Black Hat 2018: USA Report
An overview of the world's leading information security event, held in Las Vegas and now in its 21st year, given by Francesco Cipollone with his personal impressions and thoughts.
The opinions expressed in this article are my personal opinions and do not reflect those of any of my employers. The pictures used in this article are the property of NSC42 Ltd (unless mentioned otherwise) and shall not be used without explicit acknowledgment from NSC42 Ltd.
Follow me on LinkedIn or Twitter for more articles or visit my blog at NSC42 Ltd
It is that time of the year when the security community flocks to Las Vegas for a week fueled with information sharing and, of course, partying. Last year I did not report on Black Hat, and I promised myself and a few colleagues I would be more diligent this year.
CyberSecurity Week In Vegas
The week is intense and compressed with information and conferences:
- Black Hat trainings and briefings
- Black Hat Conference and vendor meetings
- DEFCON 26
That is more than a security week; it is a summer security boot camp (as many now refer to this intensive week). The conference is broken up with parties in various parts of Vegas to help networking and release the stress. This shows how the industry, and the individuals in it, are under constant pressure and have to release this tension with parties and other similar activities.
The pressure on the individual is made even more evident by the fact that Black Hat started a stream dedicated to mental health. The extent of the mental health issue in our industry was (profusely) explained by the Facebook CISO in a recent talk. He recently departed the organization after the stressful aftermath of recent events (the disclosure to Cambridge Analytica), topped up by the constant threats directed at him via various media.
(see the specific talk Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes)
First days - Training Sessions
The first days of Black Hat were dedicated to various training sessions. I attended the Advanced DEVSECOPS training by Securos. As they warned, the training was advanced and fast-paced. The training was very hands-on, like the other trainings. One thing I’ve noticed over the past years and past training sessions at Black Hat is that trainings and sessions are oriented to a very technical audience.
In the future it would be nice if they enriched the offering with some more strategic presentations and training.
The venue, as in past years, is the Mandalay Bay convention center, more than fit for purpose regarding logistics, location, and space.
The logistics is one thing that amazes me every time: how smoothly the organizers can herd (yes, sometimes it feels like herding cats) so many people.
Parisa Tabriz (Director of Engineering at Google) took us on a journey through Chrome and the evolution of security in the web space (see the full keynote talk here).
First of all, let me say it was refreshing to see a woman on stage at such an important conference. Over the years there has been an overall theme of encouraging women in cybersecurity, and that initiative, together with the Women in Cybersecurity forum, is paying off.
Parisa Tabriz's talk focused on how to sponsor challenging and strategic topics in an organization. Specifically, the talk touched on important points like how to keep focus, how to keep up morale and, most importantly, how to internally market ideas. Some of the ideas she pushed in Google, and further in the web, have been forward-looking and sometimes challenging to justify.
Overall, I found the talk refreshing, looking at a different perspective of cyber, but not as interesting in addressing the outlook for the future. On that matter, I enjoyed last year’s talk from the Facebook CTO.
The first day of the conference was busy as expected; nonetheless, I had the feeling the attendance was lower this year. Unfortunately, I haven’t managed to verify this, but that was my overall impression. The talks were, as always, quite varied, like a good meal; nonetheless, the main dishes were the following (for the full list refer here):
- Cloud security and incident response (with automation)
- Assuming breach and how to react
- Microservice and container security
- IoT security
- Various firmware and hardware security
- Some talk on Blockchain
- Just one talk about Spectre (just one?!)
The overall theme I perceived was an improved maturity of the industry on cloud and cloud security. The industry is shifting from a defensive position to an assume-breach position, and hence the following topics are more and more relevant:
- Containment and minimizing the persistence of an attack
- Logging, logging and logging, oh and log analysis.
- Forensics and automated response to attacks
The big absences from the day, and this might again be just from my perspective, were:
- Blockchain and security
- Big data and security on big data
- Artificial intelligence and the challenges posed by this technology
- Social media and manipulated information
Of particular interest, from my perspective, were the following talks:
- Detecting Credential Compromise in AWS by William Bengtson from Netflix (@__Muscle) and the work he initiated on automated discovery of compromised AWS credentials
- An Attacker Looks at Docker by Wesley McGrew - interesting focus on container security and how to integrate security in the pipeline
- Are You Trading Stocks Securely? from Alejandro Hernandez of IOActive. Fascinating perspective on how flawed retail stock applications are. The talk was refreshing and unique at Black Hat. I would like to see more and more of those talks at Black Hat, considering that crypto exchanges are being targeted more and more.
- Playback: A TLS 1.3 Story, with 0-RTT warnings, from Alejo Murillo Moya and Alfonso Garcia Alguacil - exciting overview of the new TLS 1.3, its troubles and the 0-RTT issues.
- On crypto exchanges, there was an interesting talk from Coinbase in the Monero channel of DEF CON 26, but I will address DC26 in a separate article.
From all the above talks, as always, I managed to take away lessons that are applicable directly or indirectly to my consultancy.
Another interesting talk was ZEROing Trust: Do Zero Trust Approaches Deliver Real Security? from David Weston of Microsoft.
The overall attendance might have been a bit in decline, maybe due to the 40-plus degrees of the Nevada desert, but Black Hat USA remains THE security conference to go to.
Don’t get me wrong, it is a very expensive conference, but the quality of the talks is very high and the networking opportunities are rewarding. I keep on being very satisfied with the level of the talks and the fact that from each one of them I can take away something I can apply as soon as I’m back in the office. Plus, the conference offers the individual the ability to discuss ideas and compare approaches with high-caliber professionals.
I will be returning to BH19 in the USA, and maybe I’ll give the European versions another shot at the end of the year.
For now it is time to pack my luggage, securely, with all the information and go back to Europe. See you next year, Vegas; stay (cyber)safe.
Black Hat logo and post conference image: © UBM.