Socially distant Security Summer Camp was different but effective

August 12 2020
by Fernando Montenegro, Scott Crawford


There's an expression in Portuguese – Quem não tem cão, caça com gato – that translates to 'they who don't have dogs, hunt with cats.' It's closely related to the idiom 'make do with what you have.' That was the general feeling this week for what would have been the yearly gathering of security practitioners in Las Vegas for the combination of events – BSidesLV, Black Hat and DEFCON – that is colloquially known as Security Summer Camp. Instead of in-person events, BSidesLV was cancelled, while both Black Hat and DEFCON converted to online formats. The results were mixed, but mostly positive.

The 451 Take

Back in early January 2020, we had already highlighted the changing nature of security conferences and that organizers had lots of levers to pull. Although already under way, a global pandemic disrupting virtually all of society was not yet on our horizons, but here we are. Conferences had to adapt, and Black Hat and DEFCON did just that, switching to online venues that were scaled-down versions of its in-person events. Both conferences offered much of their traditional content: trainings, mini-summits or villages, regular briefings, keynotes, and expo halls. New this year were the challenges of getting past the so-called paradox of choice inherent in being able to easily switch between talks, and the occasional technical hiccup of a video session locking up.

Ultimately, though, the format did deliver. Talks were informative, and there was a modicum of the professional networking activities one finds at in-person events. This is welcome news because it is increasingly likely that, as large technology vendors announce plans to work from home or retreat from public events until well into 2021, this new mode of interaction may be with us for longer than some expect.

Black Hat Virtual

Black Hat is the traditionally more polished corporate event compared to DEFCON, and this year's version was no different. Informa, the company behind Black Hat, slashed the typical registration fees by almost 60% and chose the SwapCard platform to host Black Hat Virtual. The virtual event offered many of the well-known features of physical Black Hat, including briefings and keynotes, Business Hall for sponsors, the Arsenal area for new tools, and more.

Content was pre-recorded and speakers were available in real time to discuss their work. Save for a few instances of minor technical glitches, the platform worked well, and participants were able to engage with sponsors, speakers, and each other. In a further nod to the new online reality, all sessions were made available for playback for up to 30 days, which is also helpful for those that were unable to attend during the live broadcasts.

Following the traditional introductions by conference founder Jeff Moss and longtime supporter Qualys CEO Phillipe Courtot, the briefings part of the conference got under way with the first of two main keynotes. Both tackled relevant, extremely current, and potentially sensitive topics: election security considerations, and insights into modern misinformation campaigns.

Georgetown University's Matt Blaze, a well-known expert on election security, elaborated on the enormous complexity of the US electoral system, highlighting the inherently contradictory requirements of maintaining secrecy and transparency, plus the challenges facing the thousands of precincts all over the country. He also discussed key elements of the threat model for elections, how wide the attack surface is – far beyond just voting machines, there are numerous other components that require protection – and how electoral systems would typically handle different types of failures. He warned how different the failures may be amid the current health crisis, as systems normally used for exception handling (mail-in ballots) may be called upon to do a lot more. Finally, he exhorted security professionals to engage with their local election officials, urging them to move quickly because the election is only a few months away.

The second keynote speaker was Renée DiResta, director of the Stanford Internet Observatory (SIO). DiResta and her team specialize in tracking misinformation campaigns in their various shapes and sizes, and presented the key concepts and background information needed to understand how different state-level actors are conducting information operations in modern times. She presented insights into how modern social media platforms are used to consolidate audiences and target individuals or groups with messages that range from misinformation aimed at bolstering some state-level objectives to those that instigate conflict using identity-driven tactics. Ultimately, her message to the security industry was to be more aware of the threat, and consider how information operations affect existing threat models.

Much of the attention at Black Hat is devoted to the presentations delivered at Briefings, often highlighting new research into flaws in everything from container technology to wireless chips, and all that's in between. This year, the conference saw a drop in number of sessions, from 124 in 2019 to approximately 90 in 2020. Another area of interest is the Arsenal, which highlights tooling that can be used by security teams. This saw a drop of approximately 50%, from 100 tools highlighted in 2019 to approximately 50 in 2020.

The Business Hall typically houses the sponsor booths, be they established vendors in the main hall or startups in a separate Innovation City area. This year, there was no meaningful distinction between them, since every vendor booth was essentially an entry on a web page. The spontaneity of walking up to a booth was not there. Instead, prospects 'visiting' a sponsor booth were greeted with a variety of links to resources and a scheduler for booking time in 20-minute intervals.

For vendors, the upside was that reaching attendees in this way introduced opportunities to be more focused on outreach, and less distracted by the normal noise and interruptions at booths (including visitors less interested in learning about the vendor or doing business with them, if not outright competitors). Some indicated that prospects could be reached more proactively via the platform, and many vendors indicated they used teams dedicated to reaching out that way.

According to our estimates, even after removing from the roster of sponsors those that in 2018 and 2019 had sponsored something related to the conference's physical presence – receptions, mobile apps, meeting rooms for on-site briefings – the 2020 edition of Black Hat US saw a drop of approximately 50% in number of sponsors.

Figure 1

Sponsorship Presence for Black Hat Virtual 2020
451 Research LLC

The anecdotal feedback we received about the expo hall was mixed. For some vendors, there was much less 'foot traffic' (meaning, in this case, opportunistic visitors who made the effort to stop by the vendor's virtual presence) than occurs at traditional events. Still, some indicated that the quality of those fewer interactions they had with prospects was higher.

As in previous years, the general theme of research and conversations gravitated toward the challenges in securing an ever-expanding technology footprint, be it because of sheer scale and volume, or because technology continues to permeate more of society. Some of the highlighted talks included analysis of flaws in satellite systems, a variety of mobile devices, cloud computing, and more. Vendor and practitioner conversations included topics such as zero trust and its many forms, as well as interest in recent concepts such as SASE (secure access services edge) and XDR (extended/expanded detection and response).

DEFCON (Safe Mode with Networking)

DEFCON labeled itself this year as DEFCON (Safe Mode with Networking). As with Black Hat, the event switched to a virtual format. One of the key differences from Black Hat, however, is that DEFCON was free of cost. When coupled with the more community-oriented focus of DEFCON (indeed, one can argue that DEFCON possibly captures the essence of the original hacking/security community ethos), the combination led to an extremely popular online event attended by different levels of practitioners from all over the world. Rather than a single venue, DEFCON content was streamed in several platforms, mainly YouTube and Twitch, supported by Discord as a conference-wide communications platform.

DEFCON normally runs different conference tracks and several villages that are dedicated to specific topics. While last year's DEFCON had 37 different villages, this year DEFCON hosted 31, including additions such as a village dedicated to payment technology and one dedicated to password cracking.

The consensus about DEFCON seems to be mostly positive – while the current crisis made physical presence impossible, much of the content and atmosphere transferred well online. With DEFCON often being an entryway into security for many practitioners, the global aspect and easy availability certainly made it possible for a very diverse audience to join in.

Looking ahead, a predominantly virtual world?

We're now faced with an uncertain future. What do we expect from conferences – physical? virtual? a mixture? We imagine the answer will vary, but will lean virtual. Local, smaller events – more meetups than conferences – may revert back to physical meetings before larger conferences do, although even those may struggle. How much less attendance can a local meetup take due to safety measures before it simply becomes more practical to host it virtually?

We expect larger conferences to significantly lag other reopenings. Much like concerts and sporting events, they have the potential to achieve the inglorious designation of 'super spreader' incidents. Even when they do come back, we expect physical attendance to be significantly different than before.

If virtual is the way to go, there's useful learning that can be applied moving forward. Making the content easily available is a must (be it prerecorded or available just when the live session ends), as is understanding that, by being virtual, the event will attract a broader audience, likely worldwide. Still, even then, we found that maintaining a schedule closer to 'before' – full-day events hosted in timeslots friendly to the majority of the expected audience – are more engaging than spreading out information over a period of weeks. Events should also provide for, and even highlight, support for the 'hallway con' – the myriad side conversations that happen alongside presentations and business hall visits. Both live during the event and afterwards, peer-to-peer communications will remain a key aspect of participation.

Much like remote work capabilities proved they could support day-to-day work during the pandemic, so now must remote attendance. Those who don't have dogs, hunt with cats.