Black Hat 2016: Seven Takeaways for Security Partners


With the largest Black Hat to date now in the rear view mirror, it’s clear there is edginess not only in the hacker community, but also in hot cybersecurity market segments where vendors are competing for thought leadership as well as wallet share.

SuperZoo 2016, a pet retailer show, provided a bizarre but fitting backdrop, with attendees of the furry, four-legged variety co-mingling with the cybersecurity industry. I had the opportunity to speak with CISOs, vendors, and threat researchers, and to catch up with friends. After navigating the up and down escalators of Mandalay Bay, I left with these takeaways:

1. New ransomware attack vectors: While no one would divulge much about the DNC hack, the rise of insidious ransomware is top of mind with customers, vendors, and researchers alike. In addition to new variants of ransomware targeting endpoints, Netskope noted an increase in the use of file sync and share apps as the attack vector, and Proofpoint shared examples of mobile ransomware including geo-targeted attacks and others that hijack iCloud accounts to employ the Find My iPhone service as a means to extort a ransom.

2. Next-gen AV (NGAV) definition and efficacy debate: While we have long been aware of the ineffectiveness of signature-based AV, there is a debate over who came up with NGAV first, what it means, and the relative efficacy of machine learning versus behavior analysis, even though static and dynamic approaches are not mutually exclusive. Customers are not particularly interested in what's under the hood; they just want to close the front door. To do that they need markedly better efficacy, and therein lies another issue: questions about whether the published detection tests from both independents and vendors have been fair, apples-to-apples comparisons. Many are, likely rightfully, crying foul that certain detection features were disabled to tilt the scales.

3. Data security for the shifting perimeter. The increase in external sharing via enterprise file sync and share (EFSS) services, together with concerns about the insider threat as a cause of data loss, has created the need for a data-centric perimeter, one in which access policies and auditing travel with the file. By launching at Black Hat last week, ThinAir joins "next-gen" enterprise digital rights management (DRM) players Vera, Seclore, and Ionics with an innovative, category-busting approach that combines user behavioral analytics (UBA) and file integrity monitoring (FIM) with DRM for data security.

4. On the hunt. Sqrrl, Endgame, Carbon Black, Cybereason, CounterTack, Fidelis, and others all demoed solutions for a proactive approach to finding compromises before they become breaches and to reducing dwell time. In a vendor-sponsored session, Carbon Black offered pragmatic advice based on a largely vendor-agnostic methodology, encouraging practitioners not to let perfect be the enemy of good: start with the basics and, a la agile software development, iterate. The acute cybersecurity skills shortage, and the particular skills needed to hunt, have relegated such lean-forward security strategies to the high-rent district of well-resourced companies; practical advice like this makes hunting attainable by many more.

5. Data sovereignty clouding the cloud. Horrible pun aside, there is much confusion around the laws regulating data sovereignty, specifically residency versus access, and in certain geos it is slowing the adoption of cloud-delivered security solutions from US-based companies. This truly is a shame. The operational efficiencies, threat analysis, and threat sharing enabled by the cloud are highly compelling. As Dan Kaminsky noted in his keynote last week, companies don't, or at least shouldn't, compete on security. But organizations that are able to leverage the cloud to improve their security posture have a distinct advantage.

6. Cloud as the enabler. Speaking of the cloud, and making a strong case for a cloud-first orientation, I spoke with the CISO of a company that aggressively employs an M&A-fueled growth strategy, having closed 15 acquisitions in the last year. He was unequivocal that this was only possible because of how they leverage the cloud to onboard and secure these new organizations, citing the use of Skyhigh's CASB for cloud app visibility and control and Splunk for log aggregation and analysis. Like many cloud-first organizations, this company also rolls its own controls by leveraging APIs, a 1.0/MVP requirement for any cloud security offering.

7. That was fast! Acquisitions of the magnitude of Symantec's purchase of Blue Coat typically take a while to clear the hurdles of government approval. Symantec surprised many, myself included, by announcing it had completed its acquisition of Blue Coat last Monday, a testament to the complementary nature of the respective product portfolios. The new Symantec can now move from talking about some natural and compelling integrations to delivering them to the market. Research conducted by ESG showed that 72% of respondents are likely to buy from the combined entity (login required), with the top perceived benefits including fortified threat detection and response capabilities and streamlined cybersecurity operations.

Lastly, Dan Kaminsky's keynote was chock full of perspective and advice, not to mention a touch of controversy: an inadvertent display of CNN's home page during his browser isolation demo put a less than favorable headline about a POTUS candidate in front of thousands. From pets to politics to threats and much more, this year's Black Hat was never dull.

Doug Cahill is a senior analyst covering cybersecurity at ESG.