451 Research analyst key insight roundup: Black Hat 2019 week in Las Vegas
August 22 2019
by Scott Crawford, Fernando Montenegro, Daniel Kennedy, Garrett Bekker, Patrick Daly, Craig Matsumoto
The week of Black Hat/DEF CON in Las Vegas is more than just those two conferences alone. Several venues attract a large swath of the global information security (infosec) family for an event that spans a variety of interests. From research findings across a number of disciplines (seasoned with a liberal side of vendor hoopla) to something like an annual 'Gathering of the Tribe,' there's something for just about everyone at what we think of as 'security summer camp.' The week is never dull, and happenings there usually emerge that color the rest of the year for the security community.
The 451 Take
This year's gathering was bracketed by two events that set 2019 apart – neither of which took place in Vegas. Weeks before the conference began, Black Hat had to backtrack, taking the unusual step of withdrawing a named keynote speaker in the face of vocal controversy. Toward the end of the week, one of security's leading incumbent vendors got split and half-acquired by a bigger (and opportunistic) fish that had little association with infosec prior to last year. Both occurrences seemed to frame the year as a whole: political polarization beyond the realm of security interests, and more key indicators of the innovator's dilemma gripping security's incumbents. As we head into the closing months of 2019, our analysts share some of their key takeaways from the week, as well as observations that we expect to set the tone for the field in the months to come.
The week's conferences in context
In many ways, I saw Black Hat 2019 as being very similar to the RSA Conference: comparable conversations and vendors, albeit at a smaller scale. Still, there are two main differences worth calling out: With three community-focused events (BSides Las Vegas, The Diana Initiative and DEF CON) around or overlapping with it, Black Hat appears more integrated into the community than RSA; second, Black Hat content is more research-focused than RSA.
Content-wise, discussions around cloud security were plentiful, as was the need to better understand the existing environment. The increased importance of inserting security within DevOps was made abundantly clear by the keynote and additional presentations. Asset discovery was mentioned often, as were various efforts around prioritization. In that sense, the Kenna study proposing a more-efficient patching strategy seemed particularly interesting. – Fernando Montenegro, Principal Analyst, Information Security
Taking center stage: Secure software and application security
The 2019 Black Hat conference engendered controversy before it began when Congressman Will Hurd of Texas was disinvited from delivering the keynote talk for positions held outside of the sphere of information security. Sidestepping the politics, the 'fill in' Dino Dai Zovi (and those quotes are intentional) is likely better known to a security audience, especially those in the New York metro area. Although not a politician, Dai Zovi stayed on message like one, and unsurprising for a talk titled 'Every Security Team is a Software Team Now,' application security themes featured prominently, including discussions about federating more responsibility to software engineers (there are more of them than security people) and the benefits of automation.
While every security person becoming a full-stack developer might be too far out on the horizon to reasonably agree with, that is a quibble with an end state without disagreeing with the overall message. Our upcoming end-user research on Organizational Dynamics will bear out the underlying message: Application security is the second most commonly cited inadequacy when security managers are asked what skills are missing from their security teams. – Daniel Kennedy, Research Director, 451 Research: Information Security
Zero trust: Gaining awareness, sowing confusion
Like RSA earlier this year, and not surprisingly, zero trust was a common theme at Black Hat that has clearly entered the 'hype' phase. Most enterprises and vendors we speak with are still trying to wrap their arms around what zero trust actually means, and more important, how to go about addressing it.
For enterprises, the key issue is how to implement the principles of a zero-trust framework &– primarily, how to incorporate identity-based security more broadly – without completely disrupting their existing IT estate and starting over, since most lack the financial and technical resources to start over a la Google BeyondCorp. For vendors, the main issue is finding the right messaging and market positioning for a trend that is still in the very early stages. 451 Research data indicates that just 12% of firms have actually deployed zero-trust principles, while 61% have no current plans. – Garrett Bekker, Principal Analyst, Information Security
Asset inventory gains ground
Just ahead of this year's Black Hat, Qualys announced that its Asset Inventory application would be made free for all of its customers, taking a not-so-subtle shot across the bow of emerging asset management players like Axonius, the winner of this year's RSA Conference Innovation Sandbox. Using a combination of agent-based and passive scans, the app aims to discover and inventory all of an enterprise's existing assets across on-premises and cloud environments, including the organization's operational technology (OT) assets, container workloads and web applications. When combined with Qualys' vulnerability-scanning and patch management applications, Asset Inventory becomes a powerful tool for reducing an organization's overall exposure.
The move reflects a heightened enterprise need for visibility and control across increasingly diverse IT environments – long an enterprise need, but becoming more exacerbated by trends such as the introduction of a wide variety of 'smart' devices and technologies in the Internet of Things, as well as the integration of IT and OT. As Axonius' win at RSA demonstrates, the problem of asset management has experienced renewed interest and investment of late given the persistent challenges. Qualys making this capability available to its considerable installed base signifies just how important a matter it has become. – Patrick Daly, Analyst, Information Security
Breaking down the silos between network visibility and security
Security and network visibility have been separate silos. The former watches for breaches while the latter is more about ongoing issues such as performance degradation, and the two sets of data traditionally end up in different hands. That's starting to change. One obvious sign is the merger of NetScout and Arbor, now manifested in the release of Arbor Threat Analytics, made available days before Black Hat.
We also have Spirent, famous for network testing, now asserting itself as a security player as well with the new 'Spirent assured' tagline and demonstrations of the vendor's new Reconnaissance Mode feature in its CyberFlood Data Breach Assessment offering. And startup Plixer, which gathers and interprets metadata from a horde of network elements, is primarily a security provider but can be useful in a network-monitoring context as well. One more wall between silos is starting to come down, and that's a good thing. – Craig Matsumoto, Senior Analyst, Datacenter Networking
Looking ahead: The innovator's dilemma continues
Beyond the Vegas strip, the announcement of Broadcom's acquisition of Symantec's enterprise business brought a somewhat disconcerting conclusion to the week – disconcerting, at least, to security's established leaders, for whom the Symantec deal symbolized struggles of their own. In the largest transaction in infosec's history, Broadcom looked less like a shopper aiming to expand and diversify its product portfolio (the oft-stated rationale behind the purchase) and more like a financial investor seeking to capitalize on an underperforming asset in a dynamic market.
This highlights the innovator's dilemma as faced by security's incumbents: In a world where the nature of IT itself is being redefined – by the cloud at one end and a burgeoning IoT at the other – those who have succeeded based on offerings that serve the past must reinvent themselves or face the threat of a new generation that exemplifies how security will be implemented tomorrow. We highlighted this reality at infosec's other banner conference of the year, RSA 2019. We expect it to continue to shape the security market of tomorrow. – Scott Crawford, Research Vice President, Information Security