Take-aways from Black Hat USA 2018

Black Hat USA 2018 had record crowds, revealed a growing attack surface, and proved we have lots of work ahead.


I’m not sure how many people attended Black Hat USA in Las Vegas last week, but it surely felt like a record crowd. Optimistic attendees lauded the show for its threat research and focus on cybersecurity skills, while skeptics bemoaned Black Hat changes, disparagingly referring to the show as "RSA in the desert."

As for yours truly, my week was educational, albeit exhausting. I started early by participating in the CISO Summit on Tuesday where I hosted a panel on artificial intelligence (AI) and machine learning (ML) in cybersecurity. My week ended with a Thursday dinner brainstorming session on cybersecurity operations. There were dozens of formal and informal meetings in between. 

There was a lot to see and discuss at Black Hat — too much to elaborate on in a short blog. Nevertheless, here are a few things that stood out to me: 

  1. AI and ML are starting to come of age. During my panel discussion at the CISO summit, I asked the audience whether they had implemented AI/ML for cybersecurity, and only a few hands went up. This reinforces what ESG research indicates, that AI/ML for cybersecurity remains in its genesis phase. Still, some organizations (like those that participated in my panel) are getting a lot of value from the technology. In fact, my panelists were rolling their own algorithms. Why? As one panelist proclaimed, “Vendors don’t know my environment, requirements, or threat vectors. I do.” The panel came up with three recommendations: 1) Start slow, 2) Start now, 3) Ignore the industry hyperbole. I concur on all counts.
  2. There is a new and changing definition of endpoint security. For years, an endpoint in security terms meant a Windows PC, but this is no longer true.  Macs are a given, but the definition of endpoints now includes mobile devices, Linux systems, IoT sensors/actuators, cloud-based workloads, etc. Yes, all of these devices need security, but organizations now face a challenge in that device security will vary based upon the type of device, the role of the device, the capabilities of the device, the location of the device, the manageability of the device, and the user(s) of the device. All of this means that endpoint security is about to get a lot harder, and organizations will have to lean on technologies such as identity management, NAC, SDP, and security analytics to gain comprehensive protection. 
  3. The platform wars are in progress. Many of the vendors I met with (Check Point, Cisco, Cylance, Forcepoint, McAfee, Palo Alto Networks, Symantec, Trend Micro, and Webroot) have integrated their products together into platform solutions for threat prevention, detection, and response. With technical integration mostly done, they now must persuade cynical infosec pros to bet on a single company. Still, ESG research indicates that the industry is already leaning this way, as 62 percent of cybersecurity and IT pros believe that their organization would be willing to buy the majority of security technologies from a single vendor. The big challenge for these vendors, then, is to transition from transactional to solution selling, while working with customers on implementation projects that may take some time. Who has the chops to hold for strategic sales, customer hand-holding, and technical project planning? We shall see.
  4. The attack surface continues to grow in multiple directions. Cybersecurity is clearly a "one step up and two steps back" domain. We’re adding tools for AI and automation on one hand, but the attack surface continues to expand, driven by a quickly moving tsunami of new applications, devices, and infrastructure. The research was pretty scary, including hacks of aircraft, IoT devices, and even fax machines connected over POTS that have been in place for over 20 years. Black Hat may be getting bigger and more industry-centric as money flows into cybersecurity, but this type of research will ensure that the show remains relevant in the future.
  5. Organizations are driving haphazardly toward automation. Paranoid cybersecurity professionals hate the notion of automation, but they also realize they have no choice because it’s the only way to deal with growing scale and the global cybersecurity skills shortage. While automation seems inevitable, it’s clear to me that most organizations have no idea how to get beyond the basics here. This is where the industry has to step up and help organizations phase in automation over time. While automation technology abounds, service providers will likely make the biggest contributions — and profits — in the short term. 

Two other quick points: 1) There is a lot of work going into improving decision support for risk management, 2) Every aspect of cybersecurity technology is in play right now — there are no sacred cows. 

Boston can be hot in the summer, but it was 113 degrees in Vegas last week at one point. I’m glad to be home. 
