About this time every year, the cybersecurity industry heads to “summer camp” in Las Vegas, heading to BSides, Black Hat, and/or DefCon. I attended Black Hat last week along with many members of the ESG cybersecurity team. Here are a few of my takeaways:
- The “vibe” has changed. There used to be a clear difference between Black Hat and its larger cousin, the RSA Conference. RSA has become an industry show where you talk about business relationships, M&A activities, and VC investments. Alternatively, Black Hat was always a practitioners’ show where the buzz centered on exploits, IoCs, and defensive tactics. Alas, billions of security dollars are taking their toll on poor Black Hat – there was a definite “hurray for the industry” vibe, fraught with banal cocktail parties, Merlot-drinking VCs, and ambulance-chasing vendors. The industry needs a cold shower to remember that its job is protecting critical digital assets, not celebrating 10-baggers.
- The scary factor. In a recent ESG research project, 76% of organizations claim that threat detection and response is more difficult today than it was 2 years ago. More than one-third (34%) say the volume and sophistication of attacks have increased, while 16% claim that the attack surface has grown. Both issues were front-and-center at Black Hat. For example, we are seeing attacks on cloud infrastructure like the theft of developer passwords on GitHub, break-ins on Amazon S3 buckets, and exploitation of IoT device vulnerabilities. None of the adversary tactics, techniques, and procedures (TTPs) are new, but the cybersecurity diaspora is being asked to safeguard more new stuff all the time. This imbalance is a recipe for disaster, and all CISOs should have a formal plan for bridging this gap.
- Everything is in play. Cybersecurity technology is installed everywhere – on hosts, networks, virtual infrastructure, in the cloud, etc. A lot of this infrastructure has been in place for years, but much has reached a point of obsolescence. Old AV software is being replaced by endpoint security suites instrumented with machine learning algorithms and EDR capabilities. Network security devices are giving way to virtual network security services that span physical, virtual, and cloud-based infrastructure with central management and distributed enforcement. Individual security analytics tools are coming together in security operations and analytics platform architectures (SOAPA). All these changes are muddying messages and confusing the industry at large. Rather than a security technology flea market, we need some clarity on new types of security technology architectures for the 2020s at next year’s shows (i.e., RSA and Black Hat).
While there is a lot of work ahead, all is not doom and gloom. Here are a few positive observations from Black Hat 2019:
- Application security is getting the attention it deserves. Agile development, DevOps, and cloud computing have finally forced the industry to confront a historical weakness – for the past 20 years or so, we’ve tended to bolt security on rather than bake it in. I’m seeing profound changes here with security moving rapidly into the CI/CD pipeline. It’s still early and application development is moving much faster than security knowledge, but at least we are heading in the right direction.
- The industry is making progress on security operations automation. Security operations has long suffered from too many point tools, a reliance on manual processes, and a shortage of skilled personnel. To address these problems, many CISOs have slowly moved beyond the basics of security operations automation. For example, there is a trend toward continuous red teaming combined with automated remediation actions. I even talked to one CISO who hired an “automation person” with no security skills. His job is to work with the sec ops team to discover and automate manual processes. I’m encouraged by stories like these that I heard at Black Hat.
- The MITRE ATT&CK Framework (MAF) has gained a lot of traction. For all the talk about artificial intelligence and machine learning technologies, the MITRE ATT&CK Framework is becoming ubiquitous in the enterprise. This can be extremely beneficial as it forces security professionals to think in terms of pervasive attacks and kill chains rather than individual events.
I’m a “glass half full” guy, so I’ll continue to attend Black Hat despite its growing superficiality. I guess I’ll attend DefCon in 2020 to experience some of the hacker culture again.