RSA Conference 2024: A Journey of Insights and Innovations into the Art of Possible
As an Executive Leader and Information Security Architect, I have had the privilege of attending numerous industry conferences over the years, but RSA Conference 2024 was a particularly noteworthy experience. Once again, this year, I had the pleasure of working with a great team in our Security Operations Center (SOC) along with my partner, Jessica Bair Oppenheimer from Cisco.
Event Highlights
RSA Conference (RSAC) is one of the most significant gatherings in the information security field, bringing together professionals from around the world to share knowledge and discuss emerging threats, and giving companies an opportunity to showcase their solutions. This year’s conference theme was Art of Possible, and it featured many insightful keynotes and technical sessions. I was particularly impressed by the opening keynote, “The Power of Community,” delivered by Hugh Thompson, which set the tone for the event with discussions on the evolving threat landscape and the importance of resilience.
EXPOSURE The 5th Annual RSAC SOC Report
Presenting at RSA Conference 2024 was a remarkable opportunity to share the latest findings from our SOC. Our session focused on the data we collected: 19 billion packets captured, 39.9 million logs, and 17.24 TB of packet data. We highlighted key statistics such as the increase in encrypted traffic and the reduction in cleartext passwords detected over the years. Our analysis underscored the importance of robust encryption practices and of continuously monitoring network traffic to identify potential threats.
One of the standout aspects of our presentation was the detailed discussion of our infrastructure. We demonstrated how the tools in the SOC integrate to provide a comprehensive security solution, capable of detecting and responding to threats in real time. If you missed our session, you can watch it here.
SOC Life
Our SOC team comprised five NetWitness Analysts, ten Cisco/Splunk Analysts, one IBM Threat Hunter, and three SOC Managers. Everyone worked diligently, first to set up all of these tools onsite before the conference began and then to monitor the Moscone Center WiFi every day the conference was in session. Since RSAC 2017 we have conducted daily public tours and multiple press interviews, and we produce an annual findings report, which should be out shortly; I will link to it here when it is available.
SOC Analysts and Integration Specialists discuss the integrations between the different components in the SOC.
This year, our setup included NetWitness Platform XDR and various Cisco security solutions such as Cisco Secure Cloud Analytics, Cisco XDR, Splunk ES, and FMC (Firepower Management Center). Our open XDR platform provided full packet capture and log decoding, and integrated threat intelligence from alphaMountain.ai, Pulsedive, Recorded Future, IBM X-Force Exchange, and Cisco Talos, among others, so that all of these sources could work together.
SOC Statistics and Trends
As I noted previously, our SOC captured a total of 19 billion packets and 39.9 million logs, with a peak bandwidth usage of only 2.2 Gbps. This is a significant decrease from years past, which slightly skews our year-over-year trend reporting.
Notably, the percentage of encrypted traffic increased from 70% in 2023 to 80% in 2024. This shift underscores the growing adoption of encryption in network traffic, which improves confidentiality but also poses challenges for traffic analysis and threat detection. Organizations cannot simply ignore encrypted traffic; they must adapt their security monitoring architecture to compensate, either by capturing the traffic at a point where it is still in cleartext (for example, on the inside of a TLS-terminating proxy or load balancer) or by providing the session keys to their monitoring tools so the traffic can be decrypted for inspection. Which approach fits depends on the organization, and there are multiple factors to consider, including requirements for data encryption in transit and at rest.
We observed a significant decrease in the number of cleartext passwords detected, from 96,361 in 2020 to just 20,916 in 2024. This reduction reflects improved security practices and awareness of the importance of encrypted communication protocols. We did, however, see an increase in the usage of POP3, which boggles my mind. If you’re a mail server administrator, make sure cleartext POP3 is turned off (and if clients truly need POP3, offer it only over TLS). End users can’t use it if it’s not there!
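To make the two statistics above concrete, here is an added example, written for this post and not code from the RSAC SOC, NetWitness or Cisco. It classifies constructed session metadata: it computes the share of bytes carried inside TLS sessions and flags sessions where a password crossed the wire in cleartext over POP3, IMAP, FTP or HTTP Basic authentication. The Session fields, protocol labels and every sample session are assumptions standing in for what a network sensor would record; usernames are reported so the owner can be contacted, passwords are deliberately never returned.

```python
"""Added example: encryption coverage and cleartext-credential detection over
constructed session metadata.  Not RSAC SOC data or vendor code."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Session:
    proto: str          # application protocol as labelled by the sensor (assumed field)
    dst_port: int
    tls: bool           # True if the sensor observed a TLS handshake
    nbytes: int
    payload: str = ""   # first bytes of cleartext payload, if any


# Constructed sample sessions (hypothetical values, chosen to exercise each detector).
SAMPLE_SESSIONS = [
    Session("https", 443, True, 520_000),
    Session("https", 443, True, 1_200_000),
    Session("pop3", 110, False, 4_100, "USER alice@example.test\r\nPASS hunter2\r\n+OK"),
    Session("pop3s", 995, True, 6_000),
    Session("http", 80, False, 9_800,
            "GET /admin HTTP/1.1\r\nAuthorization: Basic "
            + base64.b64encode(b"bob:letmein").decode() + "\r\n"),
    Session("ftp", 21, False, 2_200, "220 ready\r\nUSER carol\r\nPASS s3cret\r\n230 Logged in"),
    Session("imap", 143, False, 3_000, "a001 LOGIN dave passw0rd\r\n"),
    Session("dns", 53, False, 300),
]


def encrypted_share(sessions):
    """Percentage of total bytes carried in TLS-protected sessions."""
    total = sum(s.nbytes for s in sessions)
    enc = sum(s.nbytes for s in sessions if s.tls)
    return 0.0 if total == 0 else 100.0 * enc / total


# Line-anchored patterns for the cleartext login exchanges of each protocol.
# Only the username is captured; the password group is matched but discarded.
_USER = re.compile(r"^USER (\S+)", re.M)                 # POP3 and FTP
_PASS = re.compile(r"^PASS \S+", re.M)                   # POP3 and FTP
_IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) \S+", re.M)  # tag LOGIN user pass
_HTTP_BASIC = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I)


def find_cleartext_credentials(sessions):
    """Return (protocol, dst_port, username) for every unencrypted session in
    which a password was sent on the wire."""
    findings = []
    for s in sessions:
        if s.tls or not s.payload:
            continue
        user = None
        if _PASS.search(s.payload):
            m = _USER.search(s.payload)
            user = m.group(1) if m else "<unknown>"
        elif (m := _IMAP_LOGIN.search(s.payload)):
            user = m.group(1)
        elif (m := _HTTP_BASIC.search(s.payload)):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                user = decoded.split(":", 1)[0]
            except ValueError:      # binascii.Error is a ValueError subclass
                user = "<undecodable>"
        if user is not None:
            findings.append((s.proto, s.dst_port, user))
    return findings


def by_protocol(findings):
    """Count cleartext-credential sessions per protocol (what to turn off first)."""
    counts = {}
    for proto, _, _ in findings:
        counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    print(f"encrypted traffic: {encrypted_share(SAMPLE_SESSIONS):.1f}% of bytes")
    found = find_cleartext_credentials(SAMPLE_SESSIONS)
    for proto, port, user in found:
        print(f"cleartext credential: {proto}/{port} user={user}")
    print("by protocol:", by_protocol(found))
```

Encrypted share is measured in bytes rather than sessions because a handful of large TLS downloads can mask dozens of small cleartext logins; the per-protocol count is the number a mail or FTP administrator actually needs to act on.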
Incident Correlation and Analysis
One of the key highlights of the SOC was the demonstration of Cisco XDR Analytics in action. Cisco provided examples of how complex series of discrete events were correlated into single patterns of activity, which were then summarized by AI into human-readable descriptions.
Using the copious metadata generated by NetWitness Platform XDR from the network traffic, together with the logs generated by all of the other Cisco tools, the AI was able to quickly provide insights not only into what happened but also into how to remediate the issue. This capability significantly enhances the efficiency and effectiveness of incident response within the SOC.
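The correlation step described above is easier to picture with a small worked example. The following is added for this post and is not Cisco XDR or NetWitness code; those products use their own analytics and a language model for the summary, whereas this illustration walks a per-host event stream through an ordered pattern (several authentication failures, a success, a new process, an outbound connection, all inside a time window) and renders the result with a plain template. The event schema, host names, pattern stages and every sample event are constructed assumptions.

```python
"""Added example: correlating discrete events into one pattern of activity and
rendering it as a plain-language summary.  Constructed events, not vendor output."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str     # normalized event type, whichever tool produced it (assumed schema)
    detail: str


# Constructed sample: a suspicious chain on ws-17, ordinary noise on ws-22 and ws-09.
T0 = datetime(2024, 5, 7, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(seconds=5 * i), "ws-17", "auth_failure", "user jdoe, bad password")
    for i in range(6)
] + [
    Event(T0 + timedelta(minutes=1), "ws-17", "auth_success", "user jdoe"),
    Event(T0 + timedelta(minutes=2), "ws-17", "new_process", "powershell.exe -enc ..."),
    Event(T0 + timedelta(minutes=3), "ws-17", "outbound_connection",
          "198.51.100.23:443, first seen for this host"),
    Event(T0 + timedelta(minutes=1), "ws-22", "auth_failure", "user asmith, bad password"),
    Event(T0 + timedelta(minutes=2), "ws-22", "auth_success", "user asmith"),
    Event(T0 + timedelta(hours=3), "ws-09", "new_process", "chrome.exe"),
]

# Pattern: stages that must occur in this order, with the minimum count per stage.
BRUTE_THEN_EXEC = [
    ("auth_failure", 5),
    ("auth_success", 1),
    ("new_process", 1),
    ("outbound_connection", 1),
]


def _match_from(evs, pattern, window):
    """Try to walk `pattern` starting at evs[0]; unrelated events in between are
    skipped.  Returns the matched events, or [] if the window closes first."""
    deadline = evs[0].ts + window
    stage, seen, chain = 0, 0, []
    for e in evs:
        if e.ts > deadline or stage >= len(pattern):
            break
        kind, need = pattern[stage]
        if e.kind == kind:
            chain.append(e)
            seen += 1
            if seen >= need:
                stage, seen = stage + 1, 0
    return chain if stage == len(pattern) else []


def correlate(events, pattern, window=timedelta(minutes=15)):
    """One incident (host, matched events) per host whose event stream contains
    every stage of `pattern`, in order, inside `window`."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    incidents = []
    for host, evs in by_host.items():
        for start in range(len(evs)):
            chain = _match_from(evs[start:], pattern, window)
            if chain:
                incidents.append((host, chain))
                break
    return incidents


def summarize(host, chain):
    """Templated human-readable description of one correlated incident."""
    counts = {}
    for e in chain:
        counts[e.kind] = counts.get(e.kind, 0) + 1      # dict keeps stage order
    span_min = int((chain[-1].ts - chain[0].ts).total_seconds() // 60)
    parts = [f"{n} {kind.replace('_', ' ')} event{'s' if n != 1 else ''}"
             for kind, n in counts.items()]
    return (f"{host}: {', then '.join(parts)} within {span_min} minutes "
            f"(first {chain[0].ts:%H:%M:%S}, last {chain[-1].ts:%H:%M:%S}); "
            f"last detail: {chain[-1].detail}")


if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS, BRUTE_THEN_EXEC):
        print(summarize(host, chain))
```

The value of the correlation is in the grouping: eight separate alerts on ws-17 become one incident, while the two events on ws-22 (a single failure followed by success) never reach the threshold and stay noise.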
Threat Hunting
Threat hunting through large amounts of data is often about looking for the really bad within the bad. I’ve said this for years: quite often it is just a curious SOC analyst who looks at something, thinks “That looks weird,” and begins to investigate further, sifting through the packets and the protocols to find the threat hidden amongst the benign. I often tell the story of a curious SOC analyst intern who had been working in our SOC for less than six months. One morning she saw a spike in network traffic that had been recorded overnight, turned to the more senior SOC analysts, and asked what the spike was. In unison the rest of the SOC responded, “That’s the backups.” Being new and curious, the intern chose to dig a little deeper and found a second spike hidden within the backup traffic that turned out to be data exfiltration. Always stay curious!
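The "spike within the spike" is a good candidate for something a hunter can automate. The following is an added example for this post, not code from the RSAC SOC or any of its vendors: it builds constructed per-destination flow volumes for one day, detects the aggregate overnight spike with a median/MAD robust z-score (so the burst cannot inflate its own baseline), then re-runs the same test per destination and reports any destination that is not on the expected-bulk list yet also spiked inside that window. The destination labels, the 30-minute bucketing and all byte counts are assumptions.

```python
"""Added example: hunting for a second spike hidden inside an expected one.
All flow records are constructed; they are not RSAC SOC data."""
from collections import defaultdict
from statistics import median

BACKUP = "10.0.0.5 backup-srv"       # hypothetical: expected nightly bulk transfer
CDN = "203.0.113.80 cdn"             # hypothetical: steady, uninteresting traffic
EXT = "198.51.100.7 unknown-ext"     # hypothetical: destination nobody expects


def build_sample(intervals=48):
    """Constructed flow records (interval_index, destination, bytes): one day in
    30-minute buckets, a backup burst in buckets 4-7 (02:00-04:00) and a much
    smaller exfiltration burst to EXT in buckets 5-6, inside the backup window."""
    records = []
    for t in range(intervals):
        records.append((t, BACKUP, 5_000_000 + (t % 3) * 100_000))
        records.append((t, CDN, 2_000_000 + (t % 5) * 50_000))
        records.append((t, EXT, 40_000 + (t % 4) * 5_000))
    for t in range(4, 8):
        records.append((t, BACKUP, 900_000_000))
    for t in range(5, 7):
        records.append((t, EXT, 60_000_000))
    return records


def aggregate(records):
    """Bytes per destination per interval: {dst: [bytes_0, bytes_1, ...]}."""
    n = max(t for t, _, _ in records) + 1
    series = defaultdict(lambda: [0] * n)
    for t, dst, nbytes in records:
        series[dst][t] += nbytes
    return dict(series)


def totals(series):
    """What the bandwidth graph shows: all destinations summed per interval."""
    n = len(next(iter(series.values())))
    return [sum(s[t] for s in series.values()) for t in range(n)]


def anomalous_intervals(values, threshold=6.0):
    """Indexes whose robust z-score exceeds `threshold`.  Median and MAD are used
    instead of mean and standard deviation so the spike does not hide itself."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # floor for a perfectly flat series
    return {t for t, v in enumerate(values) if (v - med) / (1.4826 * mad) > threshold}


def spike_composition(series, spike):
    """Share of the spike's bytes attributable to each destination."""
    by_dst = {dst: sum(s[t] for t in spike) for dst, s in series.items()}
    total = sum(by_dst.values())
    return {dst: b / total for dst, b in by_dst.items()}


def hunt(records, expected_bulk):
    """Find the aggregate spike, then test every destination on its own and report
    unexpected destinations that also spiked inside that window."""
    series = aggregate(records)
    spike = anomalous_intervals(totals(series))
    hidden = {}
    for dst, s in series.items():
        if dst in expected_bulk:
            continue
        hits = sorted(anomalous_intervals(s) & spike)
        if hits:
            hidden[dst] = hits
    return hidden


if __name__ == "__main__":
    recs = build_sample()
    series = aggregate(recs)
    spike = anomalous_intervals(totals(series))
    print("aggregate spike in intervals:", sorted(spike))
    for dst, share in spike_composition(series, spike).items():
        print(f"  {share:6.1%} of spike bytes -> {dst}")
    print("hidden inside the spike:", hunt(recs, {BACKUP}))
```

In the constructed data the exfiltration is roughly three percent of the spike's bytes, which is why it is invisible on the aggregate graph and only appears once the spike is decomposed by destination; the analyst's "that's the backups" answer is correct for 96% of the bytes and wrong for the part that matters.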
Interactions and Networking
RSA Conference is not just about the presentations; it’s also a fantastic opportunity to connect with other professionals in the field. I had the pleasure of meeting several industry leaders and engaging in thought-provoking discussions on the future of information security. These interactions provided valuable insights and sparked ideas for future projects and collaborations. The rise of AI and machine learning as key trends in information security reaffirmed the need for continuous innovation and adaptability in our field.
Trends and Takeaways
A few key trends stood out during the conference. The rise of AI and machine learning in information security was a recurring theme, highlighting their potential in enhancing threat detection and incident response. Additionally, there was a strong focus on cloud security, with many sessions dedicated to strategies for securing cloud environments and managing multi-cloud infrastructures.
From my perspective, as threat actors evolve, we as an industry need to stay ahead of them, which requires ongoing learning and collaboration amongst teams. The collaboration within the SOC has led to many advancements in our technologies, from which our customers benefit. As AI advances we can leverage it to analyze large amounts of data and provide a result, but we must always ensure that we foster a security mindset in every individual throughout our organizations.
Conclusion
Overall, RSA Conference 2024 was an enriching experience that reinforced the importance of our work in information security. One of the most gratifying aspects was presenting our findings from the SOC, where we highlighted significant trends such as the substantial increase in encrypted traffic and the reduction in cleartext passwords detected. These improvements underscore the effectiveness of our ongoing efforts to enhance network security and promote better encryption practices.
The detailed insights into our infrastructure, including the integration of tools from companies that would have been closed off to each other in the past, showcased our comprehensive approach to threat detection and incident response. It was particularly rewarding to have conference attendees share how watching our collaboration over the years has fostered collaboration and better security in their own organizations as they take the knowledge back and apply it.
RSA Conference 2024 was not just an event, but a reaffirmation of the critical role we play in securing our digital world. It was inspiring to see the dedication and ingenuity of professionals across the industry, all working towards a common goal. I look forward to applying the insights gained from this conference to my work and continuing to contribute to the advancement of information security and risk management.
Thank you to everyone who attended our tours, our session and engaged in meaningful discussions. Let’s stay connected and keep pushing the boundaries of what we can achieve in InfoSec!
RSAC 2024 SOC Team:
Front row right to left Andrew Jackman, Alessandro Contini, Steve Fink, Neil “Grifter” Wyler, Justin Murphy, Dinkar Sharma, Alessandro Zatti, Jack “Wes” Riley
Back row right to left Adam Kilgore, Jessica Bair Oppenheimer, Steve Nowell, Shawn Wallis, Ryan Maclennan, Christian Clasen, Marco Faggian
Thanks to:
Jack “Wes” Riley
Andrew Jackman
Alessandro Zatti
Alessandro Contini
Marco Faggian
Shawn Wallis
Christian Clasen
Ryan Maclennan
Aditya Sankar
Adam Kilgore
Justin Murphy
Ben Greenbaum
Dinkar Sharma
Steve Nowell
Seyed Khadem-Djahaghi
Neil “Grifter” Wyler
The RSA Conference staff
The Moscone Network Operations Center
And the entire Cisco and NetWitness teams that supported us behind the scenes