Black Hat 2022 was held in Las Vegas last week, at the same time as theCUBE’s supercloud event. Unlike AWS re:Inforce, where words are carefully chosen to put a positive spin on security, Black Hat exposes all the warts of cybersecurity and openly discusses its hard truths. It’s a conference attended by technical experts who proudly share some of the vulnerabilities they’ve discovered and of course by numerous vendors marketing their products and services.

In this Breaking Analysis, we summarize what we learned from discussions with several people who attended Black Hat and our analysis from reviewing dozens of keynotes, articles, videos, session talks, Dark Reading interviews and data from a recent Black Hat attendees survey conducted by Black Hat and Informa PLC. We’ll also share data from ETR in a recent post discussing how Zscaler Inc. became the last line of defense for a manufacturing firm.

We’ll end with a discussion of what it all means for the challenges around securing the supercloud.

Key Black Hat takeaways

We did not attend Black Hat, rather we spent days absorbing content from the event, which is renowned for its hundreds of sessions, breakouts and strong technical content that is unvarnished.

Featured keynote: Chris Krebs, the former director of the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, spoke about the increasing complexity of tech stacks and its ripple effects on risk. Where re:Inforce tends to emphasize the positive state of cybersecurity, it can be said that Black Hat, as the name implies, focuses on the other end of the spectrum. Risk was a major theme of the show: lots of talk as always about the expanded threat surface and tons of emphasis on supply chain risk.

Hybrid work and the impact on risk: There was also plenty of discussion about hybrid work and how remote work has dramatically increased business risk.

Attack vectors: Data from both the Intel Corp. 471 Cyber Threat Report and the previously mentioned Black Hat attendee survey showed that compromised credentials posed the No. 1 source of risk, followed by infrastructure vulnerabilities and supply chain risk.

The future of war is here and it’s cyber-led: At an MIT cybersecurity conference earlier last decade, theCUBE had a conversation with former Boston Globe war correspondent Charles Sennott about the hypothetical future of war and the role of cyber. We had similar discussions with Dr. Robert Gates on theCUBE. At Black Hat, these discussions went well beyond the theoretical with data from the war in Ukraine. It’s clear that modern wars are and will be supported by cyber. But the takeaways are they will be highly situational and unpredictable, because in combat scenarios anything can happen.

AI in cyber is not all hype: The role of AI was discussed and somewhat dissed as overhyped. But though AI is not a panacea to cyber exposure, automation and machine intelligence can augment stressed-out security teams by recommending actions. Most of the defense will still be based on monitoring, telemetry data, log analysis, curating known signatures and analyzing consolidated data. But increasingly AI will help with the unknowns – the zero-day threats and threat actor behaviors post-infiltration.

Collaboration has to walk the talk: Finally, while much lip service has been given over the years to collaboration and public/private partnerships, especially after Stuxnet was revealed early last decade, the truth is that threat intelligence in the private sector is still evolving. In particular, the tech industry began to try to monetize proprietary intelligence in the middle part of last decade with private reporting. But attitudes toward collaboration are trending in a positive direction. Public private partnerships are being catalyzed by a stronger government push and there was a sentiment at Black Hat that customers are demanding their vendors to work together to fight an increasingly capable adversary.

Supercloud security requires standards: Without this type of collaboration, securing the supercloud will be more challenging and confined to narrow solutions.

The state of cybersecurity according to Black Hat attendees

Let’s look at some of the survey data from Black Hat. Just under 200 serious security experts took the survey. So, not enough to slice and dice by hair color, eye color, height, weight and favorite movie genre… but enough to extract high-level takeaways.

Surveys with strongly agree or disagree questions can sometimes give vanilla outputs. But if we look for the answers where very there’s an overwhelming cluster of consensus, at the edges of the spectrum you can make some conclusions that are probably more telling. To wit, the it’s clear from the graphic above that these survey respondents believe the following:

• Your credentials are out there and available to criminals;
• Remote work is here to stay;
• Hope for the best, plan for the worst. No respondents were willing to jinx their firms and say they strongly disagree that they’ll have to respond to a major cybersecurity incident in the next 12 months.

COVID has catalyzed permanent changes to defense strategies

As we’ve reported extensively, COVID has permanently changed the cybersecurity landscape and chief information security officers’ playbook.

The chart above shows results that queried respondents on the pandemic’s most significant impacts on cybersecurity. They include new requirements to secure remote workers, more cloud, more threats from remote systems and users and a shift away from perimeter defenses that are no longer as effective – e.g. firewall appliances.

Note, however, the fifth response down highlighted in green. It shows a meaningful drop in the percentage of remote workers disregarding corporate security policy. Still too many, but 10 percentage points down from 2021’s survey.

Rock, paper, scissors… people, process and tech

As we’ve said many times, bad user behavior will trump good security technology every time. The following diagram from the survey results underscores this reality:

Consistent with commentary from Mark Arena on the Intel 471 threat report, the Black Hat attendee survey also shows phishing for credentials is the No. 1 concern of cyber professionals. This is a people and process problem more than a technology issue. Using multifactor authentication, changing passwords, unique passwords, password managers, etc., are all great things, but if it’s too hard for users to implement, they won’t and they’ll remain exposed.

The No. 2 concern on the graphic above — Sophisticated attacks exposing vulnerabilities in the security infrastructure — is also consistent with the Intel 471 data and;

The No. 3 concern, no surprise, is supply chain risk — again, consistent with Mark Arena’s commentary and the Intel 471 report.

Lack of cybersecurity expertise remains an acute problem

Ask most CISOs their No. 1 problem and lack of talent will top the list.

So it’s no surprise that 63% of survey respondents believe they don’t have the security staff necessary to defend against cyberthreats. This speaks to the rise of managed security service providers that we’ve talked about previously on Breaking Analysis. We’ve seen estimates that less than 50% of organizations in the U.S. have a security operations center, and we see those firms as ripe for MSSP support, as well as larger firms augmenting staff with managed service providers.

It is somewhat of a surprise that one-third of the respondents indicate they have adequate staff. However, note that figure is down noticeably from last year’s survey (44%).

Cloud is creating new organizational layers

After re:Inforce we put forth the conceptual model shown in the diagram below. It depicts how the cloud is becoming the first line of defense for CISOs and DevOps is being asked to do more, like secure the runtime and the containers and the platform, etc. And audit becomes the last line of defense.

Two notable trends we picked up from Black Hat that are consistent with this shift shown above:

• Observability: Getting visibility across the expanded threat surface was a big theme. This makes it even harder for CISOs to identify risk. It’s one thing to know there’s a vulnerability somewhere. It’s another to determine its severity. But understanding how easy or difficult it is to exploit that vulnerability is a challenge. And how to prioritize action is increasingly complex for CISOs.
• Federating SOC capabilities: The SOC, if there is one at the organization, is becoming federated. No longer can there be one ivory tower that is the magic god room of data and threat detection and analysis. Rather the SOC is becoming distributed, following data patterns. And as we mentioned above, the SOC is being augmented by the cloud provider and MSSPs. So there’s a lot of critical security data that is decentralized and this will necessitate a new cyber data model, where data can be synchronized and shared with a federation of SOC capabilities that live across an organization’s ecosystem.

Saved by Zscaler – cloud security as the last line of defense

To the point above about the cloud being the first line of defense, let’s turn to a story from Enterprise Technology Research that came out of our colleague Erik Bradley’s Insight one-on-one with a senior information technology person at a manufacturing firm. In a piece called “Saved by Zscaler,” check out this comment below from a senior technology leader at a manufacturing firm:

As the last layer, we are filtering all the outgoing internet traffic through Zscaler. When an attacker is already on your network, and they’re trying to communicate with the outside to exchange encryption keys, Zscaler is already blocking the traffic. It happened to us. It happened and we were saved by Zscaler.

So not only is the cloud the first line of defense… here’s an example where it’s the last line of defense as well.  

Is security the biggest blocker to supercloud?

Let’s end on what this all means to supercloud. At our event last week in the Palo Alto CUBE studios, we had a session called Securing the Supercloud. We had three technical experts,  Gee Rittenhouse of Skyhigh Security (Musarubra US LLC), Piyush Sharma, founder of Accurics (acquired by Tenable Inc.), and Tony Kueh, former head of product at VMware Inc.

A key takeaway was that security is going to be one of the most important and difficult challenges for the idea of supercloud to become real.

We reviewed in last week’s Breaking Analysis a detailed discussion we had at Supercloud 22 with Snowflake Inc. co-founder and President of Products Benoit Dageville. The conversation focused on how his company approaches security in their data cloud – what we call a super data cloud. But what if you don’t have the focus, engineering depth and bankroll that Snowflake has? Does that mean superclouds will only be developed by those companies with enormous resources?

It’s certainly possible.

John Furrier asked each of the panelists, what is missing? That is, what has to happen to secure the supercloud? Here’s what they said:

Listen to three security experts articulate what’s missing that’s needed to secure the supercloud.

Piyush Sharma

I think we need a consortium. We need a framework that defines that if you really want to operate in supercloud, these are the 10 things that you must follow. It doesn’t matter whether you take AWS or GCP, or you have all [three], and you will have the on-prem also, which means that it has to follow a pattern. And that pattern is what is required for supercloud, in my opinion. Otherwise security is going everywhere. [SecOps] will have to fix everything, find everything, and so on. It’s not going to be possible. So they need a framework. They need a consortium. And this consortium needs to be, I think, led by the cloud providers, because they’re the ones who have these foundational infrastructure elements. And the security vendor should contribute on providing more severe detections or severe findings. So that, in my opinion, should be the model.

Gee Rittenhouse

I think [what’s missing] is a business model. We’ve seen in cloud that scale matters. And once you’re big, you get bigger. We haven’t seen that coalesce around either a vendor, a business model, or whatnot to bring all of this and connect it all together yet. So that value proposition in the industry, I think, is missing, but there’s elements of it already available.

Tony Kueh

I think there needs to be a mindset. If you look again, history repeating itself. The internet sort of came together around set of IETF, RSC standards. Everybody embraced and extended it. But still there was at least a baseline. And I think at that time, the largest and most innovative vendors understood that they couldn’t do it by themselves, right? And so I think what we need is a mindset where these big guys like Google, let’s take an example. They’re not going to win at all, but they can have a substantial share. So how do they collaborate with the ecosystem around a set of standards so that they can bring their differentiation and then embrace everybody together?

Our take

Gee’s point about a business model missing is broadly true. But perhaps Snowflake serves as the model where they’ve just gone out and done it… setting (or trying to set) the de facto standard by which data can be shared and monetized, but accomplished within a proprietary framework that is a controlled environment. Snowflake uses the powerful metaphor of a data clean room. Perhaps that is one answer.

Tony lays out a scenario where there’s a collaboration mindset around a set of standards with an ecosystem. Intriguing is this idea of a consortium or a framework that Piyush was talking about. It speaks to the collaboration (or lack thereof) that we addressed earlier and was a key topic at Black Hat. Piyush’s and Tony’s proposal that the cloud providers should lead with the security vendor ecosystem playing a supporting role is compelling.

Can you see AWS, Azure and Google in a kumbaya moment getting together to make that happen and harmonize security standards? It seems unlikely, but maybe government could be a catalyst. Perhaps public policy could play a role and provide both carrot and stick incentives versus today’s solely adversarial posture toward big tech. It could drive large tech companies to take a leading role, as the panelists suggested, to drive collaboration in the interest of national security.

This would take a long-term vision that focuses government energies on partnering with big tech on national security versus trying to micromanage the behavior of big tech companies. History echoes, and the anti-big tech agenda currently being put forth by the FTC will likely end the same way it always has, with markets, not governments, determining competitive outcomes.

Keep in touch

Thanks to all the folks who created content from Black Hat and those who shared feedback on the event with us for this post: Becky Bracken, the editor in chief at Dark Reading, Kelly Jackson Higgins and the entire team at the Dark Reading News Desk. Mark Arena, Garret O’Hara, Nash Borges, Curt Franklin from Omdia, Roya Gordon, Robert Lipovsky, Chris Krebs and many others: Thanks for the great commentary and content you put out there.

Alex Myerson does the production, podcasts and media workflows for Breaking Analysis. Special thanks to Kristen Martin and Cheryl Knight who help us keep our community informed and get the word out, and to Rob Hof, our editor in chief at SiliconANGLE.

Remember we publish each week on Wikibon and SiliconANGLE. These episodes are all available as podcasts wherever you listen.

Email david.vellante@siliconangle.com, DM @dvellante on Twitter and comment on our LinkedIn posts.

Also, check out this ETR Tutorial we created, which explains the spending methodology in more detail. Note: ETR is a separate company from Wikibon and SiliconANGLE. If you would like to cite or republish any of the company’s data, or inquire about its services, please contact ETR at legal@etr.ai.

Here’s the full video analysis:

All statements made regarding companies or securities are strictly beliefs, points of view and opinions held by SiliconANGLE media, Enterprise Technology Research, other guests on theCUBE and guest writers. Such statements are not recommendations by these individuals to buy, sell or hold any security. The content presented does not constitute investment advice and should not be used as the basis for any investment decision. You and only you are responsible for your investment decisions.

Disclosure: Many of the companies cited in Breaking Analysis are sponsors of theCUBE and/or clients of Wikibon. None of these firms or other companies has any editorial control over or advanced viewing of what’s published in Breaking Analysis.

Image: beebright/Adobe Stock