Black Hat 2017: Insightful, but too much hype

Like many others in the cybersecurity community, I attended Black Hat in Las Vegas last week. Here are a few of my thoughts on the show:

1. This was the 20^th edition of Black Hat, and it was absolutely packed. I’ve heard that attendance was up from last year, and I know that 2016 attendance set a record. Not to be crass, but you had to wait 10 minutes just to use the bathrooms between meetings. 

2. Congratulations to Alex Stamos, CSO at Facebook, for his insightful keynote presentation. Alex’s main point was that the cybersecurity community at large (i.e. professionals and the cybersecurity technology industry) must expand its role in several areas.

First, he talked about having more empathy for users. Second, he talked about focusing on harm rather than technical complexity of security. That’s a good idea, as most people care how security impacts them rather than the details behind the scenes. He also encouraged the community to become more diverse, adding different perspectives to the cybersecurity mix. It was too much to go through in this blog, but I found his overall messages to be spot on.

3. Allow me to paraphrase from Stamos’ keynote and add my own thoughts:

The industry has become far too obsessed on the zero-day problem (i.e. zero-day exploits) and isn’t paying enough attention to eliminating all the manual tasks and busy work we do as cybersecurity professionals. Oh, I agree that zero-days are a problem, but these attacks are the exception. We need to get better at bread-and-butter cybersecurity operations with improved processes, automation and orchestration. In other words, people REMAIN the weakest link of the cybersecurity chain. Addressing this problem should be a high priority for all CISOs.

4. In the 15 years I’ve worked in cybersecurity, there was never a time when just about every cybersecurity technology was in play. New types of endpoint security tools are usurping traditional antivirus. New security analytics tools are expanding and challenging SIEM platforms. Software-defined tools are pushing out tried-and-true network security controls. All this innovation is ultimately good news, but it makes security engineering and strategy especially challenging. CISOs should make sure security engineers keep an eye on innovation and maintain an open mind on vendors, form factors, and layered defense elements moving forward.

5. Similarly, software-defined network security is taking over at a gradual but steady pace. This doesn’t obviate the need for firewalls, IDS/IPS, and gateway appliances, but it does mean that volumes of these devices will shrink steadily over time. I’m especially bullish on workload/application segmentation technologies, as well as the movement toward a software-defined perimeter (SDP).

6. Cybersecurity professionals beware: Startup hype is out of control. It’s not an exaggeration to say that Sand Hill Rd. has its own PR machine, sock puppets, and fake news outlets all to get you to buy stuff so they make even more money. When dealing with highly funded startups, strong due diligence and caveat emptor should be followed with extreme care.

7. Kudos to a security analytics company named ProtectWise for its innovative 3-D virtual reality (VR) user interface. It’s goal? Change the security analytics model and use VR technology to attract gamers and millennials into cybersecurity careers. It’s a unique approach that’s worth checking out. 

8. Threat intelligence is making a big comeback, but not just in areas like IoCs. The superset issue here is digital risk—tracking threats associated with employees, business partners, brand reputation, executives, infrastructure, etc. across threat actors, the dark web, social media, chat groups, etc. Given the advanced skills needed to do threat intelligence analysis well, I believe at least 80 percent of organizations will look to service providers to help them address requirements here. This goes for threat hunting, as well.

9. Enough about machine learning and artificial intelligence (AI)! Note to cybersecurity technology vendors: CISOs care about what they need and why, and they delegate the how-to technicians much farther down in the organization. We need to do a better job of explaining why machine learning helps and in what areas. In other words, talk use cases rather than supervised modeling. 

10. I’m surprised there isn’t more IAM discussion at Black Hat, but I’ll bet there will be in the future. Today’s IT is all about connecting mobile users/devices to applications, data, and services in multiple locations. Identity must play a bigger role here.

11.  IBM’s John Burnham is the tannest man in the cybersecurity industry. He also held this title in the networking and telecommunications industries previously in his career.

12.  It was great sharing Mandalay Bay with SuperZoo, a trade show for pet suppliers. I believe the shows don’t align next year; I’ll miss the dog and cat presence at Black Hat. 

Finally, as it stands today, lots of security technology vendors really don’t understand how an enterprise cybersecurity organization works, and that’s a problem. Furthermore, vendors have their proprietary product integration plans, but few are thinking in terms of an open architecture such as ESG’s security operations and analytics platform architecture (SOAPA).

I get it that everyone’s trying to make money, but we are talking about safety and security here, not just compute, networking, and storage. Simply common standards and interfaces would make things a lot easier and a lot more secure. The community atmosphere at Black Hat would be the perfect place to work on this next summer.