Another Black Hat has come and gone, and the time is ripe for our first annual Best of Black Hat post. Through the noise of 270 vendors and over 15,000 attendees (not to mention the stupefying din of Las Vegas in general), signals emerge about the direction InfoSec is taking, and the ideas that will define the next phase of this increasingly complex and dynamic industry.
Here are the top three takeaways from Black Hat that we think everyone in SecOps should consider:
1. Cryptography Evolves
TLS 1.3 was ratified in March and the official RFC was released on August 10th, right in that liminal time between Black Hat and Def Con. With TLS 1.3 comes the deprecation of RSA key exchange, and the standardization of Perfect Forward Secrecy using Diffie-Hellman cryptography.
Right on time for the TLS 1.3 RFC, security researchers from Cisco presented a Black Hat briefing that demonstrated a successful Replay attack against TLS 1.3. The researchers emphasized that TLS 1.3 adoption is accelerating, and with the official RFC release, every security vendor is going to start having to deal with the implications of the new standard.
Vulnerabilities aside, the advent of widely-deployed perfect forward secrecy will have significant impact on SecOps visibility inside their environments. For vendors who claim to help with threat detection and investigation, the biggest implications revolve around visibility. SecOps teams need to analyze network traffic in order to spot and track bad actors inside their environments. TLS 1.3 makes that harder because teams who can't decrypt Perfect Forward Secrecy cannot see a large portion of important traffic.
2. Network Traffic Analytics is Up Next
Network traffic analytics is a new category of security product, and the level of representation for NTA at Black Hat 2018 reinforces the fact that this category is gaining steam. Its visibility into late-stage attack activities are why it is set to become an integral part of any SOC over the next several years. Numerous vendors are emphasizing their ability to provide real time insights by analyzing network traffic, but many are cagey about what they mean by network data. There's a major difference between seeing traffic volumes and calling it "Network Traffic Analysis," and seeing actual transaction contents in real time and using that as a source of SecOps insight and investigative capability.
NTA presents a new opportunity and a new set of challenges for SecOps teams. The technology now exists to get definitive insights and immediate answers from the network in real time, but because the space is new, vendors are taking advantage of hazily defined requirements to sell weak-sauce solutions to eager SOCs. Discerning between opportunistic entrants and those with the muscle to really define the space will be a growing challenge for SecOps buyers.
Check out our post about what exactly Network Traffic Analysis is, and how to tell the real claims from the snake oil in this burgeoning category.
3. Analytics Pulls Everyone To The Cloud
Cloud-based tools have traditionally been a tough sell for security operations teams. The risk of putting sensitive data in the cloud or exposing internal security practices to potential slipups by SaaS vendors has been a deterrent to security teams using anything other than on-premises solutions. SOCs who have trialed MSP solutions have often pulled back some or all of their usage because of cost, speed, or business expertise requirements. But as NTA gains momentum, the accuracy and efficiency of cloud-enhanced analytics is growing too strong to resist.
The cloud provides the necessary compute capabilities for rapid iteration on machine learning models, but this requires incredibly stringent security and privacy practices to convince security buyers that their data will remain secure. For NTA, machine learning and rapid model updates make cloud-based systems essentially mandatory for effective detection of behavioral anomalies and emerging attack activities.
Numerous vendors in the business hall at Black Hat 2018 were promoting analytics products with major dependencies on the cloud. The value propositions of these products are strong enough that it seems likely SOCs will be motivated to relax their inhibitions about the cloud in order to use the next generation of powerful analytics products.
The Wrap Up
Black Hat is a great educational opportunity for those in the sessions, and watching what happens in the expo hall can provide strong signals about the future of InfoSec technology. We predict the three trends listed above will be top-of-mind for CISO, SOC operators, and anyone working in SecOps in the next year.