Disclaimer:
The opinion expressed in this articles are my personal opinions and do not reflect the one of my employer. The pictures used in this article are property of NSC42 Ltd (unless stated otherwise) and shall not be used without explicit agreement from NSC42 Ltd.
Intro
Is that time of the year where the security community flocks to Las Vegas for a week fueled by information sharing, and of course partying.
Last year I missed doing the report on the Black Hat conference and I promised myself I would be more diligent this year.
CyberSecurity Week In Vegas
This week is always an intense one, packed full of information and conference.
As it's held in Las Vegas, it's hardly a surprise that the conference is broken up parties across various parts of Vegas to help with networking and relieve the stress of the day.
I think this is a great way to show how both the industry and the individual are under constant pressure and have to release this tension and pressure somehow - like with partying.
This is even more evident by the fact that Black Hat started a stream dedicated to mental health.
The extent of the mental health issue, in our industry, was (profusely) explained by a Facebook CISO in a recent talk.
This came following his departure from the organisation after a stressful aftermath of the recent events (disclosure to cambridge analytical) and further accentuated by the constant threats directed to him via various social media platforms. (see the specific talk Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes )
First day - Trainings
The first day of Black Hat were dedicated to various elements of training and I attended the Advanced DEVSECOPS training by Securosis.
As they warned the training was advanced and fast paced and it was also very hands on like the other trainings.
One thing I’ve noticed over the past years at BlackHat is that training and session are aimed at a very technical audience.
In the future, it would be nice if they enriched the offering with some more strategic presentations and trainings.
The Conference
The venue as in recent years was the Mandalay Bay convention centre, which is more than fit for purpose in terms of logistics, location and space.
The logistics amaze me every time, and how smooth the organisers can herd (yes sometimes it feels like herding cats) such a number of people to where they need to be.
Keynote Talk
Parisa Tabriz (Director of engendering at Google) took us on a journey of Chrome and the evolution of security in the web space (see the full keynote talk here)
First of all, let me say, it was refreshing to see a woman on stage in such an important conference.
Over the last year there has been an overall theme of encouraging more women in cybersecurity and that initiative together with the Woman in Cybersecurity Forum seems to be paying off.
The talk from Parisa Tabriz was focused on how to sponsor challenging and strategic topics in an organisation. Specifically the talk touched on important points like how to keep focus and how to keep up morale and most importantly how to internally market ideas.
Some of the ideas she pushed in Google, and further in the web, have been very forward looking and sometimes challenging to justify.
Overall I found the talk refreshing and enjoyedlooking at a different prospective of cyber, but not - interesting really addressing the outlook for the future.
On that subject I enjoyed last year’s talk from the Facebook CTO more.
The Conference
The first day of the conference was busy as expected, nonetheless I had the feeling the excitement was less this year.
Unfortunately i haven’t managed to verify this fact but that was my overall impression.
The talks were as always quite varied, like a good meal, nonetheless the main dishes were the following (for the full list refer here).
Cloud security and incident response (with automation)
Assuming breach and how to reactMicro service
Container security
IoT security
Various firmware and hardware security
Some talks on Blockchain
Just one talk about spectre (just one?!)
The overall theme, was an overall improved maturity of the industry on cloud and cloud security. The industry is shifting from a defensive position to assume breach position and hence the following topics are more and more relevant:
Contain Security and minimising persistence of an attack
Logging, logging and logging, oh and log analysis
Forensic and Automated response to the attacks
The big absence from the day, and might be again just from my prospective, were:
Blockchain and Security
Big Data and security on big data
Artificial intelligence and challenged posed by this technology
Social medial and manipulated information
Remarkable talks
The following talks were particularly interesting, from my prospective:
Detecting Credential Compromization in AWS by William Bengston from Netflix (@__Muscle) and the work that he initiated on AWS automated discovery of compromised credentials.
An attacker Looks at Docker: by Wesley McGrew - an interesting focus on container security and how to integrate security in the pipeline.
Are You trading Stocks securely? From Alejandro Hernandez from IOActive. Very interesting prospective on how flawed the retail stock application are. The talk was refreshing and quite unique at Black Hat. I would like to see more and more of those talks and also ones considering crypto exchanges and crypto exchanges are being targeted more and more.
Playback: A TLS 1.3 Story with RTT warnings from Alejo Murillo Moya and Alfonso Garcia Alguacil - an interesting overview of the new TLS 1.3, troubles and the 0-RTT issues. On the Crypto Exchange there was an interesting talk from Coinbase in the Monero channel of DefCon26, but i will talk about DC26 in a separate article.
From all the above talks, I managed to take takeaways that are applicable directly or indirectly to my consultancy.
Another interesting talk was the ZEROing Trust: Do Zero Trust approach and deliver Real security from David Weston from Microsoft.
Conclusion
The overall excitement might have been in decline, maybe due to the 40 degree heat of the Nevada desert, but Black Hat USA remains THE security conference to go to.
Don’t get me wrong, it is a very expensive conference but the quality of the talks are very high, the opportunities to network is rewarding and I always leave with takeaways that I can apply as soon as I’m back in the office. Plus the conference offers the ability for individuals to discuss ideas and compare approaches with high calibre professionals.
I will be returning to BH19 in USA and maybe I’ll give the European version another shot at the end of the year.
For now it's time to pack my luggage with all the information I have gained and go back to Europe.
See you next year Vegas, stay cyber safe.