Black Hat USA 2016
July 30 - August 4, 2016 — Mandalay Bay, Las Vegas, Nevada
The retrospectives on Black Hat and its associated conferences agree on one thing—there’s reason for great concern about the security of the Internet and those who use it.
Now, at a security industry conference, this is hardly what the lawyers would call “an admission against interest.” It’s in the nature of the sector to be unusually aware of and sensitive to threats, and a high level of fear-uncertainty-and-dread has long provided the community with its background noise as well as much of its signal. Bear this in mind as you consider reports from Las Vegas.
It’s also important to bear in mind that commodity attacks continue to succeed. Enterprises have a lot to do, their resources aren't unlimited, and, for small and medium-sized businesses as well as for private individuals, it's easy to fall into a kind of learned helplessness in which whistling past the graveyard and hoping nothing happens becomes a default security posture.
So don’t neglect the obvious. If Cozy Bear and Fancy Bear really want to pwn your mom-and-pop shop, there’s probably not much you can do about it. But that doesn’t mean you should give up trying to keep out the skids and script kiddies. After all, they’re the ones probably rattling your locks.
There are also some reasons for optimism. Several people told us they’d seen signs that CISOs generally have rapidly become more sophisticated in their understanding of and approach to risk. “They’re really upping their game,” as one company observed to us.
TechCrunch reported that four concepts dominated the talk in Las Vegas: "Behavior Baselining" (for anomaly detection), "Active Response" (to be sharply distinguished from "hacking back," a concept finding less favor nowadays; active response means faster, more automated reaction to incidents), "Security Analytics" (especially in the service of vulnerability recognition and management), and "Public Key Cryptography" (which of course you're familiar with; this conference was nothing if not crypto-friendly). A lot of companies are talking these concepts up; they'd do well to consider how they might differentiate their offerings from the other companies doing the same. Investors want differentiation. Customers want ease of deployment and a low burden on scarce skilled labor.
And Black Hat was a really big show. The Denim Group, who have been attending Black Hat for a few years now, goggled at “just how bloody big this thing is. It's like RSA from six years ago. It's overwhelming for those of us who've been here for years.”
More coverage from Black Hat USA 2016:
- Keynote: the Hidden Architecture of Our Time
- Observations on the Evolution of the Threat
- A Role for Threat Intelligence
- Cyber Security as an Exercise in Risk Management
- Venture Capital and Early-Stage Security Start-ups
- What Industry Sees in Industry Trends
- Transitioning Technology from the Laboratory to the Market
- Building Software for Resilience
- Securing the Architecture as the Perimeter Vanishes
- Mobile Security
- A Role for Testing
- The Kaizen and the Dojo
- Security Advice for Security Conferences