Three Takeaways from Black Hat 2024
By Guest Blogger Jonathan Brucato, Director of Security Operations
This year, I was afforded the opportunity to represent ECI at the 2024 Black Hat USA conference, or as some in the industry like to call it, "Hacker Summer Camp." Black Hat USA is a multi-day event consisting of vendor-sponsored chats, industry professional "briefings" or presentations, and focused training. The conference also contains a massive Business Hall, hosting hundreds of security-related vendor booths, where you can demo software, chat with product experts or fill your Black Hat-provided backpack with branded "swag" (author's note: branded tube socks seem to be the most prevalent and sought-after swag in this community, for reasons which I cannot explain). The size of the event cannot be overstated, as it consumes the Mandalay Bay Convention Center in Las Vegas, its bars and restaurants, and adjacent casino spaces to keep attendees entertained throughout the night.
With my first visit to Black Hat on the books, I wanted to focus on the following:
Meet with our vendors face-to-face, provide feedback and build rapport that can't quite be achieved over video calls
Research how our other MSP and MSSPs are approaching modern security challenges for their customers
Identify areas where ECI can add value to our customers using new and emerging technologies
I checked off my boxes; however, the event provided much more than the space needed to complete my checklist. Black Hat, since the mid-nineties, has developed a reputation for being a friendly, community-driven event. Attending the conference by yourself? Not a problem - you will find yourself talking with other attendees who, like you, want to learn about cool tech, dark-art hacks and new problem-solving tactics. These random encounters will have you exchanging contact information, meeting up at after-parties and sharing tool recommendations. It was through one of these encounters that I found myself in a breakout room with two security analysts from PayPal, whose presentation on Novel Email Spoofing Attack Patterns drew me and a security analyst from Italy into a break-out space to further discuss the challenges of mail authentication.
While the conference provided all sorts of benefits that we'll be able to harness at ECI, a few key topics stood out, which I'll cover below:
Artificial Intelligence was not a stand-alone topic; it was ubiquitous. Researchers presented on how to attack and/or defend GenAI platforms. Vendors stuck out like a sore thumb if their booths weren't decorated with some "AI Driven" or "AI Assisted" tagline. Omdia kicked off their Analyst Summit (a segmented, full-day event reviewing industry trends based on Omdia's own survey research) by calling out 2023 as the year of GenAI, to imply that it was already here and part of industry DNA, rather than a standalone topic.
What I derived from attending briefings, the Omdia Summit and connecting with vendors was that AI has been here for what seems like a while, and it's our responsibility as security professionals to understand its value and risks in every business function. I also left feeling that emerging AI technologies such as LLMs are not yet completely understood from a security defense perspective. In his briefing titled Living off Microsoft Copilot, Michael Bargury displayed how to "jailbreak" and exploit MS Copilot. While he did make some defensive recommendations on how to prevent such attacks, his presentation concluded with the notion that "We are all AI security n00bs." I understood this to mean that whether we work in offensive or defensive security, we are only beginning to understand the implications of such tools existing in our environments.
Directly threaded to the subject of AI, there is increased market interest in tool-based data classification. Data Security Posture Management (DSPM) tools give businesses a way to classify, tag and audit their data. In some cases, these tools can extend into the realm of Data Loss Prevention (DLP). Data governance, by way of continuous monitoring of access and permissions, is not a new concept. In fact, it's a fundamental principle defined in standards dating back to the 1970s.
With the integration of GenAI technologies into an increasing number of data providers, the importance of data security should be top-of-mind for all organizations. Implementing a DSPM solution can decrease the risk from outside threats and prevent sensitive information from being used in a training dataset (assuming the solution has been implemented prior to training). Additionally, leveraging a tool can improve the overall data management lifecycle, prevent misconfiguration of access privileges and reduce compliance headaches.
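To make the classify, tag and audit loop concrete, here is an added example written for this post (not ECI's tooling, Microsoft Purview, or any vendor's product) that runs the three steps over a handful of constructed sample records and then applies the "keep sensitive data out of the training set" gate from the paragraph above. The file paths, principal names, sensitivity ranks and detection rules are all assumptions chosen for illustration; a real DSPM product would crawl live repositories and read actual ACLs.

```python
import re
from dataclasses import dataclass

# Constructed sample "documents": a path, a content snippet and the principals
# granted read access. All values are made up for this example.
SAMPLE_DOCS = [
    {"path": "/share/hr/payroll_q3.csv",
     "content": "name,ssn,salary\nA. Example,123-45-6789,95000",
     "readers": ["hr-team", "Everyone"]},
    {"path": "/share/finance/card_batch.txt",
     "content": "charge 4111111111111111 exp 12/27",
     "readers": ["finance-team"]},
    {"path": "/share/marketing/newsletter.md",
     "content": "Contact us at hello@example.com for details.",
     "readers": ["Everyone"]},
    {"path": "/share/eng/test_ids.txt",
     "content": "fixture id 1234567890123456",   # 16 digits but fails Luhn
     "readers": ["eng-team"]},
    {"path": "/share/eng/release_notes.md",
     "content": "v2.3 fixes a crash on startup.",
     "readers": ["Everyone"]},
]

# Detection rules: (tag, sensitivity rank, pattern). Ranks are assumptions:
# 3 = Confidential, 1 = Internal, 0 = Public. The highest matching rank wins.
RULES = [
    ("PII:SSN",   3, re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PCI:PAN",   3, re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ("PII:Email", 1, re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
]
# Principals that mean "effectively everyone" in this assumed environment.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users"}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to cut false positives on card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def level_for(rank: int) -> str:
    if rank >= 3:
        return "Confidential"
    if rank >= 1:
        return "Internal"
    return "Public"


def classify(doc: dict) -> tuple[str, list[str]]:
    """Step 1 and 2: detect sensitive content and derive a level plus tags."""
    tags, rank = [], 0
    for tag, r, pattern in RULES:
        for m in pattern.finditer(doc["content"]):
            if tag == "PCI:PAN":
                # A digit run that fails Luhn is treated as a test id, not a PAN.
                if not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue
            if tag not in tags:
                tags.append(tag)
            rank = max(rank, r)
    return level_for(rank), tags


@dataclass
class Finding:
    path: str
    level: str
    tags: list
    issues: list


def audit(doc: dict, level: str) -> list[str]:
    """Step 3: compare who can read the data against what it contains."""
    issues = []
    if level == "Confidential" and BROAD_PRINCIPALS & set(doc["readers"]):
        issues.append("confidential data readable by broad principal")
    return issues


def scan(docs: list[dict]) -> list[Finding]:
    findings = []
    for doc in docs:
        level, tags = classify(doc)
        findings.append(Finding(doc["path"], level, tags, audit(doc, level)))
    return findings


def training_eligible(findings: list[Finding]) -> list[str]:
    """The gate from the text: only Public-classified records may be used to train."""
    return [f.path for f in findings if f.level == "Public"]


if __name__ == "__main__":
    for f in scan(SAMPLE_DOCS):
        print(f"{f.path}: {f.level} {f.tags} {f.issues}")
    print("training-eligible:", training_eligible(scan(SAMPLE_DOCS)))
```

The Luhn step is the part worth keeping in mind when evaluating any classifier: a bare "16 digits" pattern would have tagged the engineering test fixture as cardholder data and pulled it out of the training set for no reason, and a tool that produces that kind of noise quickly gets ignored. The audit step is deliberately separate from classification, so the same findings can drive both a DLP rule ("block this file from leaving") and an access-governance report ("this confidential file is readable by Everyone").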
At Black Hat, the presence of DSPM solutions was notable when walking through the Business Hall. While there were many different offerings and feature options, I am reminded that many of our customers have access to the benefits of Microsoft Purview, which provides a Microsoft platform-native approach to classification, tagging and DLP. Deploying Purview, particularly when approaching a Copilot integration, might reduce the integration complexities of bringing in a separate third-party point-product.
Lastly, I was surprised to have gained a new perspective on cyber insurance, which has been a controversial topic of late. I've heard from some customers that obtaining cyber insurance feels like a "check the box" exercise, that payouts due to an incident might be unlikely, and that it was hard to see value. In his briefing, The Fundamentals of Cyber Insurance, Tiago Henriques of Coalition Inc (notably an insurance provider) argued that cyber insurance promotes better security practices through policy requirements. Speaking as an insurer, Henriques described techniques providers use to evolve customer posture, such as deploying honeypots, a deception-based technology that mimics customer technology in order to understand new and emerging attacks. Much of his presentation conveyed a "proactive" approach to customer service such as vulnerability remediation, as well as Third Party Risk Management (TPRM) as a frequent component of provider services.
Henriques also took time to dispel some common criticisms. He described that “most claims” end up getting paid out when filed and a majority relate to Funds Transfer Fraud (FTF). Conversely, ransom payment claims are observed to be minimal, which I found surprising. After attending a few additional briefings on the subject, I was left with the impression that cyber insurance could be a vehicle for positive proactive changes to an organization's security posture, not simply a box to be checked.
Overall, I found Black Hat to be an extremely enriching experience, where vendors and industry leaders collide with novel and bleeding-edge ideas from the research and threat hunting communities. I look forward to applying what I've learned through briefings and discussion to ECI's security program and products.