Top 10 Black Hat takeaways for security pros

Another Black Hat USA has wrapped up, attracting about 19,000 security professionals from a wide range of disciplines, including academics, researchers, and a contingent from the public and private sectors.

Over the four days of training sessions and two days of briefings where experts revealed the latest developments in security risks and trends, there was a lot of information to absorb, as always.

Here are the top takeaways from Black Hat USA in 2018.

The Role of AI, ML, and DL in security is growing

It was evident at Black Hat that artificial intelligence, machine learning, and deep learning will be playing a key role in cybersecurity. The question is when it will happen.

"Artificial intelligence talks were a big part of the conference," said Jon Zayicek, practice principal for risk and security at Cask LLC, a business and technology consulting firm based in San Diego.

"One presentation I went to talked about how great and advanced it is, and the other said don’t believe in it yet because it is not ready for prime time."
Jon Zayicek

Andrew Howard, CTO of Kudelski Security, agreed that AI had a big presence at the show. "Virtually every vendor booth I walked by had the words artificial intelligence and machine learning in their product pitch," he said.

In the past, there were some serious gaps between those pitches and what was delivered, but that may be changing. Fernando Montenegro, a senior analyst on the information security team at 451 Research, said many times AI and ML technologies are being incorporated into products quietly, without a lot of hoopla.

"Vendors are getting better at what they're doing, but there is still a gap."
Fernando Montenegro

Still, many buyers remain unable to evaluate claims about AI and ML made by vendors, maintained Aaron Higbee, CTO and co-founder of Cofense, a provider of anti-phishing solutions in Leesburg, Virginia.

"Right now, I don't know if buyers have the sophistication to dive very deeply into these vendors' claims. Maybe in a year or two they will."
Aaron Higbee

Automating security is necessary for keeping up with DevOps

The need to automate security tasks to keep pace with accelerated development schedules was another top-of-mind topic at Black Hat. "Application security has been squeezed by efficiencies in the software development lifecycle for several years, but at Black Hat I heard over and over again how CISOs are being asked to cut budgets, so the fuse is really lit at both ends now," said Manish Gupta, CEO of ShiftLeft.

They see automation as the only way to meet both security and operational goals, Gupta added.

"[While] security vendors increasingly talk about automation, the CISOs I spoke with don't view simply bolting an existing product on to a DevOps pipeline as a big enough change. They need exponential changes and technologies that increase signal and reduce noise through automation."
Manish Gupta

DevOps has created a velocity problem for security teams, Kudelski's Howard noted. "If you want your security people to succeed, they need tools embedded into the lifecycle that don't require human intervention," he said.

Moving security left in the development cycle remains challenging

Despite the amount of lip service given to moving security closer to the beginning of the application development lifecycle, the process remains challenging, said Brian Contos, CISO of Verodin.

"Expectations on non-security folks to be security savvy are way too high. We need to demand that our security tools do a better job."
Brian Contos

"I've been hearing about DevSecOps for years now," added Gary Hayslip, CISO of Webroot. "I'm just not seeing a lot of people doing it well."

Montenegro of 451 Research said he noticed that "shift left" wasn't a focus of vendors at the conference.

"That's an interesting message in itself. Shift-left functionality is starting to come from vendors not typically associated with the security industry."
Fernando Montenegro

Measuring security effectiveness is taking a back seat to putting out fires

Much of Black Hat is aimed at addressing threats after they happen. In that sense, it's a reflection of the industry as a whole. "We are spending way too much time chasing lagging indicators of compromise—zero days and APTs [advanced persistent threats]—instead of actually measuring and improving our security effectiveness," Contos said.

In addition, the show seemed to emphasize novelty over value. "There is too much focus on the next new piece of tech instead of getting value from the tech we've got," Contos maintained.

IoT security is gaining vendors' attention

Past Black Hats have touched on IoT security, but this year it seemed to attract more attention than ever. "I saw a lot of vendors trying to do something about threats from IoT devices," Howard said. "Traditional players are trying to pivot into that space."

In addition, many speakers and presentations focused on physical devices being attacked, he observed.

"The attack surface there is very large," added Mounir Hahad, head of the threat lab for Juniper Networks. "That's mostly due to the lack of security maturity of vendors in that space."

Product integration is a rising concern for companies

Black Hat conference-goers appeared to be very interested in how products worked with other products, said Rosanna Pellegrino, senior vice president of sales and business development at Digital Defense, a vulnerability scanning and penetration testing company in San Antonio, Texas.

Everyone was asking vendors what ecosystem they were a part of and who their partners were, she noted. "That's relevant to many organizations who need to make the data from these security products operational in their environments," she added.

Trusted partners are expanding the attack surface of organizations

Vendors at Black Hat showed concern about an organization's outside partners posing threats to security. "Some of the latest breaches have involved some sort of intrusion through a vendor that was either not assessed prior to on-boarding or tabs were not kept on their status," said Jason Zhang, a senior threat researcher at Sophos.

Vendors aren't alone in creating outside threats to organizations. There's also concern that remote workers are introducing threats to the network by working over unsecured connections and on insecure devices, Cask's Zayicek noted.

"One thing that surprises me year after year at Black Hat is the vastness of the cyberattack surface. It's not just growing by single exploits anymore. It's growing by whole classes of exploits."
Mounir Hahad

Antivirus will be for more than defense

Antivirus software has had to take its lumps in recent times, but it may be about to stage a second act. "Lots of vendors were talking about the next generation of antivirus that is proactive rather than reactive, meaning that they will be hunting for threats," Zayicek said.

Ransomware is going manual

While automation was a hot topic during Black Hat, one area where it may be getting less popular is in ransomware. SamSam, a ransomware line that's earned its creators $6 million since 2015, leans heavily on manual techniques to work its malevolence.

Unlike most ransomware, SamSam doesn't depend on phishing campaigns to penetrate a system. The attacker uses tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit, and exploits operating system vulnerabilities.

The manual approach SamSam employs could set a new trend in how ransomware attacks unfold, said Zhang.

"Progressively savvier cybercriminals, like the group or individual behind the SamSam attacks, are now adding a human element to their already devious mix of evasive techniques to keep even some of the most advanced security software from detecting it."
Jason Zhang
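The RDP password-guessing described above leaves a recognizable trail in Windows Security logs. The following added example (not from the article or any vendor quoted in it) flags a source that produces a burst of failed RemoteInteractive logons (Event ID 4625, Logon Type 10) and then a success from the same source; the log format, field order, IP addresses and thresholds are constructed assumptions.

```python
"""Detect RDP password-guessing bursts (Windows Event ID 4625, Logon Type 10)
in constructed security-log lines. Field layout and sample values are
assumptions for this example, not taken from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp event_id logon_type source_ip account"
SAMPLE_LOG = """\
2018-08-09T01:00:00 4625 10 203.0.113.7 administrator
2018-08-09T01:00:01 4625 10 203.0.113.7 admin
2018-08-09T01:00:01 4625 10 203.0.113.7 backup
2018-08-09T01:00:02 4625 10 203.0.113.7 svc_sql
2018-08-09T01:00:02 4625 10 203.0.113.7 helpdesk
2018-08-09T01:00:03 4625 10 203.0.113.7 administrator
2018-08-09T01:00:15 4624 10 203.0.113.7 administrator
2018-08-09T01:05:00 4625 10 198.51.100.4 jdoe
2018-08-09T01:12:00 4625 10 198.51.100.4 jdoe
"""

def parse(line):
    ts, event_id, logon_type, src, account = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), src, account

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (source_ip, kind): 'burst' when `threshold` RDP failures
    from one source fall inside `window`; 'burst_then_success' when a successful
    RDP logon from that same source follows the burst."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625 events
    flagged = set()                 # sources already in burst state
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, src, _ = parse(line)
        if logon_type != 10:        # only RemoteInteractive (RDP) logons
            continue
        if event_id == 4625:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst"))
        elif event_id == 4624 and src in flagged:
            alerts.append((src, "burst_then_success"))
    return alerts
```

On the constructed log the first source trips the burst rule on its fifth failure within two seconds and is flagged again when its later logon succeeds, while the two failures from the second source are too far apart to count.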

Nation-states are hiding their activity behind common hacker tools

Black Hat attendees also learned that nation-states are using commercial malware available from the dark web to conduct operations against their targets, rather than creating custom software, which is more likely to be traced back to them.

"Malware on the commercial market can be used over and over again without being traced back to a nation-state because many other cybercriminals are using it," Digital Defense's Pellegrino explained.

Tip of the Black Hat

Although this year's Black Hat conference seemed tamer than some in past years, for security practitioners looking to hone their skills and keep pace with the latest trends in the hacking world, there was plenty of information to consume and digest. "It shines a light on a lot of issues the security community is facing," Juniper Networks' Hahad said.