Another Black Hat has come and gone, and the time is ripe for our first annual Best of Black Hat post. Through the noise of 270 vendors and over 15,000 attendees (not to mention the stupefying din of Las Vegas in general), signals emerge about the direction InfoSec is taking, and the ideas that will define the next phase of this increasingly complex and dynamic industry.
Here are the top three takeaways from Black Hat that we think everyone in SecOps should consider:
1. Cryptography Evolves
TLS 1.3 was ratified in March and the official RFC was released on August 10th, right in that liminal time between Black Hat and Def Con. With TLS 1.3 comes the deprecation of RSA key exchange, and the standardization of Perfect Forward Secrecy using Diffie-Hellman cryptography.
Right on time for the TLS 1.3 RFC, security researchers from Cisco presented a Black Hat briefing that demonstrated a successful replay attack against TLS 1.3—but even though vulnerabilities still exist, the researchers also emphasized that TLS 1.3 adoption is accelerating. With the official RFC release, every security vendor will have to start dealing with the implications of the new standard.
For vendors who claim to help with threat detection and investigation, the biggest implications revolve around visibility. SecOps teams need to analyze network traffic in order to spot and track bad actors inside their environments. TLS 1.3 makes that harder because teams that can't decrypt traffic protected by Perfect Forward Secrecy cannot see a large portion of important traffic.
2. Network Traffic Analytics is Up Next
Network traffic analytics is a new category of security product unlike anything established in the security vendor space, and the level of representation for NTA at Black Hat 2018 reinforces the fact that this category is gaining steam and set to become an integral part of any SecOps practice over the next several years. Numerous vendors are emphasizing their ability to provide real-time insights by analyzing network traffic, but many are cagey about what they mean by network data. There's a major difference between seeing traffic volumes and calling it "Network Traffic Analysis," and seeing actual transaction contents in real time and using that as a source of SecOps insight and investigative capability.
NTA presents a new opportunity and a new set of challenges for SecOps teams. The technology now exists to get definitive insights and immediate answers from the network in real time, but because the space is new, vendors are taking advantage of hazily defined requirements to sell weak-sauce solutions to eager SOCs. Discerning between opportunistic entrants and those with the muscle to really define the space will be a growing challenge for SecOps buyers.
Check out our post about what exactly Network Traffic Analytics is, and how to tell the real claims from the snake oil in this burgeoning category.
3. Network Security Pulls Everyone To The Cloud
Cloud-based tools have traditionally been a tough sell for security teams. The risk of putting sensitive data in the cloud or exposing internal security practices to potential slipups by SaaS vendors has deterred security teams from using anything other than on-premises solutions. But as NTA gains momentum, the scalability and flexibility of cloud platforms are becoming too strong to resist. Numerous vendors in the business hall at Black Hat 2018 were promoting network security products with major dependencies on the cloud. The value propositions of these products are strong enough that it seems likely customers will be motivated to relax their inhibitions about the cloud in order to use the next generation of powerful security products.
For NTA vendors specifically, the cloud provides the necessary compute capabilities for rapid iteration on machine learning models, but this requires incredibly stringent security and privacy practices to convince security buyers that their data will remain secure.
The Wrap Up
Black Hat is a great educational opportunity largely because it's less focused on vendors and products than many trade shows, but watching what happens in the expo hall can provide strong signals about the future of InfoSec technology. We predict the three trends listed above will be top-of-mind for CISOs, SOC operators, and anyone working in SecOps in the next year.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/three-top-takeaways-from-black-hat-2018/