The Shakedown From Black Hat USA, 2024
My colleagues Allie Mellen, Paddy Harrington, Erik Nost, Cody Scott, and I assembled in Las Vegas last week for the Black Hat USA 2024 event. We spent the week attending sessions; meeting with clients; looking for trends, highlights, and lowlights in the festival of vendor marketing (on the show floor and in the convention center hallways); and making sure to drink a lot of water to survive the stifling 110-degree heat.
Here are some highlights from the show floor:
- Application security (AppSec) dominates. AppSec vendors reigned on the show floor — and there was a particular emphasis on software supply chain security and application security posture management (ASPM). Walking through Startup City, we noted several early-stage vendors pitching ASPM on their signage. As API security specialists have been gobbled up by larger AppSec vendors or have expanded their initial offerings, there was less API-specific messaging and more “application and API security” language.
- Other buzzwords fade. Notably, generative AI (genAI) and Zero Trust mentions were few and far between. GenAI’s absence was particularly surprising, as it was such a popular topic at RSA Conference earlier this year. However, Forrester has anecdotally heard from both practitioners and vendors that the chatbot use case is rife with usability challenges, which we have written about. Rather than pushing genAI, vendors are using buzzy attempts at differentiation by adding words like “the,” “dynamic,” “fastest,” and “scalable” to their product names.
- Industry moves to “SPM all the things.” Vendors pitched ASPM, data SPM (DSPM), cloud SPM (CSPM), Kubernetes SPM (KSPM), and identity SPM (ISPM). SPM being the “hot new thing” raises several questions: Does every discipline need its own SPM? How do the SPMs interact with one another? How does vendor consolidation into platforms and solutions such as exposure management play a role? Unfortunately, we find that these siloed SPMs lack the comprehensive picture needed to prioritize well and often lack remediation capabilities.
- IoT security vendors had a decent showing. Armis was a Titanium sponsor, Dispel was Platinum Plus, and Claroty was Platinum. Their presence confirms what we hear from customers about their need to improve IoT device security within the enterprise and puts pressure on the other security vendors to level up their offerings within this market.
- Post-CrowdStrike messaging emphasized resilience and risk. Many vendors touted “risk” and “resilience” in their value messaging. However, beneath the marketing language, there hasn’t been a lot of substance about how other tools could have stopped the outage, beyond other vendors having different QA and kernel-access policies. As we wrote about in multiple pieces, preventing a recurrence as an end user is operationally challenging; the changes need to come from the vendor. Further, the onus is on the practitioner to use the outage as a prompt to systematically prioritize and manage their total risk posture. While we’re encouraged to see vendors and practitioners talking about resilience use cases in more concrete terms, resilience isn’t achieved through any single security product.
- Some vendors had fun with their booths. We would like to recognize some vendors who opted not to take themselves too seriously and had booths that deviated from the standard corporate branding. A little bit of whimsy is OK (as long as it is respectful, please). Pentera’s booth was designed to look like a game of Candy Land, a late-1800s scientist would feel at home in HUMAN’s old-timey conservatory/lab, and Wiz’s booth marketing was a retro supermarket ad come to life.
Election Security Is Front And Center
Off the floor, one of the key themes of Black Hat was not enterprise focused. During the opening keynote, a panel of leaders from the US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the EU’s European Union Agency for Cybersecurity (ENISA) discussed election security and the dynamics of protecting elections in a year in which over two billion people globally are expected to vote. The panel focused on two elements of election security: protecting infrastructure (which we have written about before) and addressing the misinformation and disinformation campaigns that target citizens. CISA director Jen Easterly expressed confidence in US election infrastructure and noted that the distributed nature of US election administration, at the county level rather than the federal or even statewide level, limits the reach of any potential infrastructure attack. Felicity Oswald of NCSC and Hans de Vries of ENISA both pointed out that many of the elections in their regions still use paper ballots and manual counting.
On the topics of misinformation and disinformation, members of the panel stressed that media and leaders are responsible for using proper language so as not to propagate misinformation (hard agree), while CISA’s Easterly emphasized the importance of getting information from subject matter experts (a message that resonated with those attending the keynote but wouldn’t with the subgroup of citizens that tend to distrust “experts”). Not discussed was what these agencies are doing to disrupt disinformation campaigns and prevent misinformation from taking hold.
Another Year, Another Attempt At Avoiding The Heat
Outside of the sessions, meetings, and show floor where we spent our time staying out of the heat, we also went to a smash room and spent 15 minutes breaking things.
Reach out to us if you have any questions about Black Hat, DEFCON, or what’s next for the market. Forrester clients can request an inquiry or guidance session to discuss the event and any other lingering questions.