#RSAC™ Conference Wraps 34th Annual Flagship Event with Many Voices, One Community. Read more: spr.ly/60102LUt2

We’re seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth token and full access to whatever’s in the victim’s Microsoft 365, Google Workspace, or AWS console. It’s a complete inversion of how things used to be. The endpoint, once the weakest link, is now usually the most monitored, most policy-enforced part of the infrastructure. You’ve got EDRs, SIEM integration, automation, threat hunting - the full stack. But attackers don’t need to touch it anymore. Instead, they go after the new soft spots: - Cloud platforms, where logging is limited, expensive, or off by default - Network devices and appliances, which are practically blind spots - obscure OSes, no EDRs, hard to monitor, hard to forensicate. - Embedded systems and IoT junk that no one really knows how to secure, but that sit in critical network paths. Cloud especially is a mess: - Logging tiers cost extra and the good stuff is behind paywalls. - Detection content is lacking, both from vendors and the community. - You don’t get memory dumps or full control like you do on endpoints. - You’re at the mercy of the provider when it comes to visibility and response. And that’s the shift: attackers aren’t hacking computers anymore. They’re hacking trust relationships, identities, and APIs. The whole idea of detection and response needs to evolve with that. Otherwise, we’re securing the hell out of endpoints while attackers happily fish through mailboxes and cloud shares from halfway across the planet.

Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got:

Barrenechea on integration: "With enterprise security you need to compose a solution. No company can do it all. All the (technology) partners in your ecosystem throw off security events, so you have to do it in a composable way, connecting disconnected islands." #OpenTextWorld

Barrenechea on @OpenText security strategy: "We’re here to make security as important as anything we do... We think it’s no longer human vs machine, it’s machine vs machine." #OpenTextWorld

It is notable that security is the dominant theme in the @OpenText multicloud integration strategy. #opentextworld

The full quote for accuracy (had to cut too much for the X word limit):

Barrenechea on AI: “Agents are going to make decisions on your behalf. This is going to make us uneasy... would you let a piece of software do that? I think you will, and we’ll give you the tools to do it.” #OpenTextWorld

Barrenechea: "We’re going to continue to extoll that security is job one… built all the way into the software, and it needs to work across multicloud." #OpenTextWorld

I really like how @OpenText CEO/CTO Mark Barrenechea highlights the value of #AI in the enterprise in his opening keynote: "Every organization has two proprietary gifts: talent and data... AI transforms the value of both of those gifts." #OpenTextWorld

Pleased to spend time with @OpenText & @OpenTextSec this week at #opentextworld Key Qs: Is this *really* a security company vs an information management co w/ security? Has the Micro Focus deal/integration been a force multiplier? @OmdiaCyber