an AI agent finding a previously unknown, exploitable memory safety issue in widely used real-world software," Joyce says, emphasizing the huge potential it shows for using AI to help defenders fix vulnerabilities before attackers discover them.

It isn't a silver bullet, Joyce adds, as attackers may one day use similar methods to identify exploitable flaws.

AI is also helping improve more traditional cybersecurity techniques such as fuzzing, in which security experts feed random inputs into systems to discover flaws or bugs. Joyce explains how Google has used LLMs to increase coverage for fuzzing by as much as 7,000% and reliably improve coverage from human-driven 30% to 60% within the platform OSS-Fuzz.

Google is also ringing the bell for using AI agents to enrich the tasks of security analysts – similar to the talk by Microsoft Security's Vasu Jakkal in last night's keynote.

Internally, Joyce says Google has used Gemini to write incident summaries 51% faster and improving their overall quality – verified by blind taste tests.

It's also using AI agents to summarize incidents, condensing hours' worth of work to a few seconds.

Organizations can also benefit from AI agents when it comes to malware analysis, Joyce says, with this being an area rife with skills shortages. Gemini, she says, can assess whether code is harmful even if it's never been seen before and can't be compared to samples in VirusTotal or similar databases. In tests, it was also able to do this in just 27 seconds.

The audience is told it's not just organizations that can benefit from this technology, but nation states. Here to explain more is Mohamed Al Kuwaiti, head o cyber security at the United Arab Emirates Government.

He says that the UAE has been using AI to meet AI-driven compliance, implementation of smart solutions, and data privacy and confidentiality.

"And the UAE intends to take this further in the future with Al-based initiatives such as establishing a cybersecurity center of excellence, advancing cybersecurity through Cyber Pulse, [and] hosting the Quantum Innovation Summit by 2025," says Al Kuwaiti.

Joyce is now back onstage, to remind the audience that as we embrace AI agents, cybersecurity professionals need to make sure they don't simply get swept up in the hype.

"Don't just believe all of the Al claims being made in our industry," she says. "Go and actually test them against robust metrics. Judge your systems so that as you progress on your Al journey, you're proving out the value of the technology. And we've only scratched the surface today of how Al is actively shaping the cybersecurity landscape right now."

With that, our coverage of the day-two keynote on the live blog has come to an end. But stay tuned for detailed coverage from two of this morning's talks on the ITPro site, covering both AI safety and what AI means for cryptography.

As RSAC Conference 2025 rolls into its third day, we've been covering some of yesterday's panel discussions in greater detail. Check out our articles below to get a deeper look at the event's biggest topics:

• "There needs to be an order of magnitude more effort": AI security experts call for focused evaluation of frontier models and agentic systems
• Cyber defenders need to remember their adversaries are human, says Trellix research head
• RSAC Conference day two: A focus on what attackers are doing

Cisco and ServiceNow have kicked off RSAC Conference 2025 in San Francisco by announcing a new aspect of their seven-year collaboration. It brings together the former’s AI Defense product with the latter’s SecOps, with the companies claiming the integration will provide “more holistic AI risk management and governance”.

Speaking ahead of the announcement, Cisco’s EVP and chief product officer Jeetu Patel told reporters: “We think the hardest thing in the history of security has been with AI – and the largest opportunity in the history of security has been with AI. And you will see as evidence of that right now is attackers are getting far more sophisticated.”

“We need to operate as an ecosystem and make sure that we’re leveraging each other’s strengths,” he added.

For mutual customers of Cisco and ServiceNow, this means an integration between Cisco AI Defense, which it launched in January 2025, and ServiceNow SecOps.

AI Defense will act as an enforcement layer, according to the companies, identifying threats and vulnerabilities specific to AI. SecOps, meanwhile, will bring workflows and automation to allow IT and security teams to respond to the potential issues surfaced by AI Defense.

Commenting on the partnership, Amit Zavery, chief product officer and chief operating officer at ServiceNow, said: “If customers are looking at ways Cisco is helping them and they want service now be part of that integrated solution, we wanted to make sure we do that properly and provide a much more seamless experience for our customers as well, so that we can solve the end to end problem instead of customers having to deal with all those things themselves.

“The work Cisco has been doing around AI security, as well as the broader security portfolio Cisco has, was very attractive to all of us here at ServiceNow, and we've been able to… work together to really create something unique for the customers.”

Patel, meanwhile, said that bringing the two services together “could have an exponential kind of return back to the customer”.

“Virtually every customer in the enterprise is a Cisco customer and a ServiceNow customer. So we already have the customers, they already had invested in both of us. They were interested in making sure that we could help them do a better job at harnessing the investment. So this seemed like a match made in heaven,” said Patel.

“We're going to be very methodical about getting something out, getting it validated in the market, making sure that there's success, and continue to keep innovating on it,” he added.

In terms of availability, organizations that are customers of both companies can expect to make use of this integration from the second half of 2025.

RSA Conference 2025 is just days away from kicking off, with attendees from around the world gathering to share information on cybersecurity trends, the latest attack methodologies, and collaborative efforts to protect organizations from hackers.

ITPro will be covering the four-day event, including live blogs from all three keynotes and detailed reports on expert-led panels.

As we count down the days to the conference itself, here are my top three predictions for notable topics at RSA Conference 2025.

AI agents take the spotlight

AI inevitably dominates the talking points at tech events these days, with every major vendor invested in the technology to some extent. While AI is being used for productivity gains by companies such as Microsoft, cybersecurity may be the area where it can deliver on its potential the most.

Automated threat responses have long been a cybersecurity mainstay, and generative AI and advanced machine learning models have turned this up a notch. In particular, AI agents can help cybersecurity workers automate tasks and continuously monitor enterprise networks for potential threats.

AI agents are sure to come up throughout RSAC Conference 2025, but the key session to watch out for here is ‘Security in the Age of Agentic AI’ led by Vasu Jakkal, Corporate Vice President, Microsoft Security.

Security AI agents can benefit greatly from access to detailed, real-time threat data, typically available via proper integration within one’s public cloud environment. Microsoft is already making good use of this with agents across its platforms, including Sentinel, Entra, and Intune, working to track endpoint and identity threats and prevent them from escalating.

Though there are many potential benefits of AI for security teams, recent research suggests that analysts aren’t as optimistic about it as executives. More detail on the use cases of AI agents for security teams, particularly features that can be purchased today, rather than anything theoretical, could help sway more cynical attendees.

AI regulation, risks, benefits

Despite regular AI Safety summits since the first in 2023, there’s still a great deal of regulatory uncertainty around AI, and this is holding some firms back.

Legislation such as the EU AI Act takes a ‘risk-based approach’ to AI models, with the security and trustworthiness of specific AI models central to the region’s approach to AI adoption.

This will be covered in detail in the day two keynote session ‘AI Safety: Where Do We Go From Here?’, in which experts from the UK AI Security Institute, Nvidia, Google DeepMind, and Microsoft will discuss how businesses can approach AI safety.

While the experts may well focus on tangible issues such as AI hallucinations, I’ll also be looking for broader guidance on responsible AI adoption and how AI model deployment can be done in a secure manner.

How to keep AI systems safe from would-be attackers is also likely to feature on the agenda and could prove valuable for leaders looking to reassure their security teams that AI adoption in 2025 can be done without compromising safety.

I’ll be listening closely to the views expressed by Jade Leung, CTO at the UK AI Security Institute. The government organization, which rebranded in February to shift its focus from the concept of AI safety to the most serious risks associated with AI, is now focused on tangible threats such as AI-powered cyber attacks rather than AI bias or ethical AI.

Of course, even in a system with perfect laws on AI, attackers will still try to circumvent the technology or harness it for their own aims. To find out how the technology is being used for both good and bad, we can turn to the day three keynote session, ‘Cybersecurity Year-in-Review and The Future Ahead’.

Here, audiences are set to hear from Kevin Mandia, general partner at Ballistic Ventures and former CEO and founder at Mandiant. He’ll be joined by cybersecurity author and former cyber reporter Nicole Perlroth to discuss the overall cybersecurity landscape.

We can expect some harsh truths here and a likely focus on the need for resilient AI adoption to stay ahead of the latest attack types.

In February, Mandiant appeared on the ITPro Podcast, Mandia was clear that defense teams still have the advantage when it comes to using AI, rather than hackers using it for malicious purposes. That said, this is a changing field, and Mandia said hackers will continue to innovate.

“If you create a web application, you can make an assumption there's going to be an artificial intelligence coming at your web app just looking for any way to exploit it, which just means you're going to have to have some kind of automated way to secure it,” Mandia said.

In his keynote conversation, we’re also sure to hear some specific examples of attacks that took place throughout 2024 and get more detail on where Mandia thinks AI cybersecurity is headed.

Novel threats and a call for collaboration

Though AI for security will be front and center at RSAC Conference 2025, it can’t be the only topic of discussion.

On a daily basis, cybersecurity teams are still plagued by rising ransomware attacks, novel threats such as malware-free attacks, which have been adopted by most threat actors, and pre-positioning attacks. While for-profit threat groups take advantage of these methods and more to compromise businesses, state-sponsored cyber attacks also continue to bite.

Against this fearsome backdrop, speakers throughout RSAC Conference 2025 will call for everyone in the industry to keep working hard and make improvements where necessary We’ll hear where organizations are making the most mistakes, what CISOs and others can do to better shore up their defenses, and to show the immense efforts of security professionals behind the scenes to stop attacks before they ever reach businesses.

We’re also likely to hear more calls for collaboration, similar to a recent plea by the former director of GCHQ. Events like RSAC Conference 2025 are a rare opportunity to bring some of the best minds in cybersecurity together to share information with peers and business leaders that can collectively improve the global cybersecurity landscape.

From the first moment of the event, attendees will be shown the best and worst of the tech world, from the defenders keeping the lights on and customer data safe to the hackers looking to steal, extort, and destroy around the clock. The technologies and techniques we take away from RSAC Conference 2025 will paint a clear picture for the coming year of cybersecurity.

ITPro's Rory Bathgate will be providing live coverage of the RSAC Conference throughout the event. Keep tabs on all the latest news, updates, and announcements via our live blog.

The world is facing an AI hurricane, and organizations must batten down the hatches by securing their data vaults and deploying "bots" to combat rogue AI. 

So warns, Matt Radolec, vice president of Incident Response and Cloud Operations at Varonis, who said that AI poses an existential threat to their organizations if they fail to control data access and police AI prompts.

"AI is the biggest opportunity and biggest threat to your organization," Radolec declared, setting the tone for his RSA Conference 2024 talk "Reducing AI's Blast Radius: How to Prevent Your First AI Breach."

Radolec, who has spent over 15 years safeguarding sensitive data from state secrets to corporate jewels, argued that the obsession with malware, threat actors, and CVEs has distracted organizations from the real prize: data. "Data is where the damage happens. Data is where you'll feel the pain of AI," he cautioned.

Drawing on real-world examples from Varonis' incident response investigations, Radolec highlighted the grave consequences of data breaches and corruption,. These were wide-ranging and included disrupting Alzheimer's research, crippling a city's utilities, all the way through to causing a literal "sh*tstorm" by compromising sewer systems.

"We all know an AI superstar when we see one, and Jensen Huang nailed it. AI is a data problem," Radolec said, quoting the Nvidia CEO. "Your data is your company's source code. It's intellectual property. It's worth a lot."

To combat the AI tempest, Radolec urged organizations to shift their focus from endpoints to data vaults, monitoring every transaction, detecting anomalies, and policing every AI prompt. He stressed the importance of granular access control, noting that the average organization has 17 million files open to all employees and over 40 million unique access control lists to manage.

"You have to police your prompts. Think about it. Has anyone ever gotten a speeding ticket or another type of moving violation? I know I have a few. Does the fear of getting one of those stops you from driving like a maniac? You have to issue tickets and take reckless drivers off the road even more so when people abuse their co-pilots," Radolec advised. “Because having weak access controls and not policing your prompts would be akin to giving every employee a Ferrari and letting them loose to race on residential streets.”

Perhaps his most provocative suggestion was the need for organizations to deploy AI and automation to combat rogue AI. "If you want to survive AI, you will need your own bots on your side. Automation and AI is the only way to combat AI. Trust me," he said, leaving the audience to ponder the impending bot wars.

Radolec concluded his talk by urging attendees to embrace their role as data protectors, reminding them: "Data is looking up at you and it's saying 'Help me RSA conference attendees. You're my only hope.'"

In a rallying cry to security professionals, CrowdStrike CEO George Kurtz warned that those who fail to embrace AI in their security operations will be left behind by relentless cybercriminals already leveraging the technology to break into networks at unprecedented speeds.

Speaking at the RSA Conference 2024 in San Francisco, Kurtz painted a stark picture of the challenges facing defenders in today's threat landscape. He revealed that CrowdStrike has observed adversaries breaking out of compromised systems and moving laterally within just two minutes and seven seconds – the fastest time recorded by the company in the past year.

"It took an adversary just 31 seconds to download their toolkit and start running reconnaissance tools, trying to exploit that system," Kurtz told the audience. "We know one of the real challenges in security is time. And we're going to talk a little bit about how we try to bend time in security."

Kurtz argued that traditional security information and event management (SIEM) solutions are no longer up to the task, bogged down by the sheer volume of data and, therefore, unable to keep pace with modern threats. He urged organizations to adopt "next-gen SIEM" solutions that integrate with security platforms, fuse data and AI automation, and provide advanced threat detection and automated response capabilities.

"The only SOC analysts that are going to be out of business are the ones that don't actually embrace AI," Kurtz warned. "Because AI is not going to do all of this, you're still going to need people to fly the planes. We're not there yet. But what I would say is, think about it, embrace it."

Highlighting the potential of AI to revolutionize security operations, Kurtz described how next-gen SIEM could automate log management, break the cost-productivity curve, and provide contextual security intelligence – giving analysts deeper insights into threats and their potential impact.

"If you haven't seen some of this stuff, and you haven't actually played with it, it's incredibly powerful," he said. "I've been doing this for a long time. And I really think it has the ability to revolutionize security, but more importantly, the operations of security."

In his concluding remarks, Kurtz emphasized the urgency of adopting AI-driven security solutions, stating: "Every time we come to an RSA, we talk about threats, and attacks and how things get worse. And I think finally, we've got some good news in terms of helping the SOC have a little bit more fun and putting some rigor and process into stopping breaches. And that is the outcome that ultimately we're here for – stop the breach."

The rapid, mainstream adoption of generative AI is increasing security risks, resulting in “one of the most complex threat landscapes ever.” 

So claims Microsoft's corporate vice president of security Vasu Jakkal, during her keynote speech at the RSA Conference in San Francisco this week. 

"Identity-related attacks have increased by 10x just year over year. Cybercrime is both a nation-state and ransomware is a gig economy. If cybercrime was an economy, [or] a country it would be the third largest GDP in the world," Jakkal said. 

Jakkal painted a grim picture of AI being a potent tool for attackers to "proliferate malware rapidly and quickly and create new variants, to password cracking more intelligently with more context." 

What’s more, she warned that bad actors could abuse AI to "prey on what makes us human - our curiosity using phishing and new techniques there."

The security boss highlighted voice imitation attacks, noting "just a three-second voice sample can train a GenAI model to sound like anyone." She also flagged emerging threats like AI model poisoning, prompt injection attacks, and risks around AI training data.

Despite the dangers, Jakkal struck an optimistic tone about AI's potential benefits if secured properly, from healthcare breakthroughs to personalized education. "Imagine if we could use AI to reach the millions and billions around the world in rural corners in education," she posited.

To better protect AI systems, Microsoft recommends a three-pillar strategy, according to Jakkal:

• Discover all AI usages and map risks
• Protect by mitigating risks through measures like zero trust and data controls
• Govern AI through risk-based policies, compliance tracking, and user education

"Governance is about human agency. It’s making sure we put ethics, [and] we put humans at the front and at the heart of technology to understand how we should build this safely, deploy this safely, and use this safely," Jakkal stated. "We need to be really thoughtful about this."

The security leader issued a call to arms for defenders to rise to the AI security challenge: "You are the heart of trust in the heart of an organization's trust in AI. You're the ones who provide a safe and secure space for exploration. You are the Yes for AI," she said. 

"I invite you to join me fearlessly, bravely, keeping security at the heart, and with care together. I invite you to freely dream big, to make our world safer, and to work together because I think it's going to be a beautiful world."

In a hard-hitting keynote at this year’s RSA Conference, Boaz Gelbord, senior vice president and CSO at Akamai, sounded the alarm over the rising tide of attacks targeting applications and their underlying infrastructure. 

Threat actors are increasingly leveraging legitimate tools and components within organizations to carry out their nefarious activities, a tactic known as "living off the land," Gelbord warned. 

Citing Akamai's latest threat intelligence data, Gelbord revealed a staggering 48% year-on-year increase in web attacks, with 29% targeting APIs. Even more alarming was the 109% surge in API attacks, a trend Gelbord attributed to the challenges of inventorying and securing these critical interfaces.

"It's hard to inventory APIs. You kind of know what your public-facing websites are, and probably have processes internally for setting those up. You know, they're customer-facing or they're user-facing,” he said. 

“It's harder for an organization to even know what all of its APIs are that are out there. And it's harder to secure them."

Gelbord also highlighted the risk posed by compromised open source components, citing the recent XZ utils vulnerability as a turning point. In this case, a widely used open source utility had been hijacked by a malicious entity, enabling remote code execution.

"This is probably the most stunning example of how those types of utilities can pose risks," Gelbord warned. 

"Luckily, there was an eagle-eyed engineer over, I think, at Microsoft who spotted this and saw some performance differences and how this utility was performing and managed to kind of alert folks before this got out into general distribution, but we don't know how many more of those are out there lurking in the wild."

Gelbord emphasized the importance of organizations adopting a risk-based approach to secure their applications, advocating for a strong understanding of how their threat models align with the various components of their applications, from code to infrastructure. 

He also underscored the criticality of multivendor interoperability and the integration of compliance efforts with technical security programs.

Concluding his keynote, Gelbord stressed the transformative potential of AI in reshaping security models, particularly in areas like identity, user authorization, security operations, and monitoring.

"AI is going to fundamentally change a lot of pieces of our overall security model,” he said. 

“The most obvious spaces, which we mentioned earlier, are identity and user authorization. This is moving very fast, but also in different places like how we do our security operations and how we do our security monitoring.”

Cyber security has reached a fundamental inflection point thanks to AI and the industry is on the cusp of massive change that is very different from what we’ve seen in the past. 

So says Jeetu Patel, executive vice president and general manager, of security and collaboration at Cisco, who used his keynote speech at the RSA Conference in San Francisco to highlight that we are quickly moving away from a world of “complete scarcity” into the opposite when it comes to resources. 

“The cyber security industry is about to have a pretty seismic change in the way that it’s going to operate…. In practical terms, all of us in the IT industry each have a certain contained set of budget every year and are expected to do a little bit more with just a little bit less,” Patel said. 

“This is the first time in the history of humanity that I think you can start to see that there might actually be us entering into a state of abundance… The ability for us to augment capacity to humans is going to be so profound and grow at such different scales and proportions to what we’ve seen before that if you had, suppose, 20 developers on your team expanding that to 100 through digital workers is not going to be hard to do and is going to be very plausible.” 

That said, with the rapid evolution of threats moving laterally across networks and AI enhancing attackers' sophistication, the need for a big shift in defense strategies is urgent, according to Patel and fellow keynote speaker Tom Gillis, senior vice president and general manager of security for Cisco. 

Patel and Gillis revealed that AI is no longer just a buzzword but a transformative tool, enabling organizations to anticipate, detect, and respond to threats with unparalleled speed and precision.

During their engaging discussion, Patel and Gillis elaborated on how Cisco is harnessing these AI advancements to forge new paths in cyber security. Patel highlighted the shift from traditional security methods towards a more integrated AI-driven approach. 

He pointed out that the infrastructures and applications requiring protection are rapidly evolving, making traditional methods less effective. The increased complexity and connectivity of modern networks demand a smarter and more responsive security strategy.

"AI isn't just an enhancement; it's becoming a necessity," Patel asserted. He described how AI can proactively address the challenges of real-time threat detection and system vulnerabilities. 

By implementing AI at the core of cyber security strategies, organizations can shift from reactive to pre-emptive security postures.

Gillis expanded on this by discussing the application of AI in network segmentation and vulnerability management, two critical areas that have traditionally been labor-intensive and prone to human error. With AI, these processes can become more dynamic and accurate, adapting to new threats as they emerge.

"Imagine a system that not only detects and reacts to threats but also predicts and prevents them before they can do harm," Gillis explained. He introduced the concept of 'autonomous security', where AI-driven systems continuously learn and adapt, ensuring that security measures evolve at the pace of new threats.

The keynote also addressed the potential risks and ethical considerations of AI in cyber security, emphasizing the importance of responsible AI use. Both speakers highlighted the need for stringent governance and transparency in AI operations to prevent biases and ensure data privacy.

The keynote presentation concluded with a call to action for all cyber security professionals: to embrace AI not as a tool but as an integral part of their security strategy. As threats become more sophisticated, so too must the defenses against them.

By integrating AI into their cyber security frameworks, organizations can enhance their ability to protect against and mitigate cyber threats, ensuring a more secure future in an increasingly digital world.

Collective defense will play an essential role in advancing cyber security and the fight against current and future threats, according to Hugh Thompson, executive chairman of this year’s RSA Conference (RSAC) in San Francisco. 

In a keynote speech to delegates, he underscored how the unprecedented pace of technological advancements demands a united front among cyber security professionals.

By sharing threat intelligence, best practices, and innovative strategies, the global community can collectively bolster defenses against rapidly evolving cyber threats, he stressed. Thompson also urged attendees to embrace a culture of openness, collaboration, and shared responsibility, emphasizing that collective efforts are pivotal to safeguarding digital ecosystems in an interconnected world.

Thompson illustrated his points by invoking the metaphor of lighthouse keepers from his native Bahamas, who historically played a crucial role in navigating ships safely through treacherous waters. He drew a parallel between the vigilant duty of lighthouse keepers and the role of cyber security professionals today. 

"The way they thought about their job was a call, a mission," Thompson explained, highlighting the continuous and essential need to 'shine a light in dark places' - a philosophy he believes should guide the cyber security community.

Further expanding on the theme of collaboration and proactive defense, Thompson said that community was critical when it comes to tackling complex cyber security challenges. "Individuals may be smart, but as a community, we are wise," he said. 

This wisdom, he argued, comes from the collective experience and shared knowledge that empowers professionals to anticipate and mitigate emerging cyber threats more effectively.

In addition to fostering community engagement, Thompson stressed the importance of embracing new technologies and trends. He pointed out the significant rise in discussions and submissions around AI at the conference, demonstrating the cyber security community's intent to integrate AI into their strategies. 

"AI is everywhere. It's present in every single sub-discipline no matter where you go," he stated, in a nod to the community's eagerness to leverage new technologies to strengthen the collective security posture. 

Thompson's call to action was very clear - cyber security professionals can better protect and secure our digital world by coming together and harnessing collective intelligence and technological advancements.

"We are formidable as a community. It is important to remember that as you're doing your jobs every day. We have such a terrific community here, and this conference would not be possible without it,” he added. 

Cryptography is at the heart of most of the modern world's defences against hackers and other cyber criminals, but the future may bring dramatic changes to encryption technology and the security tools that are built on it. Tune in to this Q&A session to find out what impact developments like quantum computing and AI could have on the future of encryption - and what that means for both attacks and defenders.

Dr. Zulfikar Ramzan

CTO, RSA Security

As chief technology officer (CTO), Dr. Zulfikar Ramzan leads the development of RSA’s technology strategy and is responsible for bringing to market innovations that protect customers from advanced cyber threats. He joined RSA in 2015 from Elastica, where he was CTO. Previously, he was Sourcefire’s chief scientist, and before that, technical director of Symantec’s Security Technology Response division. Ramzan holds more than 50 patents and a Ph.D. in electrical engineering and computer science from MIT. His doctoral advisor was Professor Ronald L. Rivest, co-founder of RSA Data Security.

Dale Walker

Deputy Editor, IT Pro

Having secured a masters degree in magazine journalism from the University of Sheffield in 2016, Dale has spent the past three years working on Dennis Publishing’s B2B technology websites, first as a staff writer, then acting features editor, and now deputy editor. A big fan of music and art, Dale often spends his weekends going to live events and exhibits across London. He's also an avid gamer and climber, and occasionally dabbles with cycling.

While you may not be familiar with the tech industry’s latest acronym, DARQ, you’ve probably heard of its constituent components: distributed ledger, artificial intelligence, extended reality and quantum computing technology. Three of those four could be set to have a significant impact on the future of security, with possibilities including unbreakable encryption algorithms, AI-enhanced cyber attacks and much more.

In this week’s episode of the IT Pro Podcast, we’re joined by RSA CTO Dr. Zulfikar Ramzan to dig into the future of these technologies, and the effect they could have on cyber safety. We discuss why blockchain is the Betamax of distributed ledgers, the cost of a quantum attack, and why your next compliance officer might just be a robot.

Footnotes

• IT Pro Live: The future of encryption
• Why humans and machines work better together
• The IT Pro Podcast: Is AI the snake oil of the 21st century?
• Quantum security: The end of security as we know it?
• What is quantum computing?
• IBM hits new quantum computing milestone
• Transforming training with virtual reality
• Is IT regulation in the DARQ?
• Quantum security: The end of security as we know it?
• Do we need an algorithm police?
• What’s next for e-commerce?
• The IT Pro Podcast: Attack of the AI hackers

Subscribe

• Subscribe to The IT Pro Podcast on Apple Podcasts
• Subscribe to The IT Pro Podcast on Google Podcasts
• Subscribe to The IT Pro Podcast on Spotify
• Subscribe to the IT Pro newsletter
• Subscribe to IT Pro 20/20
• Get in touch with the podcast

Dell Technologies has sold its RSA security business unit to a consortium led by private equity firm Symphony Technology Group (STG).

The $2.075 billion (£1.6 billion) all cash deal is expected to close by the end of the year.

Rumours that Dell Technologies was selling off RSA – which it absorbed as part of its 2015 merger with the EMC Federation – began swirling yesterday, with the definitive agreement being announced overnight.

In a statement, William Chisholm, Managing Partner at Symphony Technology Group, said in a statement: “As one of the world’s elite security brands, RSA represents a great opportunity for solving some of the rapidly developing customer challenges that go along with digital transformation.

“We are excited and fully committed to maximising the power of RSA’s talent, expertise and tremendous growth potential and continuing RSA’s strategy to serve customers with a holistic approach to managing their digital risk.”

Jeff Clarke, Chief Operating Officer and Vice Chairman of Dell Technologies, added: “This is the right long-term strategy for Dell, RSA and our collective customers and partners. The transaction will further simplify our business and product portfolio.

“It also allows Dell Technologies to focus on our strategy to build automated and intelligent security into infrastructure, platforms and devices to keep data safe, protected and resilient.

18/02/2020: Dell to sell RSA security business – reports

Dell Technologies is on the brink of selling its RSA security business, according to reports.

The organisation, which was founded in 1982, came under the Dell Technologies umbrella as part of Dell’s merger with the EMC Federation back in 2015.

Since then, it has continued to operate under its own brand, although unlike VMware it’s wholly owned by its parent company.

According to The Wall Street Journal, a $2 billion (£1.5 billion) deal with private equity firm STG Partners is on the table and could be finalised as early as today. According to Dell Technologies, RSA boasts 30,000 customers in industries ranging from financial services to consumer goods.

The news comes just six days before RSA’s annual security mega conference kicks off in San Francisco. The event typically draws thousands upon thousands of security professionals from around the world.

IT Pro contacted Dell Technologies for comment but hadn’t received a response at the time of publication.

This wouldn’t be the first time Dell sold off one of its business units to a private equity firm. In June 2016 a deal of a similar size saw the company’s software division – including another security asset, SonicWall, spun off to Francisco Partners and Elliott Management.

The move also comes just two years after details of a reverse merger of VMware leaked into the public sphere. That deal was finalised in December 2018, returning Dell Technologies to being a publicly traded company.

Rumours of the sale of RSA will overshadow the company’s first big enterprise product announcement of the year. Earlier today, the company released details of a new two new Dell EMC products, the PowerEdge XE2420 server and Modular Data Center Micro 415, as well as the Dell EMC Streaming Data Platform for analysing data streams from edge computing, and Dell EMC iDRAC9 Datacenter software for data centre management.

Pure Storage is set to invest in more tools and support resources for its channel partners as it attempts to increase its European market share, the company told partners at its annual Accelerate conference in Austin, Texas.

The company, which is entirely channel-driven, is just over a year into its new channel partner programme after introducing it at Accelerate 2018. The programme is based on a two-tier model: the entry-level 'Preferred' partners, and the invite-only 'Elite' tier, which includes minimum criteria such as a certain number of customers, technical competencies and certifications.

According to IDC reports shared with reporters, Pure is ranked fourth in the enterprise storage market in regions including the UK, France, Germany and Italy. The company is looking to increase this market share, however, and has a number of key strategies for how to do so.

One of them is increasing Pure's brand awareness within EMEA - as Pure's VP of international James Petter said, "One of the things we do find across EMEA and other regions is [potential customers saying] 'Who are you?'". Another element that Pure hopes will draw in more customers is its growing support for multi-cloud deployments, but the biggest driver - according to Petter - is increasing the productivity of its channel.

"The third area is clearly, and probably most importantly, get partners to not just sell once but to do repeat purchases. So our partner class and those selling on our behalf, we've got to build them."

In the interests of this, Pure is investing in more technical support resources that partners can draw on when building solutions for customers, and Matthieu Brignone, Pure's area VP of partners for EMEA, explained how much progress the company has made in this regard.

"At the last Global Partner Forum, we had questions about partner support; we had no one dedicated to the channel in Europe. We were leveraging the system engineers organisation to basically support the partners. As the company grew, we created a team, a technical team, that we called CTM - channel technical managers - whose goal is only to look after partners and partners enablement," Brignone said, "and we are going to grow a bit more in the next few months."

Partners will also benefit from access to actual systems, allowing them to accurately gauge the suitability of various configurations for their customers, Pure's VP of partners and alliances Michael Sotnick revealed.

"So what we announced yesterday at the Global Partner Forum is the availability later this quarter - so for us that ends 31 October - of the performance sizing and capacity sizing configuration for the FlashArray X10 and X20 for the partners," Sotnick said. "We're going to put systems into the hands of the partner technical community, so that they can size for performance and capacity, the right solution for their customers. And then have the sales teams of the partners and the distributors be able to price and quote that independently."

One of the other announcements to come out of the Global Partner Forum was the news that over 700 members of Pure's partner community have achieved certification since the programme was launched last August. Not only that, but the programme requirements themselves have also been freshly updated.

Among the changes is the fact that Pure's Elite partners are now required to have two architects - although Shawn Rosemarin, VP of worldwide systems engineering has now mandated that all Pure systems engineers now have to achieve the same level of certification as partners.

For Computacentre chief technologist Bill McGloin, although Pure still has some work to do around communication and transparency, the company is moving in the right direction with its channel strategy.

"We had several asks of them," he said, "just to have more visibility of them and more visibility within our professional services and education. The same argument applies to several other vendors, however. NetApp has done it well, I think. Because Pure came to market as a real disruptive vendor, and they've become a mainstream vendor now and they're a target for disruption, I think there was an element of growing pains for them, because they grew really rapidly. I think they're coming through that now."

From Pure's channel chiefs, the outlook for the future is bullish too, and Sotnick took a firm stand on the potential of the company's channel as a pace-setter for the industry.

"What we announced last year, we're coming good on this year," he said, "and that is the ability for our Elite partners, on an invitation-only basis, to take the strong front-end margin and brand promise that Pure delivers, and also have a very structured back-end incentive. And we've deployed that across many partners in EMEA and globally."

"I think we can define enterprise multi-cloud infrastructure to the market. You look at Evergreen, when you look at the Cloud Block Store, unified subscription across Cloud Block Store and Pure as-a-service, there's really nothing matching it in the market. And I truly believe we have the opportunity with our partners to define enterprise-class multi-cloud."

An undercover security unit which infiltrates groups of cyber criminals has unearthed an alarming rise in fraudulent transactions carried out via mobile apps.

The findings, published in RSA's latest global fraud report for Q2 2018, found that from 1 April to 30 June, the fraudulent activity carried out via mobile browsers and applications made up 71% of overall fraud transactions, an increase of 16% on the previous year.

The report also highlighted the rise in rogue mobile apps, identifying 9,185 that have become the most common vehicle for attacks, with fraudsters using burner devices and throwaway accounts to carry out their endeavours.

These burner devices or fake accounts used by hackers also contributed 27% of the total value of fraudulent payments despite just 0.4% of legitimate payment transactions being attempted from a new account or device.

A burner device is usually an affordable mobile phone that can be used temporarily until it is deemed 'burned' meaning it is too risky to use. These devices can be purchased with prepaid minutes and without any contracts, allowing the user/users to easily mask their identity. This method of theft is particularly lucrative, with the report stating the average fraud transaction is now valued at $355.

During the undercover operation, the unit also recovered nearly 5.1 million unique compromised cards and card previews from reliable online fraud stores and other sources - a 60% increase in the volume of cards recovered by RSA in the previous quarter.

The report also warned of "human-not-present" fraud, highlighting how autonomous machine purchases will result in new authentication challenges for consumers, banks and merchants who will have to change their behaviour to better manage the risk.

"The modern techno-philosophy seems to be moving rapidly toward increased frequency and depth of automation directed toward tasks that traditionally required human participation, thus giving rise to a new age, one consisting of 'Human-not-present' transactions," the report stated.

Hackers are real and they're going to kill you - apparently.

How are they going to kill you? Well, the possibilities are endless they could take down your entire country's critical infrastructure with malware. They could take control of connected cars and turn them into missiles. If you're in hospital, they could maybe turn of your dialysis machine or life support. Maybe they could explode entire city blocks (in some ill-defined way).

That we should all be very afraid was very much the message delivered in the first 20 minutes of the opening session of RSA Conference 2017. If you weren't familiar with the sales tactics of the information security industry, you may well have fled the auditorium to dig a bunker.

Underneath the hyperbole, though, there were some solid themes and grounded, realistic arguments.

As expected, IoT security and ransomware were flagship topics of conversation. Unsecured IoT devices were recruited into a massive botnet last year Mirai and it would have been remiss not to talk about that.

Similarly, ransomware is on the rise, thanks to its low-risk, high-reward nature and it was refreshing to hear people openly discussing the fact that, actually, sometimes it's easier and even cheaper for businesses to pay the ransom than not, even if they have other options. Negotiation is as valid an option (for businesses at least) as any other.

I was also pleasantly surprised to see the issue of nation state hacking tackled head-on. While this has been discussed before in more nebulous terms, normally in relation to alleged IP theft by China or ad-hoc attacks by North Korea, to hear Russia repeatedly called out for undermining the US democratic process was new.

Of course, the scenario is new in the US at least but with domestic political tensions as heightened as they are I suspected that speakers would be more circumspect in their allegations. Not so even chairman of the House Homeland Security Committee in the US spoke openly about it.

Aside from the keynotes and big ideas, I also managed to catch a bit of time on the show floor and fringes chatting to vendors and others in the community about the lay of the land within the industry right now.

What I heard, as I heard last year, was a lot of disgruntlement. In 2016 I was told of a coming "shakedown" to counter companies effectively just taking the Virus Total database and selling it on to customers. Apparently this has happened, but a number of vendors are still not happy.

The object of their ire now is something that was bubbling under last year too: decades-old tech being positioned as cutting edge. A true problem or jealousy amid vendors? Maybe a bit of both, but the impartial observers I spoke to seemed to lean towards this indeed being a problem of some significance.

So what can IT professionals and businesses take away from all of this? Well, despite the cataclysmic tone the security industry adopts for every new hack, there's actually a lot of hope.

Organisations mustn't be defeatist about their security operations preparing for the eventuality of a breach doesn't mean accepting it's inevitable - and businesses must still erect strong cyber security defences. But they must also be realistic: any cyber incident plan must incorporate both line of business and IT departments (or, at least, managers), with buy-in among all. And if there's a ransomware incident, make sure you know who will make the decision to pay or not. Trying to work that out on the day is not a good plan.

Finally, quantum computing and (more immediately) blockchain look like they will be able to offer new and more rigorous forms of secure data transfer and storage than the binary-based cryptographic systems we use now.

Security is a fast-moving sector and there's a lot to be excited about. But let's all calm down about the cyberpocalypse, for now at least.

Image credit: IT Pro/Jane McCallion

Eric Schmidt, chairman of Google's parent company Alphabet, has admitted he got off on the wrong foot with AI.

Speaking at RSA Conference in San Francisco, Schmidt explained he had reservations about the technology, saying he didn't think it would scale or be general purpose enough to be useful. But, he said he "was proven completely wrong", according to Fortune.

With Alphabet having made an incredible amount of progress in the field, however, with the triumph of AlphaGo being one of its most recent public successes, Schmidt has changed his tune.

While stating that the technology is still in its infancy, he said he now understands its potential to fundamentally change the world.

AI now is able to emulate very complex processes, he said something that he had underestimated but acknowledged that we are still many decades from anything like human intelligence.

Nevertheless, AI has the potential to significantly improve our lives even in its current state.

"Things that bedevil us like traffic accidents and bad diagnoses in the medical system are going to get much better," he said, according to CNBC. "I will stake my reputation that that's going to be the real narrative over the next five years."

As for the development of AI and machine learning, Schmidt said it must be done out in the open, and not left to the military to develop.

Sounding a similar tone to Brad Smith earlier in the week, Schmidt argued that there needs to be some kind of multilateral international agreement not to use AI to weaponise the internet.

Image Credit: LeWeb on Flickr

Everyone knows the mantra: if you're infected with ransomware, don't pay up as it just encourages more attacks.

By paying the attacker, the theory goes, you're proving that their method of extortion works that they will make money (potentially a lot of it) by holding data hostage.

However, at this year's RSA Conference, there's been a shift in tone within the security community. While nobody is outright advising businesses, or individuals, to pay up, they are acknowledging that many companies that fall victim to a ransomware attack do just that. Indeed, a survey by IBM towards the end of 2016 showed around 70% of companies affected by ransomware have paid to get data back, with payouts reaching the $1 billion mark that year.

Why businesses pay

There's one strong business imperative to pay ransomware: it's less expensive to cough up than it is to hold out against the attackers.

"You may say 'look, we have a business principle here, we're not going to pay the bad guys'. But if you're confronted with the business reality of paying the bad guys a few Bitcoins versus being offline or losing millions of dollars worth of data, your business principle might give way to the business reality of having to pay the ransom," said Ed Skoudis, an instructor at the SANS Institute, during a panel titled The Seven Most Dangerous New Attack Techniques.

Marcin Kleczynski, CEO of Malwarebytes, gave the example not of crypto ransomware, but of a DDoS-based ransom attack, where a business is taken offline until a ransom is paid.

Speaking to IT Pro, he said: "Imagine a botnet being pointed at an airline's ticketing website, which produces tens-of-millions of dollars in revenue per hour. I [as the botnet controller] say 'this will continue unless you pay me $1 million now."

"$1 million is much less than the $10 million it makes per hour, so why not extort that kind of money?"

Indeed, having a backup and recovery system in place is no guarantee that a company won't pay the ransom, even though in theory it should negate the need to do so.

Jeremiah Grossman, chief of security strategy at SentinelOne, told IT Pro: "What we find in [our] research, of those who pay the ransom around 50% actually have backups. So the backups aren't a panacea.

"What happens is, say you have the backups but the bad guys have encrypted 1,000 of your machines. IT says 'yeah, we'll recover, no problem in a week'."

If the ransom is only $50,000, Grossman said, then they "write the cheque", as it's more expedient and quite possibly cheaper.

Ransomware, consumers and the IoT

For businesses that do end up hit by ransomware, there is at least some consolation in the form of cyber insurance an industry that's currently raking in an estimated $3 billion in the US alone as well as access to sophisticated defensive tools and backup and recovery.

For consumers, the situation is a little more bleak.

"[They're] going to get left out for a while," said Grossman. "There's nothing out there for the consumer yet. It's going to be unfortunate while the enterprise can leverage cyber insurance, crisis management teams to negotiate, high-end, really next-gen antivirus, there's no equivalent for the home user. They're really going to be on their own and that's really going to be pretty nasty."

As well as being nasty, it could also be a very expensive experience. While now it may be a consumer's computer or phone held to ransom, with the IoT the potential targets will expand dramatically. What's more, consumers may be left with no option but to give into the cyber criminals' demands.

"If ransomware were to reconfigure or encrypt the control architecture of Internet of Things devices, we have a big problem," said Skoudis.

"What would you pay to turn your lights back on? What would you pay to turn your heat back on? Or your car you want to drive your car to work today? You're going to have to pay ransomware for that."

CEOs are worried that complexity may be undermining their companies' security postures, according to Michael Dell.

Speaking alongside RSA CTO Zulfikar Razman on stage for the opening keynote of RSA Conference, Dell told the audience that security is the number one issue for businesses today.

"When I talk to CEOs and boards, this is an issue that's of high concern for them," said Dell. "They're concerned about complexity of their security posture and how they can manage the risks. They need to bridge this 'gap of grief' that you talked about.

"CEOs aren't talking about cross-site scripting or malware injection, they're talking about the business risks and for them it's really a business issue and they want to know how it can be addressed and how they can secure their environment."

Dell also said IT is "breaking out" and becoming business technology, rather than information technology, with the IoT, Big Data and AI-driven analytics playing significant roles.

"When you think about what's going on in the world today with the cost of making something intelligent approaching zero ... and this digital transformation, with all the computer science overlaid on top of that data ... that's a tremendous opportunity," said Dell. "[But] at the same time it has to be done securely."

Dell added that from conversations he's had with both political and business figures, the global economy is no longer their main area of focus. Instead, it's digital transformation, which is radically changing all areas of business life.

"We really feel like we're enabling this next wave of human progress and for me that's a really exciting place to be," he concluded.

Razman said this year's conference was "truly special", as it was the first since Dell acquired EMC, of which RSA was a part, becoming Dell Technologies.

Features editor Jane McCallion is on the ground at RSA Conference 2017 in San Francisco all week. Follow her on Twitter for live updates and bookmark our dedicated page for more coverage from the business security conference.

Image credit: Jane McCallion

Security professionals need to come together with business decision makers in order to find solutions that can serve the needs of both. That's according to Zulfikar Razman, CTO of RSA.

In his opening keynote at RSA Conference 2017, Ramzan talked up the need for "business-driven security", which brings the needs of both together through collaboration.

"Security isn't just a technology problem, it's a business problem," Razman told the several thousand delegates in attendance.

"The inability to draw connections between security details and business metrics is what I call the gap of grief. Corporate executives don't care if an incident involved SQL injection or cross-site scripting. They'd like to understand the business implications."

There are three key elements to making business-driven security work, said Razman. First, risk should be treated as a science, not a dark art, using consistent and rigorous methods for analysis. Second, businesses should simplify what they control for example, the number of different security solutions they use.

"I spoke to one chief information security officer recently who has 84 different security vendors. Eighty-four! How do you manage that many vendors? How do you justify to your board and executive suite the return on investment from these vendors? You can't," said Razman, urging companies to only use those that truly bring value to their business.

Finally, organisations must plan for "chaos they can't control", said Ramzan, which means an incident response plan that has the 'ABCs' availability, budget and collaboration.

On availability, Razman said an incident response plan shouldn't be a wishlist; it needs to be solid. "It sounds obvious, but it's such a common mistake," said Razman, giving the idea of putting "empty fire extinguishers in every hall" as an example of good intentions that will in fact be useless in a real emergency.

Budget, he added, is absolutely vital, because there will be unexpected costs.

"An incident response plan without budget authority is a fairytale," he said.

The final element collaboration is important because every department, from finance to legal to marketing and others all have important roles to play when an incident takes place. Therefore, these teams must be working together beforehand, during the planning phase.

"People will be working 24/7, camping out at the office. That's not the time for introductions," said Razman.

Features editor Jane McCallion is on the ground at RSA Conference 2017 in San Francisco all week. Follow her on Twitter for live updates and bookmark our dedicated page for more coverage from the business security conference.

Image credit: Jane McCallion

Russian-speaking criminal gangs are responsible for over 75% of crypto ransomware, new research announced at RSA Conference 2017 claims.

A total 47 of the 62 new crypto ransomware families discovered by Kaspersky Lab in 2016 can be tied to Russian-speaking groups or individuals. This conclusion is reportedly based on "observation of underground forums, command and control infrastructure, and other artefacts".

"It is hard to draw strong conclusions on why so many of the ransomware families out there have a Russian origin," wrote senior malware analyst Anton Ivanov in a SecureList blog, "but it is safe to say that this is because there are a lot of well-educated and skilled code writers in Russia and its neighboring countries."

Ivanov also cited the fact that Russia has a strong history of ransomware, linking the current epidemic to a wave of attacks from 2009 to 2011, which blocked access to browsers and operating systems in exchange for a fee. "The epidemic withered for a number of reasons," he said, "but it seems that experienced ransomware criminals haven't disappeared".

Other statistics revealed as part of the research include the fact that in Q3 2016, an individual was hit with a ransomware attack every ten seconds while a business was attacked every 40 seconds. Furthermore, one in five SMBs who ponied up the cash for the ransom still did not get their data decrypted.

The news comes at a time when fears of Russian hackers are at an all-time high. Debate still rages over whether or not Putin ordered state-sponsored hacks during the US election, and President Donald Trump's top national security advisor, Michael Flynn, resigned just this morning over leaks showing he had held discussions with the Russian ambassador over sanctions, before allegedly trying to cover the discussions up, though Flynn said he had accidentally misinformed the president over the nature of his talks.

Although 2016 was my first year at RSA Conference, it was easy to predict what would be the main topic for the keynotes and many of the sideshows.

The San Bernardino iPhone case was burning red hot and was one of the most controversial issues to hit the security scene in a long time. It demonstrated the delicate balance between security and privacy, and how vendors aim to maintain that equilibrium.

To say this year is be more unpredictable is an understatement. First, there's not one issue to focus on, there are dozens. The big political news has, of course, been the hacking of the Democratic National Committee servers, allegedly by Russia.

The issue of one country accessing data stored in other jurisdictions has once again raised its head in a US court, with Google this time being the target of the suit (the similar Microsoft case was ongoing this time last year, but Microsoft won the case last month).

Next, the political situation across the US and Europe is in such a state of flux, that there's not even a policy aspect that can definitely be pinned down as the hot topic of the day, with one possible exception the searching of electronic devices in US airports.

Stories now abound of security services holding people until they unlock their smartphones. Even a NASA scientist has reportedly been caught up in the furore, according to the Verge, prompting the space agency to issue him with a new device and phone number.

I also have it on good authority that there will be discussions around the behaviour of the NSA at the fringes of the conference, even if they're not a topic for the main keynotes.

There are also, of course, less controversial topics to discuss. Ransomware is a word on every vendor's lips at the moment, so it's unlikely to go unmentioned. Similarly, one of the biggest incidents of the past 12 months the rise of the IoT-powered botnets, specifically Mirai surely won't be overlooked.

Even if it's hard to predict the topics of discussion this year, RSA Conference 2017 will nevertheless prove informative and interesting (it always is). Be sure to check back here from Tuesday onwards for the latest updates from the event, and follow me on Twitter for live updates from the keynotes, the fringes and the showfloor.

Image credit: Jane McCallion

Third-party relationships can pose a significant security challenge for businesses, with a clear delineation of responsibility needed to help avoid pitfalls, IT Pro has been told.

Speaking at EMC World 2016, Rob Sadowski, director of market insight at RSA, told IT Pro that while the supply chain has always been a potential vector of attack for businesses, the number of connected devices in use in any organisation is making it more complex to deal with.

"I think that fortunately this is an area where people are starting to at least recognise that this is a challenge, so it's not that they are completely blind to this idea. But, how do they really wrap their heads around it?" said Sadowski. "What third party relationships do they have? Just cataloguing that is a tremendous challenge."

Even once the number and nature of each third party relationship is established, however, there can still be confusion over who is responsible for certain areas. Indeed, this is something that could go unnoticed for years until one party suffers a breach and each believes it was the other's responsibility to ensure it didn't happen.

"I think that's often the most challenging part - who are the third parties I work with, what are they supposed to be doing, and are they actually doing it?" said Sadowski.

"It becomes a very difficult task and one that, especially as things get more reliant on service providers, really requires a bit of automation and a good process, because third-party risk is really growing significantly as part of the organisation's overall risk profile," he said.

Help is at hand, however, and this issue is being increasingly recognised by standards bodies, which are beginning to incorporate it into their guidelines.

"I think you see in some of the more progressive standards that are out there," said Sadowski. "Take, for example, the PCI Data Security Standard -- in the most recent revisions of the standard, there haven't been a lot of changes to core control objectives and things like that.

"Where some of the evolution has been is in how covered organisations deal with third parties [such as] clearly asking them ... [to] define who is responsible for what requirement and get acknowledgement from them that they are responsible."

Tech leaders have hit out at government snooping and attempts to break encryption on the first day of RSA Conference 2016.

On the same day that Apple once again came face-to-face with the FBI in a court hearing in LA, down the coast in San Francisco, Amit Yoran, president of RSA, used his opening keynote to criticise governments for allowing intelligence and law enforcement agencies to dominate the security conversation.

"We need governments to enact policies that help, rather than hinder security, providing opportunities for talent development," he told delegates.

Yoran said that the aims and perspectives of such agencies are "radically different" to those of people trying to defend networks, and said policy proposals such as weakening encryption "boggle the mind".

"In an era when cybersecurity is consistently cited as the single greatest threat to our way of life - above terrorism and all else - how can we possible justify a policy that would catastrophically weaken our infrastructures?" asked Yoran.

"Weakening encryption is solely for the ease and convenience of law enforcement when they are pursuing petty criminals. No credible terrorist or nation state actor would ever use technology that is knowingly weakened. However, if you weaken our encryption you can sure bet that the bad guys will use that and exploit it against us," he added.

These thoughts were echoed by Brad Smith, general legal counsel at Microsoft, who took to the stage after Yoran for his own keynote.

Smith reflected on not just the big hacks of the past few years but also the terrorist attacks that hit Paris and San Bernardino in late 2015.

"People went to work [the day after these attacks] debating whether this meant new steps needed to be taken for technology, for surveillance, for encryption," said Smith. "We live in a world where every week there is a pendulum and the question is, which way will the pendulum swing on these issues that affect us?"

Smith argued that it was impossible to ensure people's security in real life if their security cannot be ensured online.

"The internet started out two decades ago as something people talked about as a different space - cyberspace, as if it were disconnected from real space and the real world. Well, what we've learnt today is that if people want to shape and impact what happens in the real world, they go to the internet," said Smith.

"This has affected everybody - governments around the world studied the Sony case and they realised that there is no such thing as national security in this decade without cyber security. We've realised that hence we need to keep information secure. One thing is clear above all else - people will not use technology they do not trust and hence trust is the absolute foundation for our entire industry and it needs to remain that way," Smith concluded.

Smith and Yoran's comments also come on the same day Theresa May introduced a new draft of the Investigatory Powers Bill to Parliament. The new text still contains a controversial provision that would oblige companies, including RSA, Microsoft and Apple, to remove encryption at the request of law enforcement agencies.

IT security can often focus on patching software flaws and ensuring that network hardware is as fortified as possible, but is that the best solution?

We sat down with Drew McAdam, a keynote speaker at last week's RSA security summit in London, who says that one of the biggest security flaws could be right under our noses.

"It's all very well looking at the computer side of it," he says, "but an expression I heard once was PEBKAC", referring to the infamously snarky error code used by long-suffering IT departments. It is used to highlight issues caused by user incompetence, and stands for Problem Exists Between Keyboard and Chair'.

"It's the human side of things that I'm interested in I know that it comes down to individuals the psychology behind them". According to McAdam, that behaviour is the same worldwide: "That's where there's a weakness, which is probably often missed out".

His interest is perhaps not that surprising; McAdam is a mentalist, a quasi-magician who uses psychology, observation and behavioural analysis to deduce information about people. However, while the worlds of stage entertainment and infosecurity may seem quite different, they have more in common than they appear.

McAdam claims that the techniques he employs as part of his act can also be used by potential intruders to gain sensitive information, including passwords and other credentials. He demonstrated just how easy this was, deducing our writer's childhood house number in around a minute.

The reason he can do this so efficiently, he says, is that "only 27 per cent of all communication is verbal; the rest uses non-verbal cues." This includes things like body language and involuntary micro-expressions, and as a result, "you're giving out information all the time."

"The vulnerability is one that I use all the time on stage," McAdam says. This kind of cold reading' is one of the key components in a hacker's arsenal: the way you choose your passwords and PIN codes is based on your personal psychology, so "by getting inside your head I can work out the best way to attack."

Phishing is a good example of this phenomenon in action. Phishermen try to entice victims into clicking malicious links by examining targets and thinking "what is that person interested in, what's going to hit their hot button?"

On a basic and uninspired level, this is what the 419 scammers behind the Nigerian Prince' emails in your spam folder are trying to do, by using the broad appeal of money to lure in unsuspecting marks.

However, these attacks can often be highly sophisticated. The more information they have about you, the more convincingly these fraudsters can bait their hooks and, according to McAdam, getting this information has become frighteningly easy.

"Most of what mentalists do is based on what fake spiritualists and mediums and talkers to the dead were doing 150 years ago. They obviously didn't have a social network, but they could get information by other methods," McAdam says.

This used to be done through a combination of shrewd observation and guesswork. Now, however, McAdam suggests people are giving away pieces of the security jigsaw puzzle through social media - whether that be Facebook, Instagram, Twitter or another platform.

This willingness to publish reams of information has made fraudsters jobs exponentially easier. And much detail can be gleaned as a result of just a little research.

This often lo-tech method of exploiting not the systems themselves, but the people operating them is known as social engineering'. It's not a new technique by any means in the late 1990s, Kevin Mitnick used it to become the world's most famous hacker,' allegedly gaining access to dozens of systems.

However, what worries McAdam is the increasing prevalence and prowess of this form of attack. "As far as I can see, people are becoming more skilled at that now," he observes, stating that the best method of entry is to "get somebody to open the door for you. It's that simple."

The numerous security flaws caused by the squishy bit in the middle' aren't just low-level risks, either. According to Verizon's Data Breach Investigation Report 2015, 95 per cent of attacks on web applications involved intruders simply walking in with stolen credentials.

McAdam sees the logic of this approach. He elaborates on the reasoning behind taking this method as opposed to other options like brute-force attacks by quoting Houdini: "Why pick the lock, when you can get the key?"

The famous escapist is an apt comparison, as McAdam explains. "[When it comes to] the guys that are trying to get into these things, a lot of people would think it was ego... But what it really comes down to is people, very like myself, like solving puzzles."

Although increasing links have been found between hackers and organised crime, McAdam believes that the principal drive behind their activities is not financial but psychological.

Rather than breaking into systems for greed, the mentalist thinks they are instead motivated by the challenge of thinking "Can I do this, how can I do this, is there a better way? Now they've put that in place, can I get round it, can I get under it, can I get over it?"

This theory is lent credence by the large amount of legitimate hacker conferences such as Black Hat and GrrCon. At these events, security experts and hackers come together from all walks of life; not only those that exploit network vulnerabilities for profit, but also white hat hackers, who use their powers for good.

McAdam, however, thinks that these conventions represent a source of untapped potential. "I think you need to know your enemy. Forewarned is forearmed."

He suggests using such gatherings t to identify potential troublemakers before they act. "I would be using social engineering," he says. "[It's about] watching these people, watching the body language to work out who the guys we want to be talking to on a personal level round the back of the building [are]."

He also brings up the fact that so much is carried out remotely, with threats treated as abstract concepts. "These are human beings, therefore they have human weaknesses. So we need to know who they are, what they're doing, what it is that motivates them," he says.

Although security breaches caused by these accidental leakages are an ongoing problem, McAdam believes that there are steps that can be taken to fix it. He suggests that simple training should be implemented, including just getting people to take a step back and think about the subject.

"Everybody's concentrating on, for example, emails coming in, phishing; should I click on that, what's the URL. That's fine, we've all been trained in that." But, he says, people need to be more aware of the malicious ways that the smallest scraps of data can be used.

He aims to change that via his appearances at events such as the RSA conference "Hopefully," he says, "people will go away thinking 'it's much easier to get information than I thought it was.'"

Though he readily admits that he's no expert when it comes to the nuts and bolts of IT security, McAdam feels that too much importance is sometimes placed on fixing the software problems rather than the human errors that cause them. "That's the [real] weakness. It's people. It all comes down to people," he concludes.

The market place is busy, it always is. Buyers and sellers in large numbers congregate to discuss transactions.

CCp7: "Hello, what's up?"

Ghoira: "I need New York, full info!"

CCp7: "Do you have CC for sale?"

Ghoira: "I have CC from UK and USA. I want to buy USA full info."

CCp7: "Cool, maybe we can trade!"

Ghoira: "You got full info from NY state?"

CCp7: "How much do you want for USA credit cards?"

Ghoira: "I want only from NY!"

CCp7: "Yes, I have few. Oh so I need to look for NY!"

Ghoira: "Yes, the only ones U need. And I don't want money. I want to exchange."

CCp7: "OK, can you provide samples? I need proof that you have them."

Ghoira sends over details of what he is offering. CCp7 knows this is the real deal.

CCp7 continues the conversation but he's not buying. He doesn't intend to buy. Ever. He never wants to purchase what's on offer in the marketplace.

He is, in fact, one of several intelligence analysts working for IT security company RSA. What the seller (Ghoira) is offering are credit card details. Thousands of them. Hacked from some unsuspecting business.

There are hundreds of such sellers in this online marketplace, with such conversations and transactions carried out in anonymous chatrooms. The business is very lucrative.

These analysts work in a non-descript building in Herzliya, north of Tel Aviv, Israel. We are not allowed to film, take photos or identify these people in any way. The work they do here means they are subject to very real death threats from the cyber criminal fraternity. This is a serious business on both sides of the fence.

"They are tracking the underground, they are in the underground. [They are] looking at forums, looking at what the bad guys are doing," says Oren Karmi, head of cyber intelligence at RSA as he shows us into a room where the analysts sit behind displays full of IRC chat windows.

"These are the good guys. They are responsible for making quite a few fraudsters upset and they can hold a grudge."

Where the money is

Karmi explains why the criminals do what they do. "The most basic thing is their need to make money," he says.

One the most popular ways for fraudsters to publicise their wares is through using IRC, according to Karmi. Analysts stop by these to listen in.

"Fraudsters use it to talk with each other and present their goods. This can be compared to a market. People shout; try to sell their wares. It is a great place to find someone to talk to, to get a bit of info," says Karmi.

An analyst shows us a chatroom. He explains a criminal has infected computers he can access remotely. The fraudster can install malware on these machines or enable access to it for a willing buyer of his services.

"I have fresh USA dumps without PIN for shopping", says one fraudster in a chatroom. A dump' is a slang word for stolen credit card information and usually contains among other things; name and address of the cardholder, account number, expiration date, verification/CVV code.

Daniel Cohen, head of Knowledge Delivery at RSA, explains that fresh dumps means the fraudster has stolen relatively new credit card information in the last couple of days. These dumps are much more valuable as the victims may not have had the time or the knowledge to cancel the cards.

In much the same way that police officers go undercover to find out more about criminals, the analysts go into private chat rooms with fraudsters to ask for samples to extract as much information and intelligence from the bad guys.

In these chat rooms, the business of crime is conducted. As with any business, it has its sales patter. "Super-fresh dumps" usually means credit card details stolen within the last hour.

It takes a lot of time to build up trust with these criminal. Analysts have spent years in the chat rooms gaining the confidence of the fraudsters. But it is not an easy task. The trouble with IRC is that aliases are not persistent. A criminal can have one name one day and the next a totally different one. The analyst can piece together enough information to spot the regulars, even if the names change.

Karmi says that criminals try to buy from people they trust or build up a good reputation. But, because nicknames can be changed at will on these channels, building that reputation or gaining trust is more difficult.

As the internet has grown up, so have the criminals. IRC is used by criminals as a basic way of connecting and talking to each other. Eventually though, they find more efficient ways of doing business. Forums have sprung up to host these communities. These forums hide in the darknet, using the TOR network - something that is not easily accessible by normal internet users.

The forums benefit the fraudsters. According to Karmi, they act as a platform to enable the sharing of knowledge between other fraudsters about specific methods as well as helping them solve each other's problems.

"This is a much more convenient place to sell your ware because here they just shout and there you can have a much more convenient way to publicise yourself," he says.

"The first thing you can see on a forum is that they [the fraudsters] have banners, they advertise." Karmi adds that on the forums criminals can maintain a single identity that they can build up to gain a good reputation. This helps them sell their wares.

While criminals consult with each other on how to commit crime, they are not the only ones to benefit. Karmi says the people hosting these forums also get a piece of the action.

"They offer escrow services and other ways to get a nice percentage of everyone's fraud," he adds.

"Just organising this service for fraudsters can be very beneficial even if you don't commit the crime yourself," he says of the people running criminal forums.

The criminal community organisers and their escrow services also combat a problem for criminals, mainly rippers. These are criminals that scam other criminals.

The people that run forums will hold onto money while a transaction goes through to prevent rippers from making off with money and leaving the criminal out of pocket. The people running the escrow service take their percentage.

These communities must realise that firms such as RSA are infiltrating them. Karmi warns that the communities themselves are more and more closing themselves off from the outside world to protect themselves. Gaining entry to them means having someone vouch for you, having recommendations from other people or having people responsible for you.

Getting in

Once on the inside, the analysts can start carrying out their work. Usually this involves getting a criminal to share some information on stolen cards. This helps in identifying a breach.

"We ask for a sample to see if they are the real deal. He'll send us a batch. If we can get a number of cards from a single batch, in most cases we can identify the single point of compromise, because we are trying to help identify the compromised merchant," says Karmi.

"Even if we get two cards from this single batch, then we can identify that both cards were used in, say a particular chain of shops. We then know that business is the common point of compromise," Cohen adds.

"Oren [Karmi] will then work with either our customers or different issuing banks to try help identify that common point of compromise. Then we can share intelligence about the merchant that has been compromised."

He adds: "Oran and his team try to get as deep as possible and close as possible to the root [of the compromise] and expose the root."

"We have to be as close as possible to stop that [fraud]."

RSA researchers have uncovered a global malware operation targeting several dozen retailers in 11 countries that relies on a private, key-logging Trojan called ChewBacca.

The discovery was announced in a blog post late last week by Yotam Gottesman, senior security researcher at RSA Firstwatch, where he confirmed payment and personal data may have been compromised by the scam.

"RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment car and personal data from several dozen retailers, mostly based in the US," he wrote.

"Infection activity has also been detected in 10 other countries including Russia, Canada and Australia."

The malware used to power the scheme is a Tor-based example known as ChewBacca. Its existence was first flagged in December by a Kaspersky Lab researcher and it allows key strokes to be recorded and memory scanning to take place.

The Tor-based element of the malware conceals the IP addresses of the command and control severs ChewBacca's data is sent back to.

"RSA researchers discovered that, beginning October 25, it had logged track one and two data of payment cards it had scraped from infected PoS systems," the RSA blog post continued.

"RSA anti-fraud researchers have been in contact with victim companies at the centre of this operation, sharing key forensics information gathered in this investigation."

The malware is a "simple" construct, the researchers said, that belies its ability to steal payment data, and retailers need to be on their guard against it.

"Retailers have few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers," the blog post states.

"They can encrypt or tokenise data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

IT security firm RSA was forced to deny reports that it was secretly paid $10 million by the US National Security Agency (NSA) to allow a backdoor in its encryption software.

Accord to reports by Reuters, the company took payment from the NSA to use a flawed random number generator in its products, known as the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRGB). The technology has been part of some RSA products since 2004.

The Reuters' report alleged that the deal was part of a greater effort by the NSA to enhance surveillance by systematically eroding the effectiveness of security tools.

The sum of money represented around a third of its revenue for that year, according to the report. EMC acquired RSA in 2006 for $2.1 billion.

In a blogpost. RSA "categorically" denied all allegations. The firm said that is has "never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential backdoors' into our products for anyone's use."

The vendor said that it included Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. "At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption," the firm stated.

RSA added that the algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been "free to choose whichever one best suits their needs."

It said it only when the US National Institute of Standards and Technology (NIST) recommended no further use of this algorithm in September 2013, did it tell customers to stop using the encryption technology.

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicised it. Our explicit goal has always been to strengthen commercial and government security," the company added.

Former RSA exec Shawn Pearson has been recruited by Websense to lead its worldwide channel sales.

Websense says Pearson, who was until recently RSA’s senior director of Americas inside sales and channels, will be responsible for designing and implementing channel strategies that transform its channel “from a transactional-based to a value-add operation” to support an expanded solution portfolio.

Pearson (pictured) is also committed to building a partner ecosystem across multiple verticals, says the firm.

“Websense has a strategic focus on empowering the success of its channel partners,” says Pearson. “My channel philosophy and experience is the perfect match for Websense’s vision and success in delivering the most robust security solutions available on the market. I look forward to driving Websense’s global channel sales and enhancing the adoption of the Websense TRITON platform.”

“Shawn is a well-respected, visionary leader with deep experience in security channel operations,” comments John McCormack, Websense CEO. “His proven track record of channel transformation and partner success makes him a valuable asset to our growing channel team. I look forward to working with him to expand our global partner base across verticals and drive incremental revenue throughout the channel.”

Enterprises are on the back foot when it comes to protecting themselves against the threats posed by cloud and mobile devices, according to Art Coviello, executive chairman of EMC-owned RSA.

During the opening keynote at this year's EMC World conference in Las Vegas, Coviello called on enterprises to rethink how they address IT security in the cloud and mobile era.

"[All these trends] represent an expansion of the attack surface...and mobility, web-based apps and cloud all create new openings to our infrastructure and more risks," he warned.

"We are [behind the curve when it comes to security] and we have to change models...[because] we've had a model where we've been reactive and tried to protect the perimeter, but that doesn't exist anymore."

To achieve this, he said organisations need to take a more "intelligence-driven" approach to security that draws on another industry megatrend, big data.

"We need more big data-orientated controls that can detect and respond to attacks, opposed to trying to prevent them from the outset, which is increasingly becoming a fool's errand," he added.

However, the vast amounts of unstructured data enterprises are holding on to for big data analytics purposes will also put them at risk of attack, he warned.

"These big data stores and the application that are used to mine them will [offer] a treasure trove of opportunities for attackers," he said.

The push to connect increasing numbers of household devices to the internet is another area he urged delegates to be on their guard against.

"The internet of things is going to create a host of issues, because [it means] you're going to be able to be attacked in ways that we've just never heard of before," he added.

"[We need a] new model for security that allows us to spot anomalies in [user] data, because that is the only way we're going to stay ahead of these attacks."

Security, along with cloud and big data, is one of the main themes of this year's EMC World, the first day of which saw the firm wax lyrical about the appeal of hybrid clouds and the new era of applications.

EMC also took the wraps of its new ViPR storage management product, which it claims will help enterprises with heterogeneous storage environments deploy cloud-based applications.

Privacy advocates are slowing the progress of the security industry and preventing people from being fully protected online, according to RSA chairman Art Coviello.

Coviello claimed that the "cries of Big Brother" from privacy groups over more stringent security measures were doing the industry no favours. However, he did praise the efforts of the UK government to work with businesses to strengthen infrastructure defences.

"Privacy advocates think we should be able to endure reasonable danger to protect privacy," he said during a keynote speech at the RSA Europe conference.

"[This is] dangerous reasoning [and the] true depth of the problem remains hidden."

The chairman said that this reasoning was "a knee-jerk reaction without understanding the scope of the situation". He added that activists did not understand safeguards could be implemented and accused activists o believing a reasonable danger to protect our freedoms was "acceptable".

Coviello called for an overhaul to privacy laws and new cybersecurity model that "doesn't focus its efforts on an increasingly porous defense of the perimeter." He claimed that CIOs, boards of directors and others agree that a new model of cybersecurity makes sense.

He said that organisations should build intelligence-based security system comprising of a number of components, including risk-mitigation strategies and more enhanced use of data analysis.

Coviello also said another hindrance to the industry was a lack of skilled professionals. He said the industry needed around 4.25 million security professionals by 2015, but at present this was at just 2.25 million in 2010. He said that the industry may not be able to fulfill this requirement.

"There is a severe skills shortage, we have a need for the right level of people with the right level of expertise. Where will they come from? There is a need for more understanding," he said.

Ask any IT helpdesk for their list of the most annoying and most frequent requests, and resetting users' passwords is very likely to be in the top five.

Users lose passwords. Or they forget to change them, they write them down on sticky notes, or store them in Excel files. Or else they just stick to simple ones they can remember, like Admin and Password.

A few years ago, Gartner, the IT research firm, looked at the cost of resetting passwords. A password reset call cost between 7 and 25 per incident, and they accounted for 30 per cent of helpdesk work. Other analysts have put the amount of time IT teams spend resetting passwords even higher.

So IT directors might be interested to learn that, apparently, cracking a password is child's play. Literally. SecurEnvoy, an IT security vendor, reckons that kids can use information stored on adults' social networking profiles to uncover enough personal information to hack passwords.

Security questions such as a user's mother's maiden name are especially easy to uncover, according to Andy Kemshall, SecurEnvoy's CTO. This, coupled with workplace information, such as email addresses, from sites such as LinkedIn, is more than enough to breach security. All a hacker needs to do is pose as a legitimate user, call up the helpdesk, and receive a new set of credentials.

Whether the "average kid" is going to go to such lengths is open to question. But another survey, this time from Experian, suggests that few of us take suffient precautions with either our personal information, or our passwords. The average Briton has 26 online accounts younger adults as many as 40 yet we use just five passwords to secure them. Experian didn't specifically ask whether people use the same passwords for work and personal accounts, but the odds are that many of us do.

Unfortunately, this is a problem that is still in search of a practical solution. Biometric security fingerprints, iris scans, or even voice prints has potential. But all biometrics are expensive to deploy: there is the cost of the equipment and softwarae, and the cost of verifying and enrolling users. And, with the exception of voice, all biometric IDs need new hardware. Then there is the problem that many of us find biometrics too intrusive for day to day use.

Strong, two-factor authentication, such as a token or smart card, is another option. But again, these are not cheap, and confidence in tokens has been undermined by the RSA hack. As with any system that relies on a single gateway, there is also a single point of failure. Move to single sign on with tokens, and if your token system is hacked or circumvented, your systems are wide open.

Until industry comes up with a better, cheaper alternative to passwords, the best measures CIOs can take are to educate staff to use strong passwords, and to change them often.

And if all else fails, the schools break up soon. So there will be plenty of sixth-formers around who will be happy to take a summer job in the IT security department.

Stephen Pritchard is a contributing editor at IT Pro.

Either RSA is very thorough in being disingenuous, or it really has averted disaster.

When last year's breach hit, resulting in customers' SecurID data going missing, some gazed into the crystal ball and saw the dawning of a dark age for RSA. There was little doubt the embarrassment and subsequent cost of the compromise was going to hurt the company, at least in the short term.

The security division of EMC, which supplies authentication products to some of the world's biggest public and private organisations, did not just suffer financial wounds, but was also lambasted for not coming clean about the breach sooner. It also took some flak when it emerged how the attack took place. A seemingly simple spear phishing attack duped a low level employee into opening a file which exploited a vulnerability in Adobe Flash. It was fairly routine stuff as far as hacks go.

Yet at this year's RSA 2012 conference, the company has been in pugnacious mood, claiming the breach was all dealt with and the overall impact almost non-existent. Art Coviello and Co have come out fighting this week. At the minute, it looks like they're winning.

Emerging from the ashes

Data breaches have two particularly pejorative consequences: financial loss and reputational damage resulting in customer level depletion. RSA has suffered both, as anyone would expect, but on the face of it the impact has been minimal.

The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours.

Lesser companies have fallen as a result of hacks on their infrastructure. DigiNotar, the Dutch certificate authority, went bankrupt after it was hit by cyber criminals seeking to implement clever man in the middle attacks. Fortunately for RSA, it has the large pockets of EMC to support it. From that respect, it is no surprise RSA has suffered little.

Yet the company has shown resilience in recovering from the devastation of March 2011. It would be easy to just brand RSA's comeback as all talk, but the vendor has backed its claims with some impressive figures.

Let's start with reputation. Since the breach, just four customers have been lost. That's out of tens of thousands. From studies the company has done amongst clients, the firm's standing has recovered in their eyes too. From a vicious initial backlash from customers, RSA said it had managed to regain their trust.

"We do a lot of data gathering on customers, like customer satisfaction surveys, and we got crushed for the first two to three months," Thomas Heiser, president of RSA, told IT Pro.

"Go back to those same customers in November/December and they said you stood by us, you opened up communication, you remediated if we wanted to.' We turned lemon into lemonades."

Despite the criticism RSA faced for not being quicker to come clean about the breach, Heiser claimed as soon as the company knew customers would be affected, it moved to let them know.

"The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours," the company president said. "It was all hands on deck, it was just rapid."

Indeed, RSA had to work hard to ensure its reputation was not irrevocably tarnished. Following disclosure, RSA offered customers SecurID replacement tokens. Its sales team was plagued with calls from companies wanting to take advantage. "They were remediating customers up from 10 per cent of their time to 90 per cent of their time," Heiser added.

Financially, things are looking rosey too. Even though reports last year indicated the breach had cost the company $66 million, EMC's most recent results showed RSA grew its business 16 per cent in the last quarter. Then there was RSA chairman Art Coviello's telling comment at the start of this week's conference: "We are no longer dealing with the breach." That means no more payouts or costly remedial changes will be required.

It's CISO time

Customers will also want RSA to prove its infrastructure is safe and trustworthy. One of the biggest changes over the last year has been in employing a chief security officer. Some would say a little too late, but at least Eddie Schwartz, who was initially brought in during the NetWitness acquisition a month after the breach, stepped up to the CSO plate in June 2011.

"One big area for us was looking at everything that is external facing and what types of examination should that have in terms of our attack surface. Another area we looked at is how we're doing authentication, have we implemented risk-based authentication across the board and where can we infuse that further into the process?"

He also sought to aggressively enforce segmentation, deciding which data could be lumped together and which should be kept separate. "This has been a great thing for us in terms of looking at how to quickly implement areas of control," Schwartz added.

Another successful attack would be nothing short of catastrophic.

Training has been key. The 2011 breach started when an employee opened an Excel document in an email, not realising it would open up their machine to infection. Worker training has now gone much deeper, according to the CSO, with more innovative methods tested out.

"There are techniques that are more invasive, more aggressive, where if you do well I'll reward you, but if you don't I'll make a public spectacle of you in some way," Schwartz said. "The point is, is that there are innovative ways to do that."

RSA will want to keep a close eye on its supply chain too. The hackers behind the 2011 hit did not want saleable data from the security firm, but was after the keys to others' infrastructure, most notably that of US government contractor Lockheed Martin. RSA won't want to fall thanks to partner insecurities and Schwartz said the company was reviewing what best practices should be in relation to supply chain.

"We're talking to others that are doing it as well and asking what else can we do to get even deeper visibility in the process," he said. "When you're a global entity like EMC, there are certain places where you do things where it is very easy to gain visibility, but there are other parts of the world where it becomes tougher to get that level of assurance.

"We're looking at where the risk is, where we have a lot of assurance and visibility and where maybe we need to deal with things either at the contractual level, the surveillance level or testing level."

Here's hoping Schwartz can help RSA avoid any further embarrassment. Another successful attack would be nothing short of catastrophic.

There may be trouble ahead

Despite its successful damage limitation exercise, it would be naive to agree the breach is fully behind RSA. There remain unanswered questions. Questions that the company is refusing to answer.

It is still unclear who was behind the attacks, even though RSA claimed last year a nation state was to blame, or whether law enforcement is hoping to apprehend the perpetrators. "We're not providing any attribution on it," Heiser said, adding that RSA was not investing in capturing the crooks and did not know whether the FBI or others were investigating.

RSA may benefit from a lack of police activity. If arrests are made, it will only refresh customers' and potential clients' memories. RSA does not want people to continually associate it with the events of last year.

Instead, the company would benefit from the power of forgetting' - to borrow a term from security guru Bruce Schneier. RSA knows it will continue to face questions over the compromise, but by placating people with a positive, ostensibly open strategy and having data to support that, the company will continue to do a good job at curbing negative opinion. In terms of acquiring new customers, rather than just appease current ones, that will be vital.

The company will have its fingers crossed nothing dirty emerges from the thin cracks that remain open. If nothing does seep out, and that currently looks likely, the hack, not RSA, will have successfully been buried six feet under.