Industry Trends

Black Hat Las Vegas 2016 Observations:The Show Floor

By Bill McGee | August 04, 2016

I’m always interested to walk the show floor the first day of a conference to get a sense of what the vendor community has decided is important. The show floor at Black Hat is especially interesting, because while most of the vendors are responding to the security demands of their customers, just upstairs researchers are demonstrating the next generation of threats that haven’t yet, for the most part, been addressed.

A quick walk around the floor shows two major trends. The big bets vendors are making are cloud security and threat intelligence. Nearly everyone has some variation on these two. Surprisingly, there is little mention anywhere of traditional security, like Firewalls or IPS.

The Problem with the Cloud

Clearly, enterprises have stopped kicking the tires and finally decided to move to cloud-based services in a big way. And there is a bewildering array of security solutions there to greet them. 

The challenge is that most of these are one-off solutions that will need to be added to an already overburdened IT security team. Larger enterprises now have an average of 35 different security devices deployed in their environment, and across the total market, organizations are trying to orchestrate and control security through an average of 14 or more different management interfaces. Talking to a few attendees, responses were generally, “I know we need this, but I’m not sure where I’m going to find the resources to deploy and manage it.”

The flexibility of cloud-based networking, computing, and services is compelling. The biggest risk, however, isn’t that the cloud environments provided by carriers aren’t secure. The risk primarily lies with the applications running in the cloud, or between the enterprise and the cloud, and with the inability to enforce consistent policy or share threat intelligence between traditional and cloud networks. So while many of these cloud tools are nice, when you deploy them they are flying solo. You will still need to hand-correlate events and threats between the cloud and the traditional network, and multi-vector attacks will still be difficult to detect. Which means a huge hit to your operating expenses budget.

Only a handful of vendors seem to be addressing the challenge of bridging security between the network and the cloud, so if you are looking for a cloud security solution, that’s where I’d start. Of course, those are only two pieces of the larger puzzle. You still have mobile devices and BYOD, wireless access points, IoT, virtualization, Big Data, and web and email traffic to manage. And as hard as I looked, almost no one besides Fortinet was talking about how you connect all of that together into a unified and collaborative security architecture.

What is Threat Intelligence?

Threat intelligence is the other major theme on the Black Hat show floor this year, but it doesn’t seem to mean the same thing to different vendors. Some conflate it with AI and automation, others with delivering or aggregating threat feeds, and some even with hands-on expertise. “Threat Intelligence” has become a buzzword in search of a definition. Right now, it means whatever a vendor wants it to mean.

So if you’re trying to navigate through this maze of meanings, here are some clues to help you along the way.

Threat intelligence sounds important, but it isn’t always helpful. An update about a threat after you have already been compromised, for example, is of limited value. So, the first requirement is, how do you extract relevant intelligence, at the moment you need it, from the mountain of information being produced?

The next requirement is whether the intelligence is actionable. For example, critical intelligence about a Windows server vulnerability isn’t very useful if you don’t have any of those servers deployed in your network.

And finally, intelligence needs to be able to be consumed and shared by a variety of devices. Correlation of threat intelligence to ensure its accuracy and relevance, combined with the ability of different devices to leverage that intelligence to deliver a coordinated response regardless of where that threat is located (even in the cloud) is what makes threat intelligence truly valuable.

Again, few vendors who have added the “threat intelligence” label to their offerings provide anything like what I described.

Everything Else

Of course, there were some other nuggets of interesting security tools worth looking at. Most of these are way in the back of the show floor in the little tiny booths occupied by security startups. There are dozens of interesting things out there, like application code analysis, and tools for detecting and blocking bot scrapers and skimmers. Most of these are tools that are likely to either get acquired and then incorporated into a larger toolkit, or will just quietly go away. I love this part of the show floor. It’s a lot like all the gadgets and gizmos piled up near the checkout registers at the local hardware store.

In summary, the key to walking a show floor is preparation. Window shopping is nice, but if you really need something, you need to start by asking a few simple questions:

1. What are you trying to do? Not just what problem are you trying to solve, but how does this relate to the rest of your business, now and into the future? You don’t build a car by just browsing through an auto parts store and buying individual components. They need to work together. Networks are the same.

2. Stop thinking in silos - even if you are only responsible for one piece of the network. No matter how interesting a particular cloud security tool may seem, for example, if it doesn’t integrate and collaborate with the rest of your security architecture, you may actually be reducing rather than enhancing visibility and control.

3. Consider how long you will need this solution before you replace or upgrade it. What is the development roadmap for this solution? Will it scale as your business grows? Will the manufacturer still be in business in five years? Is it based on open standards so you can integrate it with tools you haven’t even bought yet?