Black Hat USA 2023: Insights From Our Short Vegas Residency
Black Hat has gone from being RSAC’s smaller tech and practitioner-focused cousin to being a commercial showcase for cybersecurity vendors. A tightly packed, noisy Business Hall included over 300 vendors and 400 organizations with booths, which was great for swag but bad for anyone with even the mildest case of claustrophobia.
Our band of Forrester analysts — Joseph Blankenship, Jess Burn, Allie Mellen, Tope Olufon, and Jeff Pollard — spent the week in Las Vegas with temperatures well over 100 degrees Fahrenheit … outside … which is why we stayed inside as much as possible. As Tope noted upon landing, “42 degrees Celsius should be illegal.”
Together, we logged over 160,000 steps, attending 80 client meetings and 20 track sessions. We left the event with these takeaways:
Security Services And SaaS Stood Out In The Business Hall
Everyone has a flavor of managed detection and response (MDR), MXDR (this is a bad term; don’t use it), or some other variant of *DR. We’ve discussed the security services flywheel and “everything-eventually-becomes-a-service”; the booths at Black Hat 2023 confirmed this phenomenon in real time. But very few vendors knew how to stand out and offer value beyond claiming, “We’re the best.” Vendors without a better way to describe what they offer resurrected the “single pane of glass (SPOG),” and “the everything everywhere dashboard” is also alive and kicking, but few could articulate the actual value of what their dashboards displayed. Demos were heavily scripted with an outsized focus on detection, conveniently forgetting that the “R” in MDR exists for a reason. Response matters.
Some vendors demonstrated genuine added value with a few AI applications, but a well-written Python script could address most of the use cases. As a final tip for vendor booth staff: make sure the people talking about your product can offer more information than what can be found on Wikipedia.
The Cybersecurity Industry Stays Robust
After a year of reductions in force (RIFs) — in an industry with an oft-mentioned talent shortage — and with vendors like Rapid7 announcing one during the event and Secureworks following soon after, the industry is as healthy as ever based on the number of vendors, booths, and attendees. During the event, Rubrik and Check Point announced acquisitions, and Endor Labs announced a $70 million Series A. While capital flowing into cybersecurity has slowed, innovation still happens, and companies with strong business models are keeping the attention of investors and customers.
Generative AI Transitioned From Marketing To Demos
Vendors marketed generative AI at RSA. Vendors demonstrated it at Black Hat. Actual production deployments remain … hard to find. Don’t expect general availability of these releases until the new year for the vast majority of vendors (if not all). Applications are becoming more diverse, no longer limited to security operations use cases and broadening into application security and vulnerability management.
Generative AI Fatigue Is Real … And Irrelevant
Everyone — security leaders and vendors alike — is tired of generative AI. But that won’t make it go away. Enterprise adoption will increase, vendors will need to embed generative AI capabilities into their products and services, and we will all spend the next few years thinking about and reacting to generative AI’s security implications. The mistake to avoid here is letting that fatigue trick you into thinking these problems have disappeared. Don’t get desensitized by the hype around this topic. If you do, you’ll wind up playing catch-up, and that’s not an enviable position for any senior executive to be in.
Cyber Insurance And You, Perfect Together?
Black Hat hosted a “cyber insurance microsummit” with four briefing sessions discussing the topic from different angles — CISO, insurtech, legal, and managed security services — but the same message came through in each. Your security program and your insurance policy are now inextricably linked. Continued insurability hinges on how you respond to the increasingly prescriptive requirements carriers place on your controls, processes, and technology, requirements derived from their analysis of their now-plentiful claims data. While ransomware remains a focus, business email compromise and fraudulent funds transfer are also on the rise: they are easy, profitable, and far less noisy than ransomware.
The Feds Swarmed The Stage, The Business Hall, And The Event
The days of “Spot the Fed” at Black Hat are over. They’re everywhere. The US government was out in force at Black Hat, nabbing two keynotes at the conference, one briefing session, and a lot of square footage in the business hall. Representatives from six government or government-affiliated agencies had impressive booth space, including the Air Force Civilian Service, Cybersecurity and Infrastructure Security Agency (CISA), Los Alamos National Laboratory, NSA Cybersecurity Collaboration Center, Sandia National Laboratories, and the United States Department of Justice.
DARPA took to the main stage to announce its AI Cyber Challenge — a two-year competition with the goal of creating a new set of cybersecurity tools designed to defend critical software and systems — and CISA and White House leaders made the rounds at Defcon and SquadCon while in Vegas. This love-bombing at scale reflects the administration’s desire for, and focus on, the tight public-private partnership needed to protect the nation. And if a little recruiting happened for said federal agencies along the way, especially among practitioners who may see a government job as a safer bet than one in the volatile security tech industry, well, that would be a bonus.
Startup Competition: Appsec All The Things
The four finalists in the Black Hat Startup Spotlight — Binarly, Endor Labs, Gomboc AI, and Mobb — all featured a slightly different (but appsec- and DevSecOps-heavy) message. Despite each vendor operating somewhere different in the tech stack for prospective clients, each focused on helping developers find and remediate software, configuration, and policy flaws within the DevOps pipeline.
Despite All The Meetings, We Still Saw Some Of The Briefings
Despite all the client meetings, we still managed to attend some of the Black Hat keynotes and briefings. For the most part, we agreed that many of the sessions were more “RSA-like” than we’ve come to expect from Black Hat briefings. As you might expect, many of the sessions focused heavily on AI — its benefits as well as the ways it can be exploited for evil. Our favorite sessions:
- JB: Maria Markstedter’s opening keynote, Guardians of the AI Era: Navigating the Cybersecurity Landscape of Tomorrow, and Me and My Evil Digital Twin: The Psychology of Human Exploitation by AI Assistants.
- Jess: Devising and Detecting Phishing: Large Language Models (GPT3, GPT4) vs. Smaller Human Models (V-Triad, Generic Emails).
- Tope: BingBang: Hacking Bing.com (and much more) with Azure Active Directory.
- Jeff: Ram Shankar Siva Kumar’s briefing, Risks of AI Risk Policy: Five Lessons.
But Wait, There’s More!
These are just a few of our Black Hat USA 2023 insights. To hear more about our collective Black Hat experiences, please join us for a client-exclusive webinar, Get Insights From Black Hat Without Going To Vegas, on Tuesday, August 29, at 11 a.m. Eastern time. Forrester clients can register now!