Like many others in the cybersecurity community, I attended Black Hat in Las Vegas last week. Here are my thoughts on the show:
- This was the 20th edition of Black Hat and it was absolutely packed. I’ve heard that attendance was up from last year, and I know that 2016 attendance set a record. Not to be crass, but you had to wait 10 minutes just to use the bathrooms between meetings.
- Congratulations to Alex Stamos, CSO at Facebook, for his insightful keynote presentation. Alex’s main point was that the cybersecurity community at large (i.e., professionals and the cybersecurity technology industry) must expand its role in several areas. First, he talked about having more empathy for users. Second, he talked about focusing on harm rather than the technical complexity of security. Good idea as most people care how security impacts them rather than the details behind the scenes. He also encouraged the community to become more diverse, adding different perspectives to the cybersecurity mix. Too much to go through in this blog, but I found his overall messages to be spot on.
- Allow me to paraphrase from Alex’s keynote and add my own thoughts: The industry has become far too obsessed with the 0-day problem (i.e., 0-day exploits) and is not paying enough attention to eliminating all the manual tasks and busy work we do as cybersecurity professionals. Oh, I agree that 0-days are a problem, but these attacks are the exception. We need to get better at bread-and-butter cybersecurity operations with improved processes, automation, and orchestration. In other words, people remain the weakest link of the cybersecurity chain. Addressing this problem should be a high priority for all CISOs.
- In the 15 years I’ve worked in cybersecurity, there was never a time when just about every cybersecurity technology was in play. New types of endpoint security tools are usurping traditional AV. New security analytics tools are expanding and challenging SIEM platforms. Software-defined tools are pushing out tried-and-true network security controls. All this innovation is ultimately good news but it makes security engineering and strategy especially challenging. CISOs should make sure that security engineers are keeping an eye on innovation and maintaining an open mind on vendors, form factors, and layered defense elements moving forward.
- Similarly, software-defined network security is taking over at a gradual but steady pace. This doesn’t obviate the need for firewalls, IDS/IPS, and gateway appliances, but it does mean that volumes of these devices will shrink steadily over time. I’m especially bullish on workload/application segmentation technologies as well as the movement toward a software-defined perimeter (SDP).
- Cybersecurity professionals beware: Startup hype is out of control. It’s not an exaggeration to say that Sand Hill Rd. has its own PR machine, sock puppets, and fake news outlets all to get you to buy stuff so they make even more money. When dealing with highly funded startups, strong due diligence and caveat emptor should be followed with extreme care.
- Kudos to a security analytics company named ProtectWise for its innovative 3-D VR user interface. Its goal? Change the security analytics model and use virtual reality technology to attract gamers and millennials into cybersecurity careers. A unique approach that's worth checking out.
- Threat intelligence is making a big comeback but not just in areas like IoCs. The superset issue here is digital risk—tracking threats associated with employees, business partners, brand reputation, executives, infrastructure, etc. across threat actors, the dark web, social media, chat groups, etc. Given the advanced skills needed to do threat intelligence analysis well, I believe that at least 80% of organizations will look to service providers to help them address requirements here. This goes for threat hunting as well.
- Enough about machine learning and artificial intelligence! Note to cybersecurity technology vendors: CISOs care about what they need and why, and delegate the how to technicians much further down in the organization. We need to do a better job of explaining why machine learning helps and in what areas. In other words, talk use cases rather than supervised modeling.
- I’m surprised there isn’t more IAM discussion at Black Hat but I’ll bet there will be in the future. Today’s IT is all about connecting mobile users/devices to applications, data, and services in multiple locations. Identity must play a bigger role here.
- IBM’s John Burnham is the tannest man in the cybersecurity industry. He also held this title in the networking and telecommunications industries previously in his career.
- It was great sharing Mandalay Bay with SuperZoo, a trade show for pet suppliers. I believe the shows don’t align next year, so I’ll miss the dog and cat presence at Black Hat.
Finally, as it stands today, lots of security technology vendors really don’t understand how an enterprise cybersecurity organization works, and that’s a problem. Furthermore, vendors have their proprietary product integration plans but few are thinking in terms of an open architecture like ESG’s security operations and analytics platform architecture (SOAPA). I get it that everyone’s trying to make money, but we are talking about safety and security here, not just compute, networking, and storage. Simple common standards and interfaces would make things a lot easier and a lot more secure. The community atmosphere at Black Hat would be the perfect place to work on this next summer.