4 things I learned at Black Hat 2021

The Black Hat 2021 cybersecurity conference took place in Las Vegas this week, and it’s been a whirlwind few days. The awkwardness of returning to face-to-face events and the sensory overload of walking through the Mandalay Bay casino gave way to some fantastic content from the sessions and engaging discussions on the show floor. It was great to get back together with the security community and really reconnect after a truly extraordinary year in security — and in society. As I head home, a few themes that seemed to underpin so much of the show are now coalescing in my mind.

1. One thing remains clearer than ever: Security pros have really hard jobs. And that’s not going to change anytime soon. This isn’t news to the diehards in our world, but I’m not sure the broader tech industry fully grasps it, to say nothing of the leaders in every company, government, and organization out there. My team ran a poll on the expo floor and via our social channels during the show, and the responses are telling.

Even in the remote-work, post-SolarWinds, post-Colonial Pipeline, post-Exchange, post-Kaseya era, 64% of respondents said security resources in their organization have not increased in the last 12 months. And only 18% of those respondents who didn’t get more resources said they “have everything covered sufficiently.” There’s a lot of moving of deck chairs going on, too: 27% of companies have opted to shift resources to different security priorities instead of adding more resources.

Security professionals sleep with one eye open thanks to cybercrime — and fight an uphill battle inside their organizations too. Asked about the most significant human factor threatening security in their organizations, 44% cited malicious actors, either inside or outside their organization, and 33% cited human error. The burnout is real, but the unfortunate reality is that the attackers continue to overrun the defenders.

2. But we might finally be at a turning point. Thanks to the Colonial Pipeline attack, cybersecurity is now a national defense issue, and there is growing recognition both in government and the private sector that if we’re not all secure, then nobody is secure. We’ve all seen the executive order from the Biden administration. There is a growing understanding in the government and upper reaches of private-sector leadership of what those of us in the security industry have all known for a long time: that we must deeply understand the incidents of the past, actively prevent intrusions today, and anticipate what might be lurking around the next corner. The smooth and predictable functioning of our society depends on this. What’s more, we cannot do any of these things without the private and public sectors collaborating closely. That will require a massive cultural shift and a willingness to prioritize the greater good over immediate profit.

In her keynote speech at the event, Jen Easterly, the new Director for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), laid out a vision for how collaboration can address the existential threat. She announced the Joint Cyber Defense Collaborative to introduce operational collaboration between different government agencies and with the private sector. Many, myself included, were concerned after Chris Krebs’ departure from the agency, but it’s very reassuring to know it remains in good hands. Easterly’s passion and drive were inspiring and motivating. Things that particularly resonated with me were the agency’s concrete actions to close the skills and education gap, ranging from K-8 programs to workforce reskilling and points in-between, and her call for increased transparency and information sharing among agencies and the private sector. When it comes to cybersecurity, the fortunes of private companies are now irrevocably intertwined with those of the government. We are all in this together.

Scott Shackelford from Indiana University and former NTSB chair Christopher Hart also made an interesting and compelling argument for a National Cybersecurity Safety Board that would do for cybersecurity what the National Transportation Safety Board does for aviation. Of course, cyber attacks are intentional, not accidental — and there are massive political challenges to consider — but like aviation accidents, the unique, rare, and highly consequential nature of major breaches make them highly suitable for this kind of focus. And, as Shackleford and Hart argued, we need an independent entity to investigate breaches and make recommendations for future protections. I’m curious how something like this can also draw on innovation from the private sector; there’s plenty of goodwill that companies can garner by demonstrating their contributions to national security.

3. If we really want to find novel ways to collaborate across the public/private divide and succeed in addressing the threats we all face, we’re going to need a better mousetrap — one that doesn’t rely on manual actions. Humans need help if we ever hope to get ahead of the threat. Capacity is already the rate-limiting factor, and malicious actors are swimming in circles around us. This is where automation, including, yes, machine learning and artificial intelligence, has to be brought to bear on the problem. These technologies are crucial to a faster, stronger defense against attack.

If security professionals don’t get serious about bringing automation to bear on these problems, they’re bringing a knife to a gunfight.

Qualys CISO Ben Carr hit on this in his session on “extortionware” — ransomware’s bigger (and meaner) brother. In Ben’s words, “People need to start thinking of hackers as business entities, who are trying to create revenue streams at massive scale.”

It’s time for security to go from a solely defensive posture to one that blends offense and defense, and the only way to do that is to automate everything that can be reasonably automated and reduce the signal-to-noise ratio in the results of that automation. That’s how we will free up humans for the hard stuff — like offensive security research to stay one step ahead of the next threat.

4. And a bit of good news: We haven’t lost our sense of humor. (Because if we didn’t laugh, we’d cry our eyes out.) Perhaps the best way to illustrate the reality of the day-to-day for a security professional emerged when we asked our poll respondents to #badlydescribeyourjob. A few of the best quotes here:

• “Custodial engineer. I clean up the mess.”
• “I let people cry on my shoulder and help them realize it was their fault.”
• “If people hate me, I am doing a great job.”
• “I tell everyone their work quality is bad. Eventually they agree.”

All memes aside, it was a great time being back with our people and seeing at least the top half of people’s faces in real life. And I’m already looking forward to next year’s Black Hat, hopefully with Covid fully in the rearview mirror. It will be interesting to see how these themes evolve between now and then. I hope we will be amazed at the changes we’ve seen and how much better we are at working together to address one of the most pressing issues of our time. I’m also hoping to see people’s smiles again. That said, I’m officially adding generously spaced rows in the keynote auditorium to my list of Covid-era practices to keep.

Mark Ralls is President and COO of Invicti.