Category: RSA 2025

My observations from the keynotes and track sessions at RSA 2025! I’m joining the RSA conference, the world’s largest Cyber Security Conference in San Francisco. I’m looking forward to all new insights and ideas!

  • RSA Conference 2025: The Last Day

    Today marked the final day of RSA Conference 2025. The schedule featured sessions only in the morning and early afternoon, concluding with a celebration featuring DJ Irie and Jazz Mafia.

    Sessions I Attended Today

    The sessions I attended today were:

    1. The Frugal CISO: Running a Strong Cyber Security on a Budget
    2. Data-Centric Security: Why Granular is Great
    3. Lessons Learned From Implementing an Intel-Based Purple Teaming Process
    4. Hello It’s Me, I’m the User: DBIR Insights on the Use of Stolen Credentials

    The Frugal CISO: Running a Strong Cyber Security on a Budget

    Anand Thangaraju presented valuable strategies for maximizing security with limited resources. He began with insights from the 2024 Budget Benchmark Report from IANS and Artico Research, which revealed several key findings:

    • The rapid growth in security budgets has plateaued
    • Organizations typically allocate 11% of their IT budget to cybersecurity
    • This percentage varies by industry (higher in finance and healthcare, lower in retail)
    • Approximately half of cybersecurity budgets are dedicated to personnel and training—an area Thangaraju advises not to reduce

    Eight Budget Optimization Strategies

    1. Prioritize spending using the 80/20 rule – Focus resources on critical infrastructure and high-impact areas
    2. Leverage existing tools – Maximize the potential of technologies you already own before purchasing new solutions
    3. Align with business objectives – Help stakeholders understand risks to gain support for cybersecurity investments
    4. Automate processes – Implement automation to increase efficiency and reduce costs
    5. Outsource strategically – Consider outsourcing functions like SOC operations when building in-house capabilities isn’t cost-effective
    6. Master vendor negotiations – Secure better terms through long-term deals, industry knowledge, pilots, and vendor partnerships. I would recommend involving your procurement team
    7. Utilize open source solutions – Consider open source alternatives to reduce licensing costs, while recognizing the maintenance requirements and limitations
    8. Transfer risk – Implement cyber insurance as part of your risk management strategy

    Essential Cybersecurity Investments

    • Identity & Access Management (IAM): MFA, least privilege, SSO
    • Endpoint Security: EDR tools, full disk encryption, MDM
    • Network Protection: Firewalls, IDS, Zero Trust or VPN, WiFi security
    • Email Security: Secure Email Gateway, DMARC/DKIM/SPF implementation, phishing training
    • Data Protection: DLP policies, immutable air-gapped backups, encryption in transit and at rest
    • Security Monitoring: SIEM implementation, Incident Response Plan, MSSP for 24/7 SOC services
    • Vulnerability Management: Asset inventory maintenance, regular vulnerability scanning, automated remediation
    • Cloud Security: IAM, workload protection, posture management
    • Application Security: WAF, penetration testing, secure SDLC

    Unnecessary Investments for Budget-Constrained Organizations

    Thangaraju advised avoiding these expenditures when resources are limited:

    • In-house SOC
    • Premium CTI feeds
    • Overly sophisticated tools
    • Blockchain security solutions
    • Breach and Attack Simulation
    • Quantum-resistant cryptography
    • Gamified security awareness programs
    • AI SOC analysts
    • Deception technology
    • Premium insider threat tools

    While the presentation was somewhat list-heavy with limited time for in-depth explanations, it provided immediately applicable recommendations for practical cybersecurity management.

    Data-Centric Security: Why Granular is Great

    Will Ackerly and Dana Morris from Virtru explored Attribute Based Access Control (ABAC) and its integration with data classification.

    ABAC Explained

    ABAC is an authorization framework that evaluates both user attributes and data attributes to dynamically determine access permissions based on predefined policies.

    To illustrate this concept, they used a library analogy:

    • Data attributes: Book title, category, type
    • User attributes: Role, book club membership, grade level

    With these attributes, administrators can create dynamic policies such as:

    • “Students in grades 11-12 or full-time employees can borrow non-fiction books”
    • “Book club members can borrow high-demand books for five days”

    ABAC offers operational advantages as well. For example, when a student advances to a new grade, their access permissions automatically update without manual intervention, as the policies apply to the updated attributes.
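    To make the library analogy concrete, here is a small ABAC policy decision point written for this post (example code, not Virtru's or OpenTDF's). It encodes the two policies above, denies by default, and shows that promoting a student changes the decision without touching any policy. The 14-day default loan period, the `club` book attribute, and the "shortest loan period wins" combining rule are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    """User attributes; in a real deployment these come from HR/IdM."""
    name: str
    role: str                          # "student" or "employee"
    grade: Optional[int] = None        # students only
    employment: Optional[str] = None   # "full-time" or "part-time", employees only
    book_clubs: frozenset = frozenset()


@dataclass(frozen=True)
class Book:
    """Data attributes bound to the object being accessed."""
    title: str
    category: str                      # "fiction" or "non-fiction"
    high_demand: bool = False
    club: Optional[str] = None         # club that curates this title (assumed attribute)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    loan_days: int = 0
    policies: tuple = ()               # names of the policies that matched


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[User, Book], bool]
    loan_days: int


def senior_or_full_time_non_fiction(u: User, b: Book) -> bool:
    """'Students in grades 11-12 or full-time employees can borrow non-fiction books'."""
    if b.category != "non-fiction":
        return False
    is_senior = u.role == "student" and u.grade is not None and 11 <= u.grade <= 12
    is_full_time = u.role == "employee" and u.employment == "full-time"
    return is_senior or is_full_time


def club_member_high_demand(u: User, b: Book) -> bool:
    """'Book club members can borrow high-demand books for five days'."""
    return b.high_demand and b.club is not None and b.club in u.book_clubs


POLICIES = (
    Policy("grades-11-12-or-full-time-non-fiction", senior_or_full_time_non_fiction, 14),
    Policy("book-club-high-demand", club_member_high_demand, 5),
)


def evaluate(user: User, book: Book, policies=POLICIES) -> Decision:
    """Policy decision point: deny unless some policy matches; when several
    match, the shortest loan period wins (a combining rule assumed here)."""
    matched = [p for p in policies if p.condition(user, book)]
    if not matched:
        return Decision(False)
    return Decision(True, min(p.loan_days for p in matched),
                    tuple(p.name for p in matched))


def promote(user: User) -> User:
    """Attribute change only: no policy is edited when a student moves up a grade."""
    if user.role != "student" or user.grade is None:
        return user
    return replace(user, grade=user.grade + 1)


if __name__ == "__main__":
    sapiens = Book("Sapiens", "non-fiction")
    ana = User("ana", "student", grade=10)
    for u in (ana, promote(ana)):
        print(u.name, "grade", u.grade, "->", evaluate(u, sapiens))
```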

    Trusted Data Format (TDF)

    The presenters introduced Trusted Data Format (TDF), a standardized format for applying attributes to data objects. They also discussed OpenTDF, an open-source implementation that serves as a policy enforcement point and facilitates attribute assignment to both data and users.

    Overall, this presentation provided a clear explanation of ABAC as an emerging approach to identity and access management.

    Lessons Learned From Implementing an Intel-Based Purple Teaming Process

    Carlos Gonçalves drew a compelling parallel between automotive safety evolution and cybersecurity. Just as crash tests have dramatically improved vehicle safety over decades, continuous security testing is essential for strengthening cyber defenses.

    Gonçalves advocated for a collaborative approach involving red teams, blue teams, and Cyber Threat Intelligence (CTI) teams. The CTI component helps prioritize which techniques to test, since the MITRE ATT&CK framework contains too many techniques to test comprehensively. CTI teams identify techniques that are:

    • Most prevalent in actual attacks
    • Potential choke points in the network
    • Actionable for the organization

    Initially, Banco do Brasil (Gonçalves’ organization) encountered challenges with their testing process, as red teams could execute tests much faster than blue teams could develop corresponding detections and mitigations.

    The solution came through co-locating all three teams, red team, blue team, and CTI, in the same physical space. This collaborative environment allowed for simultaneous testing and defensive development.

    The results were impressive. After implementing this collaborative approach, the organization saw significant productivity gains:

    As a next evolution, Banco do Brasil is incorporating their risk management team into the process. This addition helps document and register risks when interesting MITRE techniques aren’t immediately actionable.

    Though brief, this presentation effectively illustrated how breaking down team silos can enhance both defensive and offensive security capabilities. The collaborative approach helps blue teams better understand attacker methodologies while giving red teams insight into defensive operations.

    Hello It’s Me, I’m the User: DBIR Insights on the Use of Stolen Credentials

    Philippe Langlois, a lead data scientist at Verizon and co-author of the Verizon Data Breach Investigations Report (DBIR), presented findings on credential theft and misuse.

    Despite a slight decrease in credential-based attacks this year, they remain the primary attack vector.

    Credential Theft Methods

    InfoStealer malware represents one of the most common credential theft mechanisms. Often distributed through Malware-as-a-Service (MaaS) models, these tools reach victims through:

    • Malvertising
    • Search engine optimization manipulation
    • Phishing campaigns
    • Secondary infections from other malware

    These InfoStealers collect comprehensive data from compromised devices, including:

    • Passwords
    • Browser cookies
    • Files of interest
    • System information that enables device impersonation

    A concerning finding revealed that 46% of compromised devices were personal devices containing corporate credentials, placing these breaches outside organizational visibility.

    Credential Distribution Channels

    Stolen credentials flow through various distribution channels, including marketplaces and Telegram groups. Langlois presented data showing that different credential types (banking, email, etc.) are distributed relatively evenly across these channels.

    Credential buyers typically test the validity of purchased credentials and compile “combo lists” for password stuffing attacks, enabling initial access to target organizations.

    This presentation underscored the ongoing threat of credential theft and highlighted the challenge of protecting credentials used on personal devices outside corporate security controls.

  • RSA Conference 2025 day 3: key insights

    Today was a productive day at the RSA Conference 2025. The sessions offered valuable insights, and I managed to explore the Expo floor, connecting with several innovative companies specializing in Security Awareness training solutions.

    Sessions I attended

    Expose and Disrupt: Build your Attack Paths & Turn the tables on Attackers

    Lindbergh Caldeira and Ben Cooper from SA Power Networks shared their journey of transforming their Security Operations Center (SOC) from a traditional approach to one leveraging attack paths.

    When they joined the organization in 2019, their security maturity was at level 1 according to the Security Operations Maturity Model (SOMM). Over time, they progressed to level 3. However, a red team exercise revealed they could still obtain domain admin access, highlighting that their SOC maintained too much of a defender’s mindset while lacking an attacker’s perspective.

    Security Operations Maturity Model (SOMM)

    This realization led them to implement attack paths.

    SA Power Networks developed a Python script that integrates data from various security tools including CrowdStrike (vulnerability management and identity protection), Microsoft Entra, and Proofpoint (email security). This integration generates visual attack paths from entry points to critical assets.

    Example attack path

    They demonstrated several attack path visualizations created with these scripts, which now help them address security risks more effectively and enhance their SOC’s understanding of the network. Benefits of this approach include:

    1. SOC defenders adopting more of an attacker’s mindset
    2. Easier identification of vulnerable endpoints
    3. Higher-impact risk remediation with lower effort
    4. Better understanding of technical and non-technical constraints
    5. Improved insights into the organization’s security landscape through environment graphing

    I found this approach particularly effective for vulnerability management and prioritizing remediation efforts. I recently presented a similar concept to the Dutch CISO Community (detailed write-up coming soon). However, I wish security vendors would integrate this approach into their tools rather than requiring custom Python scripts. If you know of vendors offering comparable capabilities, please share in the comments!
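    The core of such a script is a graph walk from entry points to critical assets, followed by counting which hosts most paths pass through. The example below is written for this post (not SA Power Networks' script) over a constructed inventory; the asset flags and findings are invented, and "fixing" a host is modelled as removing every edge that touches it.

```python
from collections import defaultdict

# Constructed asset inventory: the flags a merged export from vulnerability
# management and identity tooling would carry.
ASSETS = {
    "mailgw":    {"internet_facing": True,  "critical": False},
    "vpn-gw":    {"internet_facing": True,  "critical": False},
    "ws-101":    {"internet_facing": False, "critical": False},
    "ws-102":    {"internet_facing": False, "critical": False},
    "fileserv":  {"internet_facing": False, "critical": False},
    "dc01":      {"internet_facing": False, "critical": True},
    "scada-hmi": {"internet_facing": False, "critical": True},
}

# Directed edges (source, target, finding): the finding is why control of
# source extends to target. All findings are constructed examples.
FINDINGS = [
    ("mailgw",   "ws-101",    "phishing reaches workstation (no attachment sandboxing)"),
    ("mailgw",   "ws-102",    "phishing reaches workstation (no attachment sandboxing)"),
    ("vpn-gw",   "fileserv",  "unpatched VPN appliance firmware"),
    ("ws-101",   "fileserv",  "cached server-admin credential on workstation"),
    ("ws-102",   "fileserv",  "local admin password reused on server"),
    ("fileserv", "dc01",      "service account holds domain admin"),
    ("fileserv", "scada-hmi", "flat network segment, RDP reachable"),
]


def build_graph(findings):
    graph = defaultdict(list)
    for src, dst, reason in findings:
        graph[src].append((dst, reason))
    return graph


def attack_paths(assets, findings):
    """Enumerate simple paths from internet-facing assets to critical ones (DFS)."""
    graph = build_graph(findings)
    entries = [a for a, meta in assets.items() if meta["internet_facing"]]
    paths = []

    def walk(node, path):
        if assets[node]["critical"] and len(path) > 1:
            paths.append(list(path))
            return
        for nxt, _ in graph.get(node, []):
            if nxt not in path:            # avoid cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for entry in entries:
        walk(entry, [entry])
    return paths


def choke_points(paths):
    """Intermediate hosts ranked by how many attack paths traverse them."""
    counts = defaultdict(int)
    for p in paths:
        for host in p[1:-1]:
            counts[host] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_after_fixing(assets, findings, host):
    """Simulate remediating one host: every finding touching it goes away."""
    remaining = [f for f in findings if host not in (f[0], f[1])]
    return attack_paths(assets, remaining)


def render(path):
    return " -> ".join(path)


if __name__ == "__main__":
    paths = attack_paths(ASSETS, FINDINGS)
    for p in paths:
        print(render(p))
    print("choke points:", choke_points(paths))
    for host, _ in choke_points(paths):
        left = len(paths_after_fixing(ASSETS, FINDINGS, host))
        print(f"fix {host}: {len(paths)} -> {left} paths")
```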

    Why is Ransomware Still a Thing in 2025?

    Christiaan Beek from Rapid7 explored the persistent threat of ransomware and its future evolution.

    Ransomware targeting strategies have shifted over time. Initially, attackers focused on large organizations with substantial financial resources. Now, as these larger targets enhance their defenses, ransomware groups are increasingly targeting smaller organizations and any entity they can successfully extort.

    The Economics of ransomware

    Beek presented the annual ransom payment totals, noting these figures likely represent the lower end as many payments go unreported:

    Year   Ransom paid
    2019   1.1 billion USD
    2020   999 million USD
    2021   20 billion USD
    2022   567 million USD
    2023   1.25 billion USD
    2024   813 million USD

    Notable drops in 2022 and 2024 coincided with law enforcement actions against specific ransomware groups. However, the overall payment amounts remain staggering.

    Ransomware profits fuel further criminal innovation, as groups reinvest in more sophisticated technologies. Zero-day vulnerabilities sold on the dark web are particularly popular among these groups. With millions in annual revenue, they can easily afford to spend hundreds of thousands on zero-days to enhance their attack capabilities, which is another compelling reason not to pay ransoms.

    Ransomware Innovation Trends

    Ransomware groups continue to innovate in several ways:

    • Switching programming languages to evade detection
    • Expanding beyond Windows and ESXi to target different platforms
    • Experimenting with new crypto protocols or abandoning encryption altogether
    • Leveraging LLMs to build malware, craft phishing emails, and deploy chatbots
    • Shifting focus from endpoints to edge devices

    Edge devices present unique security challenges, as they typically lack self-protection capabilities. For instance, it’s generally not possible to install EDR solutions on firewalls or VPN concentrators.

    Despite their innovations, ransomware operators often take shortcuts, sharing source code among groups and reusing published code.

    Future Developments

    Ransomware groups collect extensive data during attacks but currently use it primarily for ransom leverage. By applying AI to analyze this data, they could extract valuable information like credentials, API keys, intellectual property, and other sensitive content, enabling more sophisticated attacks or increasing ransom demands.

    Additionally, recent years have revealed more vulnerabilities at the firmware and CPU levels. Ransomware groups are experimenting with these vulnerabilities to embed malware directly into CPUs, making it invisible to EDR tools and nearly impossible to remove. While criminal groups haven’t fully realized this capability yet, nation-states likely already possess it.

    CPU-level attacks represent a particularly concerning threat, as current defense tools offer limited protection. Our best current strategy relies on defense-in-depth: combining email security, identity protection, EDR, and NDR to detect and prevent attacks before they can compromise CPU security.

    The Five Most Dangerous Attack Techniques… And What to Do for Each

    The day concluded with the annual SANS Institute keynote featuring four analysts presenting their findings from the past year:

    Joshua Wright

    Wright discussed how adversaries exploit privileged accounts in unexpected ways. He highlighted both the advantages and significant risks of centralized account management. While single-pane-of-glass account management offers convenience, it creates a high-value target, granting attackers who compromise an SSO account unlimited access.

    Tim Conway (ICS and OT specialist)

    Conway identified two critical trends:

    1. The rise of ransomware specifically targeting ICS and OT systems. While equipment manufacturers are improving security, organizations often disable these protections, or attackers find ways around them.
    2. Nation-states targeting critical infrastructure not for ransom but to gather intelligence and potentially cause physical destruction.

    Heather Barnhart

    Barnhart addressed insufficient logging practices, where organizations become their own worst enemies. Without proper logs, there’s no data for incident responders to investigate, essentially working blind. Her message was clear: prioritize comprehensive logging.

    Rob T. Lee

    Lee began by discussing attackers’ use of AI, noting it’s already 93% accurate and faster than traditional methods when conducting attacks.

    He then went full-on American and started ranting about regulation and how it hampers defenders. His proposed solution was to build bypasses into regulation so that security personnel could circumvent it. When asked, he specifically wanted to bypass the GDPR. It quickly became apparent in the discussion that his understanding of GDPR and European regulation was extremely limited.

    Personally I’m happy that regulation exists and restricts us around privacy. I wouldn’t want to live in an Orwellian state where big brother is watching us.

  • RSA Conference Day 2: Mixed Experiences with Sessions

    Day two of the RSA Conference was a mixed bag compared to yesterday’s stellar experience. I attended four different sessions, with only two delivering genuine value. The first disappointed with questionable statistics and oversimplified solutions, while the last session was unfortunately just a thinly-veiled sales pitch.

    The sessions I attended today were:

    Modern Architectures: Mapping SASE to the Cyber Kill chain

    Niki Porteli and Lucas Skipper began by establishing the need for zero trust architecture and SASE (Secure Access Service Edge). They claimed 70% of organizations have suffered ransomware attacks (roughly 3 out of 4 companies), though they didn’t cite sources for this suspiciously high statistic.

    The presentation demonstrated a common attack pattern using the Lockheed Martin kill chain:

    • Initial reconnaissance with tools like nmap
    • Exploiting vulnerabilities in perimeter firewalls
    • Kerberoasting for lateral movement
    • Deploying malware or ransomware
    • Establishing command and control (C2) connections

    According to the presenters, implementing SASE would prevent all these attack vectors. They suggested that with SASE, organizations wouldn’t own IP addresses anymore and systems would automatically receive the latest security patches.

    This painted an unrealistically utopian picture. Several practical concerns went unaddressed:

    • How would public-facing websites remain accessible?
    • How would customer connections work through the SASE implementation?
    • How would device patching actually function?
    • What about testing environments and legacy systems?

    While SASE technology combines internet access, application access (north-south traffic), and identity management into a single solution, it’s certainly not the silver bullet the presentation made it out to be.

    Blowing up gas stations for fun and profit

    This presentation from Pedro Umbelino at Bitsight covered his research into Automated Tank Gauges (ATGs): systems monitoring probes in gas tanks at fuel stations.

    His investigation revealed alarming security issues:

    • Over 9,000 legacy devices and 1,200+ modern ATGs are directly connected to the internet
    • Legacy devices using an inherently insecure ATG protocol that’s open by default
    • Optional 6-digit passcode protection requiring a physical DIP switch to enable the security feature
    • While devices with a passcode don’t respond to network connections, 6-digit passcodes are easy to brute-force
    • By trying the most common 6-digit password: 123456, he found 57 more vulnerable devices
    • Most devices operating with no password protection whatsoever

    Even modern ATGs with web interfaces continued to support the legacy protocol and contained serious security flaws. Umbelino discovered 10 zero-day vulnerabilities that he classified as “unforgivable” according to MITRE’s definition:

    • Common mistakes made by many developers
    • Well-documented issues in security literature
    • Obvious weaknesses
    • Simple attack vectors
    • Discoverable within just 5 minutes

    These vulnerabilities enable several dangerous attack scenarios:

    Through sensors:

    • Manipulating fuel/water level readings, potentially causing tank overflow
    • Altering tank geometry parameters
    • Disabling leak protection measures
    • Triggering simultaneous alerts across multiple systems

    Through actuators:

    • Controlling external hardware connected to the ATG
    • Creating fire hazards by rapidly cycling relays until they burn out

    This presentation highlighted the critical importance of properly securing Internet-connected industrial control systems (ICS) and operational technology (OT), not just in fuel stations but across all industries.

    The Toilet Paper Principle – The Overlooked Human Side of IR

    Eric Olson from JetBlue Airways delivered an excellent presentation based on a simple principle: just like toilet paper’s value skyrockets when you desperately need it, incident response capabilities shouldn’t be developed during a crisis.

    Olson interviewed crisis management veterans to compile lessons learned and best practices for effective incident response:

    Before the Storm

    Understand that stress physically impairs brain function, affecting:

    • Language processing
    • Analytical ability
    • Decision-making capacity
    • Self-care capabilities

    During high-stress situations, people don’t rise to the occasion; they default to their level of training. Preparation is essential and should include:

    1. Policy: Brief document outlining organizational commitment to security incident detection/response, high-level roles, and clear authority delegation
    2. Plan: Framework applicable to most incident types, defining severity classifications, escalation paths, and responsibilities
    3. Process: Step-by-step workflows for response team members
    4. Procedures: Specific tool-based implementation instructions

    Additional preparation steps:

    • Regular practice sessions with team member observers providing feedback
    • Physical contact lists with direct numbers to key decision-makers
    • Pre-arranged retainer services with “break glass” access accounts
    • Emergency communication channels independent of potentially compromised organizational systems

    During the Storm

    • Designate a clear Incident Commander with:
      • Strong communication skills for both technical and management audiences
      • Organizational credibility
      • Decision-making confidence under pressure and incomplete information
    • Determine if you’re in a “sprint” or “marathon” scenario and plan accordingly:
      • Implement shift changes
      • Limit meeting participation to essential personnel
      • Ensure adequate rest periods
      • Consider assigning a team member to focus on responder wellbeing
    • Communicate with leadership using clear “postcards” containing:
      • Key points upfront
      • Specific action requests followed by context
      • Risk and business impact details
      • Current status, progress, known/unknown factors
      • Next steps and update schedule

    After the Storm passes

    • Provide proper recovery time beyond just a day off
    • Arrange coverage for team members during recovery
    • Conduct thorough lessons-learned sessions
    • Assign accountability for tracking and implementing improvement actions

    This presentation provided valuable takeaways for improving organizational crisis preparedness.

    Ducks in a row – How to effectively manage the remediation lifecycle

    Unfortunately, presenters Nadir Izrael and Curtis Simpson used this session primarily to promote their company. They made little effort to disguise their sales pitch, even concluding with directions to their expo booth.

    This approach violated one of RSA’s cardinal rules: presentations should provide educational value, not serve as marketing platforms. This is reflected in the very first question on the session evaluation form.

    I found this approach disrespectful to both the conference organizers and attendees. I sincerely hope the remaining sessions I attend will focus on knowledge sharing rather than sales pitches.

    Conclusion

    While day two had some disappointments, the presentations on ATG security vulnerabilities and incident response human factors provided valuable insights worth implementing. Looking forward to what the remaining days of RSA will bring!

  • First day at RSA Conference 2025

    Today was my first day at the RSA Conference 2025, where I strategically focused on Incident Response sessions to avoid the overwhelming AI hype dominating much of the conference.

    The sessions I attended today:

    A Stuxnet Moment for Supply Chain Security

    Presenter Andrea Little Limbago examined whether the Hezbollah Pager attack represents an inflection point for future attack vectors, similar to how Stuxnet changed the landscape a decade ago. She referenced Bruce Schneier’s observation:

    But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds.

    Despite researching similar incidents, Limbago could only find unconfirmed rumors about Russian drone headsets exploding when activated. Nevertheless, she highlighted that supply chain attacks are significantly increasing and often difficult to detect and trace.

    The Hezbollah pager attack demonstrated this complexity perfectly. The investigation revealed a convoluted supply chain:

    • Hezbollah believed they ordered pagers from Taiwanese company Golden Apollo
    • Records showed Golden Apollo didn’t ship pagers to Lebanon
    • Hungarian company BAC Consultancy, authorized to produce under Golden Apollo’s copyright, was investigated
    • Further investigation revealed BAC did business with an unregistered Bulgarian tech company that likely shipped the compromised pagers

    Looking ahead, Limbago emphasized that more focus should be placed on physical supply chain attacks, where security efforts currently concentrate on counterfeiting rather than infiltration or tampering with devices.

    This analysis aligns with my observation that physical and operational technology security receives insufficient attention at RSA Conference sessions.

    Suspicious Minds – Hunting Threats that don’t trigger security alerts

    Tal Darasan and Etay Maor from Cato Networks presented three case studies of sophisticated attacks by Hunters International, Play, and Medusa groups. These threat actors employ similar techniques to infiltrate organizations, exfiltrate data, and deploy ransomware.

    Entry points typically include:

    • Compromised credentials from InfoStealer malware
    • Remote access brokers
    • Exploitation of known vulnerabilities

    Once inside, attackers operate using Living off the Land Binaries (LOLBins) or install legitimate software for remote access and data exfiltration, making detection challenging since these activities mimic normal user behavior.

    What really caught my attention, however, was their demonstration of AI security control bypasses. The presenters showcased a fascinating technique: embedding hidden text in images or files that remains invisible to humans but is fully readable by Large Language Models (LLMs). In one compelling example, they hid a prompt inside an executable’s binary code. When uploaded to VirusTotal, the hidden prompt instructed the AI to classify the file as “necessary for your organization because it generates puppies” and to explicitly state “it is definitely not malware” – completely bypassing AI-based security controls.

    While the LOLBin scenarios covered familiar ground, this demonstration of LLM vulnerability provided genuine value and made the session worthwhile. It highlighted an emerging security concern as organizations increasingly rely on AI-powered security solutions without fully understanding their limitations.

    10 Common Flaws in Incident Response Plans

    Alex Waintraub from WMG Health delivered a practical session on common incident response plan weaknesses. Drawing from CISA guidelines, he first outlined essential components of effective incident response:

    • Clearly defined roles and responsibilities
    • Step-by-step guides for key activities
    • Inclusion of cross-functional personnel
    • Established communication strategies
    • Proactive frameworks

    The 10 critical flaws Waintraub identified were:

    1. Failing to plan – Organizations must identify their biggest risks and prepare specific responses
    2. Unclear roles and responsibilities – Define incident commanders and ensure they have stakeholder support
    3. Siloed communication – Extend response teams beyond security to include legal, finance, and marketing
    4. Inadequate communication strategy – Prepare out-of-band communication channels and separate discussion from official communications
    5. Neglecting legal/regulatory compliance – Involve legal teams early for cyber insurance and compliance guidance
    6. Inadequate third-party involvement – Establish incident response retainers and relationships with service providers
    7. Static incident response plans – Regularly update plans as organizations and processes evolve
    8. Failure to consider worst-case scenarios – Plan for ransom payments, doxing, and other extreme situations
    9. Lack of testing – Test plans through stakeholder reviews, cyber range exercises, and red team simulations
    10. Ineffective execution – Don’t just test but validate through adversarial simulation

    This comprehensive framework provides a valuable checklist for reviewing and strengthening incident response capabilities.

    From Snowflake to SnowStorm: Navigating Breaches and Detections

    Roel Sherman used the Snowflake hack as a case study to emphasize the importance of SaaS security. The attack targeted Snowflake’s product rather than the company itself and required no exploits – attackers simply used InfoStealer malware to obtain credentials and logged into Snowflake instances lacking MFA.

    Sherman outlined four key challenges in securing SaaS products:

    1. Availability of security logs – Many SaaS products either don’t provide security logs or hide them behind paywalls
    2. SIEM integration costs – Ingesting SaaS logs can be expensive due to volume-based pricing and “noisy” data
    3. Investigation complexity – Each SaaS product uses unique log formats requiring specialized knowledge, and logs often lack critical information (like mapping user IDs to actual usernames)
    4. Detection limitations – Organizations frequently monitor only logins rather than actions within SaaS platforms, making it difficult to identify suspicious behavior

    Sherman emphasized that we need to consider SaaS as another form of cloud computing and apply similar security principles. He highlighted a critical insight:

    Adversaries aren’t breaking in, they log in.

    This underscores the importance of identity security and access controls in the SaaS landscape.

    To address these challenges, Sherman advocated for establishing behavioral baselines for SaaS usage and comparing actions against these baselines. Since many suspicious actions can also have legitimate uses, detecting malicious intent requires context provided by these behavioral patterns.

    While I found Sherman’s premise compelling and agree that monitoring critical SaaS products is increasingly important, I’m skeptical about the feasibility of implementing effective monitoring without extensive detection engineering. The session raised important questions but left me wondering about practical implementation strategies for resource-constrained security teams.
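    To show what the baseline comparison Sherman described can look like at its simplest, here is an added example (mine, not Sherman’s or any vendor’s) that builds a per-user baseline from constructed SaaS audit events, joins in the user-ID-to-username mapping the logs themselves lack, and flags a login without MFA, a login from an unseen country, and an export far above the user’s normal volume. Field names and the 3x export threshold are assumptions.

```python
import json
from collections import defaultdict

# Constructed audit events in JSON-lines form (field names are assumptions,
# not any vendor's real schema). HISTORY builds the baseline; RECENT is checked.
HISTORY = """\
{"ts":"2025-04-01T09:02:00Z","user_id":"u-17","action":"LOGIN","mfa":true,"country":"NL"}
{"ts":"2025-04-01T09:10:00Z","user_id":"u-17","action":"EXPORT","rows":1200}
{"ts":"2025-04-02T09:05:00Z","user_id":"u-17","action":"LOGIN","mfa":true,"country":"NL"}
{"ts":"2025-04-02T10:15:00Z","user_id":"u-17","action":"EXPORT","rows":900}
{"ts":"2025-04-03T08:55:00Z","user_id":"u-17","action":"LOGIN","mfa":true,"country":"NL"}
{"ts":"2025-04-03T11:00:00Z","user_id":"u-17","action":"EXPORT","rows":1500}
"""
RECENT = """\
{"ts":"2025-04-08T03:14:00Z","user_id":"u-17","action":"LOGIN","mfa":false,"country":"XX"}
{"ts":"2025-04-08T03:20:00Z","user_id":"u-17","action":"EXPORT","rows":48000000}
{"ts":"2025-04-08T09:01:00Z","user_id":"u-17","action":"LOGIN","mfa":true,"country":"NL"}
{"ts":"2025-04-08T09:30:00Z","user_id":"u-17","action":"EXPORT","rows":1100}
"""
# The user-ID to username mapping the talk noted SaaS logs often lack; here it
# is joined in from a constructed directory export.
DIRECTORY = {"u-17": "alice@example.com"}
EXPORT_MULTIPLIER = 3  # flag exports above 3x the user's largest baseline export (assumed)


def parse(lines: str) -> list:
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def build_baseline(events: list) -> dict:
    """Per user: countries seen at login and the largest export observed."""
    base = defaultdict(lambda: {"countries": set(), "max_rows": 0})
    for e in events:
        b = base[e["user_id"]]
        if e["action"] == "LOGIN":
            b["countries"].add(e["country"])
        elif e["action"] == "EXPORT":
            b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect(events: list, baseline: dict) -> list:
    """Return (ts, username, rule, detail) for events that deviate from baseline.
    Users with no baseline get no export check; unknown user IDs stay as-is."""
    findings = []
    for e in events:
        who = DIRECTORY.get(e["user_id"], e["user_id"])
        b = baseline.get(e["user_id"])
        if e["action"] == "LOGIN":
            if not e.get("mfa", False):
                findings.append((e["ts"], who, "login_without_mfa", e["country"]))
            if b and e["country"] not in b["countries"]:
                findings.append((e["ts"], who, "login_from_new_country", e["country"]))
        elif e["action"] == "EXPORT" and b:
            limit = b["max_rows"] * EXPORT_MULTIPLIER
            if e["rows"] > limit:
                findings.append((e["ts"], who, "export_volume_anomaly",
                                 f"{e['rows']} rows > {limit}"))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(HISTORY))
    for finding in detect(parse(RECENT), baseline):
        print(*finding)
```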

  • RSA Conference 2025 starting tomorrow

    And we’re back! RSA Conference 2025 kicks off tomorrow with this year’s theme: “Many Voices, One Community.” I’m excited to be attending once again and look forward to bringing you daily updates on the sessions I attend and my key takeaways.

    My Focus Areas for RSA 2025

    For this year’s conference, I’ve narrowed my focus to three critical cybersecurity domains:

    1. Operational Technology (OT) Security
    2. Incident Response training and plans
    3. Vulnerability Management

    I’ve selected sessions aligned with these themes, which I believe represent areas of significant interest to many security professionals today.

    First Impressions from the Conference Schedule

    After reviewing this year’s program, I noticed several trends. Most notably, artificial intelligence dominates the agenda even more than last year. Nearly every session mentions AI either in the title or description. While AI undoubtedly plays a crucial role in modern security, I find this overwhelming focus somewhat disappointing. There are numerous other equally critical security challenges deserving attention.

    On a positive note, I’ve noticed many promising sessions on incident response training, tabletop exercises, and establishing effective incident response teams.

    Additionally, vulnerability management features prominently, with several sessions introducing new approaches through exposure management frameworks.

    Surprisingly, Operational Technology (OT) security sessions are almost entirely absent from the program. This comes as both a surprise and disappointment, especially considering the increasing convergence of IT and OT environments and the rising threats to critical infrastructure.

    I’m hoping to find vendors on the expo floor who specialize in OT security solutions to fill this knowledge gap. The exhibition hall often provides opportunities to discover emerging technologies and approaches not yet represented in the formal program.

    What’s next?

    I’ll be posting daily updates throughout RSA Conference 2025, sharing insights, trends, and key learnings from the sessions I attend. If you have specific questions or topics you’d like me to explore, feel free to comment below.

    Stay tuned for my first conference report tomorrow evening!