The retrospectives on Black Hat and its associated conferences agree on one thing—there’s reason for great concern about the security of the Internet and those who use it.
Now, at a security industry conference, this is hardly what the lawyers would call “an admission against interest.” It’s in the nature of the sector to be unusually aware of and sensitive to threats, and a high level of fear-uncertainty-and-dread has long provided the community with its background noise as well as much of its signal. Bear this in mind as you consider reports from Las Vegas.
It’s also important to bear in mind that commodity attacks continue to succeed. Enterprises have a lot to do, their resources aren't unlimited, and, for small and medium-sized businesses as well as for private individuals, it's easy to fall into a kind of learned helplessness in which whistling past the graveyard and hoping nothing happens becomes a default security posture.
So don’t neglect the obvious. If Cozy Bear and Fancy Bear really want to pwn your mom-and-pop shop, there’s probably not much you can do about it. But that doesn’t mean you should give up trying to keep out the skids and script kiddies. After all, they’re the ones probably rattling your locks.
There are also some reasons for optimism. Several people told us they’d seen signs that CISOs generally have rapidly become more sophisticated in their understanding of and approach to risk. “They’re really upping their game,” as one company observed to us.
TechCrunch reported that four concepts dominated the talk in Las Vegas: "Behavior Baselining" (for anomaly detection), "Active Response" (to be sharply distinguished from "hacking back," a concept finding less favor nowadays, active response involves faster, more automated reaction to incidents), "Security Analytics" (especially in the service of vulnerability recognition and management), and "Public Key Cryptography" (which of course you're familiar with—and this conference was nothing if not crypto-friendly). A lot of companies are talking these concepts up; they'd do well to consider how they might differentiate their offerings from the other companies doing the same. Investors want differentiation. Customers want ease of deployment and a low burden on scarce skilled labor.
And Black Hat was a really big show. The Denim Group, which has been attending Black Hat for a few years now, goggled at “just how bloody big this thing is. It's like RSA from six years ago. It's overwhelming for those of us who've been here for years.”