Black Hat Boogie

I spent all of last week in Las Vegas at Black Hat 2015.  I used to pass on Black Hat but no longer – it is a great opportunity for getting into the cybersecurity weeds with the right people who can talk about evasion techniques, malware, threat actors, and vulnerabilities.  Alternatively, RSA Security conference conversations tend to center on things like IPOs, market trends, and PowerPoint presentations.

I made a list of a few Black Hat take-aways on my flight home from Las Vegas:

1. The burgeoning conflict between money and vulnerability disclosure.  As is common at Black Hat/Defcon, security researchers exposed numerous software vulnerabilities during presentations throughout the week.  This was expected but there is a bigger and more ominous trend I heard about in Vegas.  It has always been a common courtesy for security researchers to share major vulnerabilities (i.e. vulnerabilities that impact pervasive software like Oracle RDBMSs or the Windows OS, critical infrastructure technologies, common hardware, etc.) with vendors and government agencies before going public.  This lag time gives the good guys’ time to evaluate researchers’ claims and react if necessary.  Given the influx on money flowing into the cybersecurity market however, some researchers and VC-backed startups are eschewing this unwritten rule and going directly to the press to get the biggest PR bang they can.  Maybe it’s just me but I believe that this type of cybersecurity charlatanism is of questionable ethics at the very least.  In the near future, a highly-publicized vulnerability could put us all at risk. 
2. Endpoint battle royal.  A few years ago, the only people talking about endpoint security were AV vendors like Kaspersky, McAfee (Intel Security), Sophos, Symantec, and Trend Micro.  Now everyone seems to have skin in the game as evidenced by the parade of “next-generation” endpoint vendors at Black Hat.  Yes, the new kids on the endpoint block like Bit9, Digital Guardian, Invincea, Hexis Cyber Solutions, SentinelOne and Tanium are being measured by their detection efficacy, but I truly believe that the winners here will be the ones who can streamline incident response operations.  We’ll see, but the endpoint security game is certainly changing quickly. 
3. Cybersecurity recruiting and training hits the tradeshow floor.  I’ve been screaming about the cybersecurity skills shortage for years and even presented on this topic at RSA 2014 so I was extremely pleased to see real activity at Black Hat.  According to ESG research, 28% of organizations claim that they have a “problematic shortage” of cybersecurity skills today (note: I am an ESG employee).  This skills gap was not lost on Black Hat as a whole section of the show floor was dedicated to career enhancement and of course, Black Hat sessions were all about skills development.  Additionally, vendors like Accenture were actively recruiting new talent within their booth in the exhibitor hall.  Finally, kudos to the University of MD Baltimore for its consistent academic leadership and its proactive cybersecurity program marketing at Black Hat and many other infosec events.  Sigh, I wish my alma mater, UMass Amherst, demonstrated the same level of marketing and recruiting savvy. 
4. Threat intelligence sharing realities and rhetoric.  I’ve been wrapped up in threat intelligence sharing research for many months now and Black Hat only reinforced my viewpoints in this area.  The Vegas show demonstrated that there is lots of cyber threat intelligence out there but things are messy as everyone has their own names for malware and threat actors, TTP details vary, and attribution remains a hit-or-miss proposition.  Likewise, threat intelligence sharing is still hamstrung by manual processes, cybersecurity professional paranoia, and legal limbo.  If you want good threat intelligence, speak to the experts who live in this world (as I did at Black Hat), otherwise good luck.  Are they aware of this reality in Washington?
5. NSS labs brouhaha.  During the height of the Black Hat event, NSS labs released the results of its breach detection system testing, leading to a public debate on the test results, the merits of NSS’s testing process and the relative purity of the NSS business model.  Okay, but beyond NSS, there is an even bigger question looming:  Is single-product detection testing worthwhile anymore?  Most of the advanced cybersecurity shops I speak with are integrating multiple network and endpoint detection engines through APIs or aggregating detection tools and threat intelligence for incident response using integrated cybersecurity orchestration platforms (ICOPs) from Invotas, Phantom Cyber, or Resilient Systems.  As one CISO succinctly stated to me, “integration is the new best of breed.”  Synthetic tests may be an insightful data point but typical incident response processes rely on a multitude of tools, skills, and workflows.  To gain a real world perception on cybersecurity efficacy, infosec professionals should evaluate, test, and select products that offer the best fit for their unique networks, methodologies, organizations, and integration needs.  

One final observation and comparison between Black Hat and RSA.  In my humble opinion, there is an underlying, “hooray for technology” vibe at RSA each year.  This is to be expected since vendors announce new products and VCs crow about rounds of investment and IPOs across the halls of the Moscone Center.  On the other hand, Black Hat has a pronounced sophomoric ambiance in terms of personalities and pranks, but real discussions tend to be a lot more subdued, substantive, and cerebral than those that take place in San Francisco.  I tend to leave RSA with a sense of industry pride and a pocket full of business cards.  Upon exiting Black Hat, I’m usually scared to death.