Not just grasshoppers, but security pros and enthusiasts swarm Las Vegas for conferences
August 23 2019
by Fernando Montenegro, Garrett Bekker, Daniel Kennedy, Patrick Daly, Scott Crawford
The security industry once again gathered in Las Vegas for a week-long series of events dubbed 'security summer camp' or 'hacker summer camp,' depending on one's view of the industry. Taken together, BSides, Black Hat and DEF CON, plus assorted other events, bring tens of thousands to Las Vegas to present novel research, show off latest products, network with peers and discuss all sorts of industry topics. All this happens while the rest of the IT industry continues to move forward with ever-increasing reaches into modern society. The security industry now needs to navigate a complex maze of user demands, political realities and ongoing technology innovation.
The 451 Take
With its 2019 edition suitably distant from the RSA conference earlier in the year, the set of security summer camp events seemed again to be an appropriate moment for the industry to catch up on developments and trends. From the corporate-oriented Black Hat to the more community-centric DEF CON, BSides and Diana Initiative, Vegas is where one sees the sprawling reach of cybersecurity: It touches everything, from clouds to IoT, from corporate laptops to planes, trains and automobiles. All the attention and activity should not, however, obscure the fact that the industry remains at a crossroads, looking for ways to efficiently engage with society at large and within organizations themselves. How the industry – professionals and vendors alike – reacts to the demands of increased collaboration, automation and inevitable regulation will make and break fortunes much more than gambling in the Vegas casinos ever could.
Initially, this year's Black Hat keynote risked being mired in controversy as the organizers had to replace speakers in the spring on account of backlash from the community: Congressman Will Hurd was deemed too controversial a choice given the current political climate. Dino Dai Zovi, a well-known researcher and practitioner, was chosen instead.
The change worked well. The Black Hat keynote was prefaced, as usual, with brief remarks from Jeff Moss, founder of DEF CON and Black Hat, and Philippe Courtot, CEO of Qualys. Both highlighted the increased need for security teams to improve communication and cooperation across the business, with emphasis on the growing visibility of the DevOps approach to modern infrastructure.
Dai Zovi was eloquent in advocating for a much more communicative and inclusive security industry. The key principles he articulated were to 'work backward from the job' (i.e., focus on user needs and the objectives of development), adequately seek and apply available advantages (such as automation), and focus on culture. Taken together, these should help the industry better serve the needs of modern society.
The regular conference talks at Black Hat tend more toward reporting on newer techniques and trends, and this year's crop was no different. Topics of talks included securing Kubernetes clusters, briefings on DevOps and software bill of materials, among others. One of the themes we notice overall is the increased importance of asset discovery and prioritization. With that in mind, Kenna's research into an exploit-prediction system seemed interesting – it may allow teams to better prioritize remediation efforts.
One discordant note was the controversy generated by a sponsored talk that made claims about an approach to encryption that raised more than eyebrows. The episode ended with the talk being removed from the conference materials, and we expect that future sponsored talks may have additional scrutiny.
The expo hall at Black Hat was, as in previous years, virtually indistinguishable from RSA in terms of content. The usual flurry of attention-grabbing attractions and attendees looking for novelty items dominated the show floor, although some of the more egregious antics of past years seemed mercifully less brazen.
Endpoint security vendors were out in force, with a large presence from known brands. One of the key announcements was Cybereason's $200m funding round, which should give it room to expand its presence.
Two key trends we're noticing in the space are the increased convergence of protection and detection use cases (EPP and EDR), and the increased acceptance of coexisting with other agents. Another relevant trend is the rise in popularity of 'endpoint plus' – endpoint data being collected alongside other data sources (network, cloud, email and others) and processed via a centralized analytics capability. This arguably started with FireEye's Helix approach, but is now evident in offerings such as Cortex XDR from Palo Alto Networks, Trend Micro's new XDR message and Sophos with Sync security, among others. We expect more to follow.
The increased visibility of discussions around cloud security was timely, given the disclosure of a very cloud-centric breach at CapitalOne announced just days before the conferences. Organizations are indeed moving significant portions of their workloads to cloud environments – be it IaaS, PaaS or SaaS – and security teams are looking to adapt to this new reality. We fully expect that the increased importance of cloud and the lessons still being learned about the high-profile breach will bring additional scrutiny to just how organizations are making this transition. Data from 451 Research already points to this renewed interest, even before high-profile breaches. As can be seen from the chart below, cloud infrastructure security is the area with the highest proportion of respondents indicating increased spending in 2019.
[Chart: Securing cloud workloads grabs the greatest aggregate increase in spending]
This also provides opportunity for vendors looking to offer a deeper look into cloud security. This was evident with cloud security – alongside container security, Kubernetes and service mesh – being well represented in the Innovation City area of Black Hat. As organizations delve into the complex maze of cloud permissions and automation, vendors such as CloudKnox may see increased interest.
One common theme among our conversations was, unsurprisingly, zero trust. Although zero trust has arguably been around for nearly a decade – with roots dating back to the Jericho Forum in the early 2000s – the trend has garnered considerable attention in the past year. Despite greater 'presence,' most of the enterprises and vendors we speak with are still trying to wrap their arms around, first, what zero trust means specifically, and second, how to go about addressing it.
For enterprises, the primary issue is how to go about implementing the principles of a zero-trust framework – primarily, how to incorporate identity-based security and stronger forms of authentication more broadly, following principles such as least-privilege access – without completely disrupting their existing network architectures and investments. There is general consensus that most enterprises lack the financial and technical resources of Google, and thus a full BeyondCorp-like reference architecture is unrealistic for all but the smallest minority of firms.
For vendors, the situation is how to begin to address zero trust, and what the right messaging and market positioning might be so that they can place the right amount of emphasis on a trend that, despite considerable hype, remains in its very early stages. Recent survey data from 451 Research indicates that just 12% of firms have actually deployed zero-trust principles in their current environments, while 61% have no current plans. Furthermore, 44% of respondents indicated that they plan to slightly increase their spending on zero trust in the next 12 months.
The explosion of unmanaged devices connecting to corporate IT environments, such as printers, routers, IP cameras and (in some cases) medical devices, has made it more difficult for enterprise security teams to gain a complete understanding of their exposure. On top of this, increasing connectivity between IT and operational technology (OT) networks, a process known as IT/OT convergence, has brought security for both of these environments under the domain of the CISO. The potential security implications of IT/OT convergence have been well explored, and were further illustrated at this year's Black Hat conference when security researchers from IOActive demonstrated that vulnerabilities in a Boeing 787's firmware could expose the plane's avionics system to remote exploitation. (It should be noted that Boeing claims the attack outlined would have been prevented by its network security controls if attempted outside of a lab environment.)
To capitalize on these trends, several IoT security vendors have emerged over the last several years, either providing IoT device OEMs with tools to build more robust security into their devices or providing organizations with the means to inventory the connected devices in their environment (IT or OT) and to detect and respond to potential threats. We also see vendors from such adjacent areas as PKI/key management looking at IoT as a key use case. This is the case, for example, with Sectigo (formerly Comodo), Venafi and Globalsign, among others.
As the market opportunity created by unmanaged devices and IT/OT convergence has become better understood, incumbent IT security vendors have begun to throw their hats into the ring. Tenable and Qualys both emphasize their ability to passively scan unmanaged devices and OT environments for vulnerabilities, while others have acquired their way into the market, as ForeScout did when it bought SecurityMatters in 2018.
Much like Kubernetes appears to have consolidated its position in the cloud-native orchestration space, the MITRE ATT&CK framework seems to have raised its stature as the lingua franca for characterizing attack attributes and related information in a consistent, machine-readable way. The goal of ATT&CK supports MITRE's long-standing commitment to better automation and integration of security operations tactics and incident response. ATT&CK's continued embrace is one of the more positive signs that this aspiration seems increasingly within reach. Many vendors either have adopted MITRE's terminology for their products or are in the process of doing so.
One of the areas with increased activity is asset management and discovery. This may have started in earnest with Axonius' win at this year's RSA Conference Innovation Sandbox, but is now in full swing with announcements at Black Hat, such as Qualys offering free asset discovery. As organizations recognize that incidents may occur in obscure portions of their ever-sprawling estates, asset discovery becomes a high-priority concern.
As an example of the increased importance of collaboration between vendors and researchers, both Apple and Microsoft announced significant upgrades to their bug-bounty efforts, with Apple increasing payouts for iOS flaws while Microsoft opens up security testing within its Azure platform.
Broadcom acquires Symantec's enterprise business
While not directly tied to the many August security events in Las Vegas, Broadcom's acquisition of Symantec's enterprise business and brand was made public during 'summer camp,' and is something of a bellwether for the security products and services market. In our analysis of this transaction, we called out that Broadcom, far from seeking to build out a complementary software portfolio, was functioning more like a financial investor, seeing opportunity in an asset underperforming in an otherwise dynamic market.
Over the course of this year, we have discussed the 'innovator's dilemma' facing security incumbents. Many of today's existing vendor empires were built on the security technology of the past; the enterprise of tomorrow, however, is largely being defined by the sweeping changes remaking IT – from cloud and cloud-native technologies to a profusion of 'smart' devices, 5G networks and IT/OT integration. Whether incumbents can navigate these fast-moving changes successfully remains to be seen. In the meantime, these stresses may precipitate even more milestones, such as that represented by Broadcom-Symantec.
The DEF CON conference starts right alongside Black Hat and, now in its 27th edition, brought 29,000 people – professionals and enthusiasts alike – to four locations on the Strip. Of note, DEF CON includes both main tracks and several 'villages' with specific focus areas. This year, new villages were started for application security, cloud security, maritime security, aviation security and others.
Much like the DEF CON conference facilitated the creation of Black Hat, the congregation of security professionals in one spot incentivizes the appearance of adjacent events. The popular BSides series of community-led events was started alongside Black Hat and DEF CON in 2009, and now numbers over 500 events worldwide. At this year's BSides Las Vegas, the keynote featured DNC CISO Bob Lord revisiting the Yahoo attack and current linkages between cybersecurity and politics.
Additional gatherings during the week included the Diana Initiative, a community-led conference that highlights the accomplishments and work of underrepresented minorities, and separate events such as AGC Disruption (aimed at investment professionals and executives), a Cyber Insurance Summit and a Bug Bounty Summit, among others.
Beyond the buzz
While the buzz of insects along Las Vegas Boulevard may not have materialized as many seemed to expect, security practitioners look forward to the buzz of security's annual summer gathering throughout the year. The week remains unique for bringing together not only a critical mass of the industry, but also a range of events for sharing new insight that produces new techniques, among adversaries and defenders alike.
This is a large part of why 'security summer camp' remains important to the industry as a whole. The fruits of the summer may take some time to mature, but practitioners and security technology and service vendors alike are always well advised to review the content of all the week's conferences – and the events that revolve around them – to gain better insight into what they can expect in the months to come.