Perspectives From Black Hat 2022
- By Erik Nost, Forrester
- August 30, 2022
Thousands of security practitioners, vendors, and researchers from 111 countries packed the Mandalay Bay Convention Center in Las Vegas last week for the first in-person Black Hat since 2019. Since that 2019 event, the number of new technologies and security providers has grown, as have threats, threat actors, and social, political, and economic concerns. This year’s high attendance demonstrated the desire for in-person conferences to make a full-fledged comeback. However, the continued growth in cyber breaches shows that security progress is, unfortunately, still lacking.
Vendor marketing teams had a shorter window than in prior years to refine booth and banner messaging between the RSA Conference and Black Hat 2022. At Black Hat this year, Zero Trust messaging was surprisingly scarce, while themes around risk reigned supreme. Vendor booths ranged from boxing rings to lock-picking contests, while ample LEGO swag from multiple vendors helped win over the practitioner-heavy DEF CON crowd.
Assessment and detection of assets and threats, along with recent acquisitions, were highlighted in many booths, especially from the startups in “Innovation City.” Recent calls for security collaboration have meant vendors are no longer keeping data for themselves and are instead exposing APIs for the benefit of the security community. Startups are using these APIs to ingest whatever data they can and layer their own proprietary risk scoring and prioritization on top of it. Expect more vendor entrants into this asset/threat prioritization and prediction space, some of which will eventually be bought by larger vendors.
The keynotes from ex-CISA director Chris Krebs and long-time security journalist Kim Zetter reiterated a similar theme: in the 25 years since the first Black Hat, we are not more secure. Krebs took an optimistic view and was encouraged by emerging innovations in security products, predicting that tools will help improve security, but that first, due to humans’ constant need to connect things to the internet, things will get worse. He referenced a quote from Daniel Miessler, underlining that software remains vulnerable because making it secure is not yet beneficial. Zetter echoed the sentiment that security must become (and slowly is becoming) a business problem and that security fundamentals must improve. She added that the Colonial Pipeline breach taught us that maintenance, user training, and incident response plans are the most important means of keeping organizations secure.
Black Hat attendees came decked out in their T-shirt best, with phrases like “I spy with my APIs” and “Exploit Wednesday” weaving throughout the conference. My favorite T-shirt was Simon Pavitt’s “I AM LYING TO YOU,” worn during his and Stephen Dewsnip’s briefing “‘No Mr. Cyber Threat!’ – A Psychological Approach To Managing the Fail-to-Challenge Vulnerability.” In their talk, they addressed how security practitioners can use gamification to change end-user behavior by thinking of security training as “level one” of a video game. They make their social engineering training easy by wearing obvious T-shirts and labeling USB drives “VIRUS” or “EVIL.” By giving users easy wins, they rewire the users’ psychological process of identifying threats. Vulnerability management vendors such as Balbix have added gamification, and it will be interesting to see whether other products and vendors apply Pavitt and Dewsnip’s research.
The original article by Erik Nost, senior analyst at Forrester, is here.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/BeeBright