Why “DSPM” Was the Acronym to Watch at This Year’s RSA Conference
AI needs data and data draws attackers, which makes data security posture management worth doing. Plus: CISA’s Secure By Design pledge and a new MSP badge program offer cause for hope.
Editor’s note: I came home from this year’s RSA Conference in San Francisco with way more news and observations than I can write up in a single post, so I’m covering the observations here and will have a bonus post about the news on Monday.
Some people obsess over the song of the summer. Channelholics obsess over the acronym of the RSA Conference.
Remember when you couldn’t go ten feet down a crowded Moscone Center show floor without encountering the letters “XDR”? That’s practically a golden oldie these days.
I can’t say it cleared the same bar, but I have a candidate for this year’s RSAC acronym chart topper. It’s DSPM, as in data security posture management, and while it’s hardly a brand-new discipline, it’s a newly relevant one thanks to our good (albeit slightly less good lately) friend generative AI.
GenAI, famously, feeds on data. Mountains and mountains of rich, tasty data laden with vulnerabilities so new that in many cases all we know for sure about them is they’re worth fearing. Indeed, over two-thirds of organizations call data risks their top AI concern, according to recent research from data security vendor BigID.
Properly equipped DSPM solutions can help mitigate those risks, which is why more than a fifth of organizations worldwide will deploy DSPM solutions by 2026, according to probably outdated research from Gartner a year ago. It’s also why so much of the news announced during RSAC and in the days leading up to that conference had a DSPM angle, and why you couldn’t board an elevator at the hotel I stayed at during the show without seeing “DSPM” either.
If you think clueless end users dropping text-based trade secrets and PII into public LLMs like GPT-4 is what’s driving that activity, you’re not thinking big enough. “By the end of the year, we’ll probably have more graphics as well where you snap a picture of a document and say, ‘please explain this,’” predicts Candid Wuest, vice president of cyber protection research at Acronis. That’s a harder use case for many old-school data security solutions to handle, he adds.
Private LLMs aren’t necessarily any safer than public ones either, warns Lawrence Cruciana, president of Charlotte N.C.-based solution provider Corporate Information Technologies and one of my longtime go-tos on all things cyber. “The inadvertent disclosure or discoverability or inclusion of restricted data by something like [Microsoft] Copilot inside of a Teams context is very real,” he says. “Outsiders have been able to abuse private data sets of other organizations.”
Insiders can theoretically use chatbots to get at data they shouldn’t see too. Data compliance and governance vendor Egnyte includes robust file-based permissions functionality in its software, notes Kris Lahiri (pictured), Egnyte’s co-founder and chief security officer.
“In the AI world, there is no such thing,” he adds. There are only “guardrails,” the rules LLM coders rely on to stop users from generating hate speech, researching bomb design, or mining LLM data for confidential information. Researchers, moreover, have repeatedly shown that guardrails can be easily defeated. It’s a fact disturbing enough to Lahiri that part of his team regularly red teams the sophisticated guardrails erected by the rest of his team.
“Can an analyst ask questions of the data set that gives them elevated privileges?” he worries. Not yet, but that doesn’t mean the danger isn’t real.
Elevated privileges, moreover, could be a problem not just with LLM data but with the LLMs containing that data, notes Joy Belinda Beland, vice president of partner strategy and cybersecurity education at Summit 7, a cybersecurity and compliance solution provider for defense contractors.
“You can change who’s allowed to see what,” she says. Or who’s allowed to alter what. Imagine, for example, an attacker making a minuscule change to the welding tolerances in an aircraft manufacturer’s private model.
“Now all of the plans that you’re working off of are slightly off what has actually been agreed to and you don’t know it,” Beland says. “It could create spectacular safety issues and a default on contracts, and the business closes down because you’ve been delivering goods that now aren’t up to spec.”
Security pros call it “data poisoning,” and it’s a tempting hack in this case for a business rival or nation-state adversary trying to sabotage development of a new weapon system. Good old-fashioned extortion can be a strong motivator too, according to Tony Anscombe, chief security evangelist at ESET.
“If somebody comes in and manipulates that data in some way and suddenly it creates garbage in the data, you’re going to get garbage out,” he observes. “You can hold a company to ransom based on whatever it was you inserted.”
Of course, attackers have to break into an LLM before they can poison its contents, and even in the realm of AI it’s predictable mistakes by ordinary users that usually make those breaches possible. The ordinary users know it too. Over 90% of them say organizations should update their training to keep pace with AI-related cyber threats, but only 62% say their employer actually makes AI education a priority, according to research this week from EY.
That has Kyle Hanslovan, CEO of Huntress, bullish on something complementary to DSPM but distinct from it, “human risk management” products from vendors like CultureAI and Hoxhunt that augment awareness training with other mechanisms to prevent end users from committing the 101-level errors that make DSPM solutions necessary in the first place.
“It’s not enough to just do awareness,” he says. “You actually have to do the enforcement and the detection and response.”
No one has perfected that formula yet, Hanslovan adds, but the first company to do so will reap the biggest financial rewards since XDR took the RSA Conference expo hall by storm.
“I think you’re going to see something that could have and be a multi-billion-dollar valuation,” he says.
The Secure By Design pledge has a shot
Sad but true: I rarely pay close attention when the federal government weighs in on cybersecurity. The NIST Cybersecurity Framework, which has undeniably done good in the world, feels like the exception to a rule in which policy papers get distributed, executive orders get issued, and little to nothing changes.
Many others apparently feel the same way. Secretary of State Antony Blinken’s official rollout of a new International Cyberspace and Digital Policy Strategy at the RSA Conference on Monday got some media coverage, but how much have you read about version 2 of the National Cybersecurity Strategy Implementation Plan, which the Biden administration published the next day?
So I doubt I’m the only one whose initial response to the Secure By Design pledge that CISA got several dozen RSAC exhibitors to sign this week was a shoulder shrug. Here comes another photo op, I cynically predicted, followed by very little more.
Having discussed the matter with a number of RSAC attendees, though, I’m starting to think—or rather, hope—I was wrong. The Secure By Design pledge just might make a small but meaningful difference in prodding tech vendors to embrace some extremely basic best practices they should have been following all along.
Cruciana is among the people who have me thinking that way.
“I’m usually the person that’s like, ‘yeah, right, this is never going to take off,’” he says. But the Secure By Design pledge feels different. CISA director Jen Easterly didn’t just swoop into San Francisco, smile for the cameras, and swoop back out. She brought a team of people responsible for managing the pledge with her and spent face time discussing the initiative with current and potential signatories.
“This has legs,” Cruciana says. “This actually might be a thing.”
It helps that CISA set the bar for itself and the industry very low. Vendors that take the pledge commit to implementing just seven measures, some of which are embarrassingly simple. Signers must promise to drive greater (not mandatory) use of MFA, for example, promote increased (not automated) patching, and eliminate default (not weak) passwords within a year.
“It’s raising the lowest common denominator,” says Chester Wisniewski, director of global field CTO at pledge signatory Sophos.
But just because everyone should have been doing this stuff a long time ago doesn’t mean it isn’t progress if they start doing it now. And Wisniewski thinks they just might. If CISA can build awareness of the pledge among IT providers, he notes, it could become part of how they evaluate current and potential vendors.
“It’s a measuring stick for the channel,” Wisniewski says. “You’ll be able to look at this list of seven basic things your vendors should be doing and have an idea of who’s doing them well and who isn’t.”
Even if partners don’t reference the pledge much, he continues, vendors undoubtedly will for competitive marketing purposes. “I’m optimistic there will be a bit of peer pressure,” Wisniewski says. “When a few security companies get on board, I think the other ones are going to feel that they should also be on board.”
Indeed, Hanslovan (pictured), of Huntress, is applying a little well-intentioned pressure already. Review the list of inaugural pledge-takers, he encourages partners, and take note both of who’s on it and who isn’t.
“I want to know who’s making the commitment and I want to know who’s not even in tune enough to know this was happening,” Hanslovan says. “To me that’s a big, at least, yellow flag.”
Remarks like that may be having an impact already. No confirmation from CISA, but I’m told anecdotally by an informed source that 10 vendors not among the initial signatories took the pledge within 24 hours of its unveiling, perhaps to avoid appearing out of the cybersecurity loop.
Hanslovan considers all this a step in the right direction. But just a step. At present, most pledge signers are security specialists already doing the right things most of the time. Real momentum toward cyber safety will come when the government starts incentivizing all the other vendors out there to climb on board and penalizing those who don’t.
“They need both a carrot and a stick,” Hanslovan says.
The carrot could be something like limited indemnification from liability for anyone honoring Secure By Design principles, he adds. The stick should be fines. CISA has no authority to enforce security best practices, but other parts of the executive branch do.
“I’d like to see the SEC step the fuck up,” Hanslovan says, “and if you go and look at the FCC, they have a lot and a very broad ability to handle these things.”
If regulators don’t take action, he continues, media types like yours truly can at least partially fill that gap.
“Some of what may be happening here, whether intentional or not, is weaponizing public accountability,” Hanslovan says. “If one of these people signs that pledge and it gets discovered that they were not following that pledge, that’s newsworthy.” And newsworthy in a way that can damage stock prices, brand equity, and retention rates.
Is it crazy to believe all of that might just be enough, at long last, to bring a critical mass of hardware and software makers in line with the most basic security guidelines? I don’t think so, and if it is then Cruciana’s even crazier than I am. “I think we’re going to see that,” he says. “I really think we’re going to see that.”
Wisniewski is hopeful too, especially if people like Cruciana get involved.
“I’m probably never going to get every small business in America to care or even know what the known exploited vulnerabilities list is, but if we can get the channel partners to be doing that on their behalf, especially the MSPs and the MSSPs out there, that’s how we’re going to raise security standards up for those people,” he says.
Wear them with pride: new badges for truly professional MSPs
Let’s take a detour from security, if only a minor one. Regular readers may recall a post from earlier this year about the woeful lack of professional standards in managed services at present, and the yeoman’s work being done to fix that problem by the National Society of IT Service Providers. This week, the NSITSP introduced badges designed to recognize participants in that effort, and ensure everyone else does too.
I said this is a minor detour moments ago because taking security seriously factors heavily in the NSITSP’s mission. Professional MSPs protect end user data. Fly-by-night “trunk slammers” don’t, and give legitimate MSPs a bad name in the process.
Just as the world will be a safer place to do business in if every technology vendor signs CISA’s Secure By Design pledge, so too will everyone be safer if MSPs invest the effort required to earn an NSITSP badge. Here’s hoping lots of them do.
Also worth noting from RSA
In the latest manifestation of an ongoing campaign, Liongard is delivering a new managed attack surface solution through its MSP partners.
Proofpoint introduced pre-delivery email security based on tech it acquired along with Tessian a few months ago and new post-delivery defenses based on behavioral AI.
Speaking of acquired security functionality, SentinelOne has added cloud security capabilities based on tech it got along with PingSafe in January, plus integrated threat intelligence from Mandiant.
Sumo Logic has new threat intel and cloud security functionality too.
OpenText has a new threat intelligence tool as well, called cyDNA.
I sense a trend: Google also unveiled a threat intelligence offering during RSAC, along with an AI-powered security ops service.
CrowdStrike’s Falcon platform now integrates with that new Google security ops service.
1Password’s flagship password management solution, in turn, now integrates with CrowdStrike’s Falcon Next-Gen SIEM.
More CrowdStrike: it’s now NinjaOne’s XDR partner of choice. More on this coming Monday.
More NinjaOne: the vendor has new endpoint management, patch management, and backup capabilities in addition to XDR via CrowdStrike.
Passwordless access and temporary elevated device privileges are among the newest features from JumpCloud.
ManageEngine now offers integrated supply chain risk management functionality from Constella Intelligence.
What was AT&T Cybersecurity is now LevelBlue, a standalone managed cybersecurity services business jointly owned by AT&T and PE firm WillJam Ventures.
Neal Bradbury, who you’ve read about before in these parts, is Barracuda’s new chief product officer.
Manoj Srivastava is the new chief technology and product officer at BlackPoint Cyber.
Also worth noting elsewhere
ServiceNow held a conference this week too, where it announced a new bring-your-own genAI model capability for playbook and app generation, among other things, an expanded AI alliance with Microsoft, and a whole lot more.
IT By Design has added a bunch of extra outsourced labor capacity via a brand-new HQ in the Philippines.
Wasabi Technologies is offering hybrid cloud/on-prem storage solutions with Dell.
The Cloudli Connect communications platform is now available through partners in the U.S. and Canada.