
Five Insights on Network Security | RSA Conference 2017



Alibaba Cloud, the largest cloud computing platform in China, hosts data and applications for many companies. For enterprises in the tech industry, cloud computing has become backbone infrastructure. Cloud providers need to deliver highly reliable and highly available services to these enterprises while maintaining the integrity of their data and infrastructure.

For Alibaba Cloud, security is the cornerstone of a huge cloud city. Xiao Li, the first security engineer to join Alibaba in 2005, is the founder of Alibaba Cloud security team and shoulders the responsibility for overall protection.

Xiao Li is one of the few people standing at the crossroads of technology and strategy. He is always looking for the most advanced tools and talent all over the world to safeguard Alibaba Cloud from all threats. His insights on the trends of network security over the next one, five, or even ten years may have profound implications for the development of Internet security in China.

Xiao Li frequently appears in top security conferences all over the world, to stay on top of the latest changes in security technology. The RSA Conference, an annual meeting of global security vendors, is seen as a benchmark for the global security industry. The top 500 security vendors around the world will actively participate in sharing technology at RSA every year, and take the opportunity to find potential applications for their own latest technology.

Objectively speaking, global security technology is still centered on the United States. The countless US companies at RSA together paint a clear and vivid picture of the security community. This picture is an important reference for China, which is on the wrong end of a "generation gap" with the United States in terms of security.

Xiao Li, who just returned from RSA in San Francisco, brought back the latest trends drawn from the "land of Internet security". China's tech blog leiphone.com recently interviewed Xiao Li for the first time, asking him to share the latest "operational map" of Alibaba Cloud security.


<Image of Xiao Li>

Below is the transcript of Xiao Li's insights on network security.

I. In a country without a giant in the security industry, cooperation is key

Before describing the technology trends in this year's RSA, I would like to share a key word for the year, "cooperation." This word is not new or special, but it is the current overall trend in the security industry.

1. Security is "fragmented"

Security is a little different from other tech fields. In other fields of the Internet industry, it is common for one company to dominate 70% to 80% of the market share.

But I think that the field of security will not likely be occupied by giants. Why? Security is a ubiquitous concept since it applies to all fields in the internet industry. These fields are too broad, so it is impossible for a giant to say: my product is the best in all fields.

Even for security giants such as McAfee, Symantec, and Kaspersky, their revenue across the entire security market is still relatively small. What I see is that there is a "top company" in each segment of security industry.

Security for a company needs to be "fragmented", meaning that if the company wants to solve potential security issues on all fronts, then it will certainly have to implement different security products in different fields. According to my observations, each company needs security products in 5-10 different fields. For example:

• Intranet security: Security for PCs and mobile devices belonging to company employees.
• Data center security: Enterprise data reliability security for core business applications.
• System security: Enterprise office system (OA, CRM) security.
• Web security: External service network security.

As the saying goes, "a small leak will sink a great ship." A vulnerability in any facet of a company's business compromises its overall security. Under these circumstances, a company needs to apply products on every security front for coordinated, comprehensive protection.

2. Interconnecting logs and APIs is an important step for cooperation

As mentioned previously, "cooperation" is the buzzword in the 2017 RSA Conference. This shows that the security industry has also realized that cooperation is crucial.

Cooperation across security vendors, however, is frankly still quite lacking.

Taking data logs as an example, the networks, systems, and hosts all generate data logs, and summarizing and analyzing these logs can be used to attain overall security. However, the current log formats and standards of different security companies are different. The security field has even developed a special segment: horizontal management and analysis of security logs. Thus a big data security product, SIEM, has appeared. SIEM's first core competence is to translate the logs of various security products.

Due to the fragmentation and inconsistency of the logs, translating logs is inferior to using logs that are in the same format from the outset. Cloud computing is a very good opportunity to eliminate the gaps between different logs. The combination of security products can be made easier on the foundation of this unified API.

As a cloud computing service provider, we want to see that major security products can achieve unification of data, logs, and interfaces on our platform. In this way, users on our platform are nearly invulnerable.
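The "translation" step described above, as an added example that is not part of the interview or of any Alibaba Cloud product: three constructed log lines in different formats (a web access log, a host syslog line, a JSON firewall event) are normalized into one shared schema, and a correlation that no single product's log could support is run over the result. The formats, field names and IP addresses are assumptions made for the sample.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in three different formats (not real product output):
# a web server access log, a syslog line from a host, and a JSON firewall event.
SAMPLE_LINES = [
    ("web", '203.0.113.7 - - [10/Mar/2017:09:12:01 +0000] "POST /login HTTP/1.1" 401 512'),
    ("host", 'Mar 10 09:12:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2'),
    ("firewall", '{"ts":"2017-03-10T09:12:05Z","src":"203.0.113.7","dst":"10.0.0.5","dport":3389,"action":"deny"}'),
    ("web", '198.51.100.4 - - [10/Mar/2017:09:13:40 +0000] "GET /index.html HTTP/1.1" 200 2048'),
]

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')
HOST_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
                     r'Failed password for \S+ from (?P<ip>\S+)')

def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    outcome = "fail" if m["status"] in ("401", "403") else "success"
    return {"ts": ts, "source": "web", "src_ip": m["ip"], "outcome": outcome}

def parse_host(line, year=2017):
    # Classic syslog omits the year; the caller supplies it (an assumption for the sample).
    m = HOST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "host", "src_ip": m["ip"], "outcome": "fail"}

def parse_firewall(line):
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    outcome = "fail" if rec.get("action") == "deny" else "success"
    return {"ts": ts, "source": "firewall", "src_ip": rec["src"], "outcome": outcome}

PARSERS = {"web": parse_web, "host": parse_host, "firewall": parse_firewall}

def normalize(lines):
    """Translate every product's native format into the one shared schema."""
    events = []
    for source, line in lines:
        ev = PARSERS[source](line)
        if ev is not None:
            events.append(ev)
    return events

def correlate_failures(events, window_seconds=120):
    """Return source IPs that produced failures in at least two different products
    within the window: a view that no single product's log can give on its own."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "fail":
            by_ip[ev["src_ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        sources = sorted({e["source"] for e in evs})
        if len(sources) >= 2 and span <= window_seconds:
            hits[ip] = sources
    return hits
```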

II. Security products are fully turning into public cloud SaaS services

1. The first year of SaaS security service

The developmental trends of the security industry become apparent when you observe the main products released by major vendors in the RSA.

In the past, security vendors all over the world were selling static "boxes" for security. At the beginning of last year, vendors introduced customizable cloud services based on APIs. This year has seen most security vendors offering cloud security SaaS services based on the cloud.

This makes it apparent that SaaS security service has become an irreversible trend. Two examples:

• Fastly is a CDN vendor; they began to provide cloud security products this year.
• QUANTIL is also a CDN vendor that released cloud security products this year.

From this point of view, I can see the biggest difference between security development in the United States and China. According to my observations, the development of cloud computing in the United States is two years ahead of that in China.

The reason is the maturity of SaaS services. In the United States, public cloud-based SaaS services have become the main form of enterprise services, while SaaS services in China are not yet established and SaaS security services are also immature.

However, I strongly believe that public cloud computing services are the future trend of the Internet. I can give a personal example on this matter:

Two years ago I spoke with a Gartner analyst and asked him what he thought about the ratio of "public cloud" to "private cloud" in the future cloud computing market. In his estimation, half will be public cloud and half private cloud based on Spark or Hadoop.

This year, when I asked my peers in the security industry, all of them gave an estimate of 80% public cloud and 20% private cloud. Cloud solutions from the vendors also confirmed this view. Vendors who previously were strong proponents of private cloud are also moving to the public cloud.

Although some vendors are still developing the private cloud, I think the trend of public cloud has become very obvious in the United States. Boeing, the world's leading large aircraft manufacturer, has all of their core systems running on Microsoft's cloud computing platform.

When high-level security needs for large enterprises, banks, and government systems are on the public cloud, they undergo a rigorous assessment, where acceptance is based on the security of the "logical isolation zone" in the public cloud. Good, demonstrable results will enable other industries to quickly follow up and embrace the public cloud.

2. The "natural advantages" of public cloud security products are becoming more apparent

From my perspective, public cloud has at least three advantages:

1. Elastic Scaling
Public cloud can provide unlimited computing capacity and storage space.

2. Fast Iteration
Public cloud can be updated daily and quickly iterated. If a big company chooses a private cloud, there is no way to take advantage of the latest technologies and there is a risk of being left behind.

3. Data Interaction
Data intelligence is the trend of the future. Companies all process their own data in the early stage, while more companies will need data sharing analysis in the future. However, it is difficult for private cloud to interact externally. For example, Alibaba Cloud is developing its City Brain solutions that need to analyze more than 10 data sources simultaneously, which is only possible on public cloud.

My purpose in stressing the advantages of public cloud is not simply that our core business is in public cloud computing. It is also that public-cloud-based security products will be both accepted and preferred in the near future for their technological and usability advantages.

According to my observations, a lot of large security companies in China have migrated their products to the cloud, indicating that they are not only aware of but also accepting this trend.

III. People are talking about "data intelligence" everywhere

Data intelligence is one of the clearest trends I saw at RSA this year. Data intelligence has already found a large number of applications in industries like transportation, finance and so on. Secure data intelligence has also become a high ground for everyone.

Data intelligence, as I understand it, includes data-based machine learning and artificial intelligence. In the past, vendors were calling their products "Next Generation Firewall" and "Next Generation Terminal Security". This year, vendors are also claiming that their products are based on big data and artificial intelligence.

For example:

• Logtrust can collect data in all aspects of the enterprise in real time, and then use intelligent data analysis to give the security situation reports in real time.
• Splunk can index data from any application, server, or network device in real time for retrieval by the company.
• LogRhythm helps the enterprise monitor, analyze and resist network threats through data intelligence analysis.
• Cloudera helps users protect their core assets through data analysis.

Objectively speaking, data intelligence is also an inevitable result of technological development. When a company is fielding hundreds of millions of access requests, it is obviously impossible to determine whether or not each individual request is safe. Most people were using the rules established by experiences in the past, to filter illegal requests. However, as attackers have more and more advanced tricks up their sleeves, traditional filtering methods can be easily bypassed, so security researchers must find a new and automated way to recognize risks and attackers.

This must be achieved through data intelligence.

For example, Splunk, a well-known data intelligence company, has uniformly brought users' data (including hosts, systems, Web logs, etc.) into a big data platform to create engines that can analyze threats, and has become the best practice package for the industry.

UnifyID, another data intelligence company, won this year's RSA's start-up competition "Innovation Sandbox". The core of their business is to upload massive amounts of data from IoT devices to the cloud and use machine learning to determine which devices are credible to identify the person behind the device, and protect the system and data security.

The current trend across the industry is: the higher the sophistication of the security company, the more emphasis is placed on the application of data intelligence for security.

IV. The border and future of security

In addition to the direction that everyone is propagating at RSA, there are other directions for security that currently only involve a few prospective companies. On the one hand, their developmental directions may be the new trends for security in the future. On the other hand, these directions may not be correct or have no proven model. I am trying to provide my own judgment on these technology trends.

1. IoT security has huge potential

There is an obvious trend that supports this idea. In the past, the terminals people were interfacing with were mostly PCs. Nowadays, people are interfacing with new terminals: our mobile phones and other smart devices. In the future, people will interface with all IoT and IoE devices.

While everyone is optimistic about the security market in the IoT industry, few have considered themselves IoT-based security vendors at RSA. This is because IoT itself is only at the early stages of development and adoption. So I think the market for IoT security is not yet mature because IoT's own market has not been well established.

But I firmly believe this: the IoT market is similar to the security market, in that they are both fragmented fields. No single vendor's security solution can deal with all IoT security problems.

For example, automobiles are one of the largest and most complex terminals in the IoT market. Therefore, there may only be a handful of dedicated security vendors who can provide security solutions for automobiles. Furthermore, because of the uniqueness of the problems facing different fields, it can be difficult to apply these solutions to other fields. Smart home security, IPC security, and medical equipment security may not pose the same challenges as those of automobile security.

These fields are segmented, all solutions are not universal, and there may be different types of security demands even for the same IoT device. Enterprises are aware of this; some are even taking a proactive approach to unify these solutions. Take some of the more advanced companies for example:

• Covisint Corporation provides a security information exchange platform for multiple IoT devices.
• CyberOwl provides early warning and threat intelligence systems for IoT devices.

2. The mobile security market is lacking

The mobile security market refers to the mobile phone security market based on Android phones and iPhones. Although mobile terminals are already very popular, I think this market, in contrast to the IoT market, does not pose significant security requirements.

There were very few companies involved in mobile security among this year's RSA exhibitors, with less than 10 mobile security companies out of a total of 500 enterprises. This also supports my judgment.

I believe that 99% of the iPhones are not equipped with security software, and the anti-virus software on Android phones is also declining in importance and popularity. There is a reason behind this phenomenon.

The reason PC anti-virus software and security software is so developed is that PCs are fairly insecure and fall victim to a wide variety of viruses. Mobile terminals, however, are much less sophisticated than PCs. In terms of software, mobile phones are a step ahead in maturity as compared to PCs.

The iPhone is highly secure. After several years of evolution, security on Android phones is also relatively well developed. Mobile applications are also well regulated before being put on official app stores. Mobile phones typically have multi-factor authentication (MFA) enabled by default as well. Therefore, despite its importance, mobile security is less popular and the market is quite small.

The mobile security market was once rife with companies ready to innovate and take the lead, but now it appears that many of them are already "dead". In my opinion, there is little room for innovation or development in this field.

3. Cloud Access Security Broker (CASB) will expand the market

CASB refers to a field that has only just emerged over the past two years, specifically it refers to data security for SaaS services on the cloud. Simply put, enterprises may encounter data and privacy problems when accessing the SaaS service.

SaaS is ubiquitous. For example, Salesforce is the world's largest SaaS provider of CRM (Customer Relationship Management) and many companies around the world access its systems to manage customer resources. There are also many SaaS service providers in manpower management, such as Workday, which was listed in the United States before. Microsoft manages hundreds of thousands of people through SaaS services, and personal work will also require access to SaaS services like Office 365.

In the past, enterprises around the world only used local software. Now that they have access to cloud SaaS, new kinds of threats have emerged from the process of accessing them. This includes, but is not limited to, SaaS service security, cross-border uploads of sensitive information, and legal access.

Some security vendors have taken it upon themselves to solve these threats, for example:

• CipherCloud provides a full set of cloud encryption, monitoring, and private key management services.
• Skyhigh provides security protection for well-known SaaS systems such as Office 365, Salesforce, etc.
• CloudLock protects all purchased and independently developed cloud applications.

There will be a broad market for CASB, but according to my observation, the market for SaaS services in China will not exceed RMB 1 billion. Many companies are still not using SaaS services yet. Therefore, it may be too early to introduce CASB products at this stage in China.

CASB is also developing in the global market. One thing that's for sure is that the forms of CASB products are still changing.

A large number of CASB products are currently based on the APIs provided by SaaS providers (finance, customers and offices). According to the SaaS providers' data, this method relies heavily on the maturity and integrity of the APIs. If the data provided by the SaaS providers is incomplete, then CASB products' monitoring capabilities will suffer.

Based on this, some security vendors have chosen to use the traffic analysis method to obtain data this year. Because employees access the Internet through network interfaces, in fact, traffic at the interfaces is comparatively more comprehensive, so the latest trend is for CASB vendors to perform threat analysis based on network interface traffic.

4. Threat intelligence, UBA, security O&M automation

There are even more fields in addition to the clear technological trends above. But in my opinion, these fields are not final products, but more like technology facing security vendors.

1) Threat intelligence

Threat intelligence should face the security vendor rather than the end user. I don't think that end users are typically capable of using threat intelligence data effectively. Instead, the data should be analyzed by specialized security service vendors and implemented in their products.

For example, threat intelligence can be used on big data analytics platforms, WAFs, endpoint security, data security and more. As a result, I think threat intelligence that is directly facing end users may not work.

2) UBA

UBA (User Behavior Analytics) is used to analyze the user's general behavior from the perspective of enterprise users, and define the user's security level. Warnings can then be issued once abnormal behavior is detected. Such technology can also be applied to security products.
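The UBA idea described above, as an added example that is not from the interview or from any vendor's product: a per-user baseline (usual login hours, countries and devices) is built from a constructed login history, each new login is scored against the user's own baseline, the score is mapped to a security level, and an alert is raised at the medium and high levels. The history, weights and thresholds are assumptions made for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed login history (not real data): user, UTC timestamp, country, device id.
HISTORY = [
    ("alice", "2017-03-01T08:05:00", "CN", "laptop-a1"),
    ("alice", "2017-03-02T08:40:00", "CN", "laptop-a1"),
    ("alice", "2017-03-03T09:10:00", "CN", "laptop-a1"),
    ("alice", "2017-03-06T08:15:00", "CN", "phone-a2"),
    ("bob",   "2017-03-01T22:30:00", "US", "laptop-b1"),
    ("bob",   "2017-03-02T23:05:00", "US", "laptop-b1"),
    ("bob",   "2017-03-03T21:50:00", "US", "laptop-b1"),
]

MIN_BASELINE = 3                        # assumed: fewer logins than this gives no usable profile
LEVELS = ((5, "high"), (3, "medium"), (1, "low"))   # assumed score thresholds, highest first

def build_baselines(history):
    """Per-user profile: login hours seen, countries seen, devices seen, sample count."""
    profiles = defaultdict(lambda: {"hours": Counter(), "countries": set(), "devices": set(), "n": 0})
    for user, ts, country, device in history:
        p = profiles[user]
        p["hours"][datetime.fromisoformat(ts).hour] += 1
        p["countries"].add(country)
        p["devices"].add(device)
        p["n"] += 1
    return profiles

def score_event(profiles, user, ts, country, device):
    """Return (score, reasons); every deviation from the user's own baseline adds weight."""
    p = profiles.get(user)
    if p is None or p["n"] < MIN_BASELINE:
        return 1, ["insufficient baseline"]
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    usual_hours = {(h + d) % 24 for h in p["hours"] for d in (-1, 0, 1)}  # one hour of slack
    if hour not in usual_hours:
        score += 2
        reasons.append(f"unusual hour {hour:02d}")
    if country not in p["countries"]:
        score += 3
        reasons.append(f"new country {country}")
    if device not in p["devices"]:
        score += 1
        reasons.append(f"new device {device}")
    return score, reasons

def security_level(score):
    for threshold, name in LEVELS:
        if score >= threshold:
            return name
    return "normal"

def evaluate(profiles, event):
    """Score one login and decide whether it warrants a warning."""
    user, ts, country, device = event
    score, reasons = score_event(profiles, user, ts, country, device)
    level = security_level(score)
    return {"user": user, "score": score, "level": level,
            "alert": level in ("medium", "high"), "reasons": reasons}
```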

3) Security O&M automation

Security O&M automation is a more radical form of security management. As the name implies, this technology, still in its infancy, intends to achieve automatic, unattended security O&M. Similarly, this is not a form of final product. Some O&M automation solutions have already been released, but they may be combined with other products later on.

V. Grim performance by Chinese vendors at RSA

There were 30 security vendors from China in the RSA this year, including large vendors and many small vendors. But the general impression is that exhibition stands for Chinese vendors were generally barren.

I think the reason is that China's security industry is still not global. In short, the security products are not sold to foreign users.

This also reflects the differences between the security vendors in China and the United States.

For security vendors in the US, a company usually only concentrates on products in one field. For example, the American vendor Rapid7 only concentrates on one service, "Vulnerability Management", which is very specific. Palo Alto Networks focuses on firewalls, with its core capacity being "Traffic Resolution". Security vendors in China, on the other hand, generally cover multiple security fields. A top security vendor generally has 20-30 products.

One of the main reasons is that the market in China has not yet developed to the point where it can properly support a range of specialized security companies. Due to the scale, the current security market in China is still "sales dominated." That is to say, there are limited customers, but enterprises have to make more money, so they have to develop more products. Therefore, most companies only focus on quantity rather than quality.

Of course, the market depends on capabilities rather than sales. If a vendor wants to be a ten billion dollar security company in the future, it should be "the best in the world" in at least one aspect. However, being the best in one field means that the company typically does not have the resources to develop products for other fields.

Taking Alibaba Cloud Security as an example, our core task is to achieve the best platform stability possible, so the thing we need the most is "anti-DDoS". Accordingly, we must be the best in the world in anti-DDoS.

As for other services, we cooperate with the best IoT security companies, the best data security companies, the best Docker security companies, and the best threat intelligence companies in the world.

For security enterprises in China, there is a long way to go to be the best in the world at one thing. To see the day when exhibition stands for Chinese vendors are no longer deserted, we need to work hard.

Interviewer's notes

While China's top security companies are trying to expand business abroad, Xiao Li calmly points out the deficiencies. This calmness can be interpreted as the professional instinct of a security researcher; recognizing our strengths and weaknesses is good for expanding our businesses.

Public cloud SaaS security services, security data intelligence, IoT security, CASB, are four fields that Xiao Li holds in high regard. One thing these fields have in common is that the cyberspace elements (services, data, terminals) are frequently and securely connected.



Raja_KT February 10, 2019 at 1:03 pm

Good one. CASB should be taken solemnly as it sits between an organization's on-premises infras and a CSP's infra.