What we learned at Black Hat USA 2019
From Microsoft’s $300,000 bounty program for those able to successfully hack its Azure public-cloud infrastructure, to the latest applications for the Internet of Things, this week Black Hat USA put its finger on the pulse of security and development in 2019.
The Egress Team had an amazing experience exhibiting at and attending Black Hat, and I wanted to share four key themes we saw recurring at the show.
1. Compliance, compliance, compliance
From GDPR to CCPA, and the UK’s ICO to BA, compliance conversations seemed to hit every letter of the alphabet in their use of acronyms!
Unsurprisingly, a major talking point was the UK’s Information Commissioner’s Office (ICO) intention to fine British Airways (BA) $230m for a 2018 breach of some 500,000 customers’ data, which is the biggest fine to be proposed by this regulator or any other under GDPR. The global security community recognizes GDPR as the turning point in the way data is regulated and the blueprint for all future laws. Watching how BA’s appeal against the potential penalty plays out will be an interesting process that will test the robustness of the regulator’s enhanced powers under GDPR.
With enforcement of the California Consumer Privacy Act (CCPA) only months away, focus was also put on helping organizations to complete their compliance measures ahead of the January 1, 2020, deadline. In particular, we had many discussions with delegates looking to find ways to securely automate processes around data subject access requests (DSARs), with the anticipation that this particular area of compliance will consume considerable time and financial resources.
2. Machine learning is making good on its promises
The value machine learning can bring to security was a key topic at the show – and also the subject of my presentation.
If we’re honest, machine learning’s reputation in the security community has peaked and troughed over the last few years: Initially hailed as a bit of a golden child that could tackle security’s biggest problems, under-delivery from the first few applications has led to some in the community feeling jaded. But I’m pleased to say, machine learning is now experiencing its resurgence – and it can make all the difference to your security posture.
This is a result of more recent applications of the technology bringing real business benefits. In particular, my presentation and subsequent discussions with delegates, focused on how machine learning and advanced DLP technologies can be used to improve email security – looking at preventing email data breaches, ensuring the right level of protection is applied to sensitive information, and making solutions easier to use to increase adoption by senders and recipients. For more information on this, download our technical white paper that looks at the way Egress uses machine learning to enhance email security.
3. BEC is big!
Many of the education sessions that explored ways to detect and prevent BEC attacks referenced FBI statistics from 2018, which showed global losses from business email compromise (BEC) attacks had exceeded $12bn. If there was room for doubt in the security community before, there isn’t anymore: BEC is a big issue that demands focus and attention. And where better to have these discussions than at Black Hat?
With such a large group of white hat hackers in any one place, inevitably social engineering and email attacks were always going to be a topic of discussion. In particular, we heard from delegates who are working to educate other, less technical, users in their organizations and communities to protect their accounts and their data. We also spent time discussing how the latest technologies and development techniques, including NLP, can help to detect idiosyncrasies in emails and ultimately prevent BEC and other spear phishing attacks.
4. Adapting to risk
Saying “one size doesn’t actually fit all when it comes to security” obviously won’t shock anyone within the security community and certainly not at Black Hat! But technology exists, and continues to emerge, that can now support approaches of dynamically adapting security in line with the actual risk of a data breach.
Gartner has coined the term “continuous adaptive risk and trust assessment” (CARTA) to describe how organizations should respond to both today’s rapidly evolving threats and the dissolving of traditional network boundaries. At Black Hat, we spent time with delegates discussing the CARTA approach in the context of email data protection, which requires a continuous assessment of the risk of an actual data breach as sensitive content is being shared across potentially untrusted networks and applying appropriate protection as those risks change. Again, if this this something you’d like to learn more about, I encourage you to download our recent white paper.
What a week!
Even the grasshopper invasion in Vegas couldn’t detract from the fact that Black Hat USA 2019 was bigger and better than ever before. Discussions at the event were inevitably wide-ranging and covered a multitude of topics – so I hope you enjoyed my quick summary of the four recurring themes that resonated with us at the show.
If you want to carry on the conversation about any of these topics, or what we do at Egress, please get in touch here.