Threats, vulnerabilities and security complexity represent serious challenges for cybersecurity professionals

Last week’s Black Hat 2016 conference was a whirlwind of activity. Here are a few of my takeaways:

1. I kind of like Black Hat better than the RSA Conference. At Black Hat, you talk about the real challenges facing our industry and discuss intellectual ways to overcome them. At RSA, everyone throws buzz words at you and tells you how they solve all your problems. And maybe it’s because RSA is in San Francisco, but you can always count on the Sand Hill Road crowd to show up at RSA and let you know how rich they’ve become protecting all of our sensitive data. Black Hat is whiskey and grit; RSA is Merlot and PR messaging. In other words, the folks who really know, live and fight for cybersecurity are at Black Hat, while those looking to make money on cybersecurity are at RSA.

2. To truly understand the difference between Black Hat and RSA, look no further than the keynote speaker. Security researcher Dan Kaminsky kicked off Black Hat and talked about the need to enhance secure software development in an era of IT complexity and growing use cases. That’s as far from a vendor pitch as you can get—you could actually feel Dan bonding with the audience with a talk (i.e. sans PowerPoint) full of security geek speak.

3. Of course, there was the usual focus on the threat landscape, but I sensed an increased interest in software vulnerabilities, as well. This may be due to new exploits or all of the new software being written for cloud computing, mobile applications or IoT. I also had several meetings where the topic was return-oriented programming (ROP), a sophisticated exploit technique closely associated with software vulnerabilities. I’ll keep an eye on this.

4. There was a lot of discussion around problems associated with cybersecurity complexity, and I view this as a healthy development.
Let’s face it, most enterprise organizations base their cybersecurity defenses and monitoring capabilities on an army of disconnected point tools, and this strategy simply doesn’t scale to address today’s requirements. Cisco has been pitching this for a while, but it’s not alone—Fortinet described its security fabric, Intel Security talked about integration hubs such as ePO, DXL and TIE, and Symantec/Blue Coat described integration and strategic plans now that this deal has closed.

There was also a lot more chatter about things such as DevOps and API integration, especially with regard to incident response. This is the exact discussion the industry should be having.

5. On the technology front, there was an unbelievable amount of buzz about endpoint security. There truly is some great innovation going on with endpoint security, but I still believe most organizations haven’t really figured out what they need in this space. We need a much broader dialogue on endpoint security that includes use cases, mobility, existing security defenses and burgeoning requirements. Too many enterprises and technology vendors view endpoint security as a generic service that should be applied equally to all devices, but this is no longer the case given today’s risks. Someone needs to tell a better story here.

6. Finally, I’m more convinced than ever that we are still driving down the “on-ramp” when it comes to cybersecurity analytics based upon machine learning. In his keynote, Dan Kaminsky nailed this reality when he said the state of cybersecurity machine learning today is really a discussion featuring data scientists talking to other data scientists. So, we are building models that detect patterns, but we still need extremely knowledgeable subject matter experts to figure out if these patterns mean anything. Things are progressing for sure, but caveat emptor.

Black Hat is certainly riding the wave of cybersecurity growth—I heard there were 20,000 attendees this year.
In spite of this growth, Black Hat has maintained an authenticity that sets it apart. I hope this continues.