Black Hat, DEF CON Founder Offers Insight Into Security Shows, Trends
Q: What are the high-level differences between Black Hat and DEF CON?

A: DEF CON's a hacking conference, and Black Hat was started four or five years after, so we could have a professional venue. So they grew up differently. I ended up selling Black Hat years ago, but I'm still involved there and consult. But I don't have the day-to-day stress of, you know, running it.

Q: What can we expect to find out at Black Hat/DEF CON this year?

A: A couple of things: Like we saw at RSA, there's more machine learning -- those are the new magic crystals that are being sprinkled everywhere. Data analytics; your IDS (intrusion detection system) collects the data and then you use machine learning to get insight. Data analytics has come a long way from its earlier days in the data center. Now, instead of looking at just your network, you look at data sets across 500 networks. Using cloud infrastructure, you're sharing data sets. That's what's adding the value; much richer, contextual data sets. That's allowing another level of analysis.

Defender techniques are getting better and better. We're at a tipping point where over the next four or five years, the defenders will be sophisticated enough that the more annoying stuff will go away. We will programmatically detect spear-phishing; training employees against social engineering is getting automated and easier. All of this stuff is growing up and breaking out of the one-off niche phase into a consumer-productized area. Companies like Intel are baking more security into the CPU, and operating system makers like Microsoft, VMware, and Apple are starting to take advantage of the hardware protections. So in this next generation of secure boot, this will mean that your security software can be trusted to be loaded first. If you know how attack and defense work, a lot of times whoever loads first wins -- because they're in front of the bad guy's software. If the bad guy loads first, they can lie to the security software.

Security software still has to work, but if you are first, you are no longer fighting over who wins that race. Good guys can now win that fight, but it's taken us 15 years to get to a secure boot.

Q: Black Hat and DEF CON have experienced continued growth for more than 20 years. Few sectors see that kind of consistency.

A: Both conferences reflect the overall industry; there seems to be never-ending growth in interest. Normally we get a few hundred submissions at Black Hat; this year we have almost 600 submissions. Just to review 600 technical submissions is a huge job. We've got a review board of 20-plus experts, and it just takes a long time. We're seeing these submissions diversify; we now see them on the Internet of Things, car hacking, automation, drones, wireless, satellites, all this machine-learning stuff -- on top of all the normal Web-app sec. The trend of complexity is accelerating. That's the big trend; the ecosystem is diversified and becoming more complex, which makes it harder and harder for any one person to understand what's really going on.

Q: The attack surfaces are increasing all the time.

A: You might need to have five or 10 people in a room to even understand what your exposures are. The access control system is now plugged in, the video surveillance system is plugged in; smart locks, the ticketing system -- everything's getting plugged in. Sometimes they don't realize that they are inheriting each other's vulnerabilities. In the old days, you could get two or three people together and understand what your exposures are. Now, especially with cloud and SaaS, you're inheriting whole chains of risk that you didn't even know you were inheriting. If you outsource your email, does your email provider ever tell you when they're being attacked? They never tell us. Is that because nobody ever attacks them, or because they don't know? I don't know the answer to that. Users just figure, 'I bought it, therefore I assume it is secure.'

Do you realize that you have no Fourth Amendment protection once you outsource something? [The Fourth Amendment to the U.S. Constitution is the part of the Bill of Rights that prohibits unreasonable searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.] What does your general counsel say to that? I don't think he knows! Okay then!

I think we're at a psychological tipping point, where the human way of responding to this onslaught of complexity is that they sort of shut down. I hear people saying: 'Well, they're going to get the data anyway,' or, 'There's no such thing as privacy anymore,' or 'You can never keep them (hackers) out.' Well, s--t, if you're not even going to try, then I guess they win. That dismissive, defeatist attitude -- that to me is the most troubling. They've accepted the fact that they've lost before they've even started.
Attackers and researchers are using this. Now they can model behavior better; they can do deeper analysis of a program flow. Both sides are using it; it's a two-edged sword. I think what it will do in the long run is flush out some of the noise.