Reflections From Black Hat 2018

Photo by John Such on Unsplash

Another Black Hat/Defcon in the books. Both conferences have been going strong for 20+ years, with Black Hat being the more commercial of the two (its latest event hosted over 17k people), and provide no shortage of interesting and alarming news. While the conferences are well known for their focus on the latest in hacks and vulnerabilities, it was great to see the emphasis on the importance of industry collaboration in the keynote. Parisa Tabriz, Director of Engineering at Google and head of Project Zero, kicked off the conference by detailing what she learned managing the security of the Chrome browser and leading the team holding the world’s software makers accountable for their products. Speaking to a room of predominantly hackers, Parisa helped recognize that hackers and defenders working together have the ability to not just find, but also solve problems.

Chrome is the most used browser in the world, so Google has an opportunity to add security at scale for users by making it secure by default. To do this, one of Google’s missions is for ubiquitous implementation of HTTPS. Through changes in UI and communication and making HTTPS a ranking signal, Chrome users can more safely use and understand the safety of their browser experience. This type of change doesn’t come easy and involves a host of folks across the industry. From the makers to the users, morale has to be a priority, with all stakeholders on board in order to make progress. Security doesn’t need to be scary to get results — check out all of the cool work by the Duo-Decipher. Also, security by default is worth the effort. Architectural changes, such as the introduction of site isolation, meant massive code refactoring for the Chrome team, but has a lasting impact in staving off harm from vulnerabilities like cross site scripting and speculative execution attacks like Spectre.

At the same time, not everybody operates with the same resources and support that Google has. Organizations that we frequently speak with are unable to hire people to handle the complexity of the security environments that they operate. But what folks can take away is the importance of usability in security. From dev tools to end user applications, the better the usability, the more security can be a forethought. Security baked into technology rather than bolted on should be the standard.

Changes in infrastructure always seems to necessitate a next-gen security product to protect it. There’s a container security market and now a serverless security market on the way. Instead of crowding the market with yet another security tool, I think the real opportunity is in infrastructure products that have security as a foundation. We consistently hear from CISOs that they don’t want another dashboard and that their environment is complex enough. Let’s make security easier to accomplish with the tools that people are already invested in.

The keynote reminded me how we all play a part in ensuring security. As investors, it’s important that we don’t further add confusion for defenders with a landscape of vendors that is impossible to navigate. If you think putting together the Momentum cyberscape is hard, imagine your neck on the line as you try to figure out what in this mishmash you actually need. Kelly Shortridge did an excellent funding analysis of the Black Hat business hall where she lays out where all the money is coming from. As she puts it, “the incredible amount of deal volume we presently see is driven by one-off investors who want to dip their toe in the infosec waters, having seen blazing, FUD-ridden headlines declaring its relevance.”

In a recent conversation with a CISO from a large global bank, he was looking for data encryption that could scale to the size of his organization, yet the pitches that he gets tend to focus on quantum-proof encryption or decentralized data stores. While novel ideas to security are welcome, many of the startups in the ecosystem are missing the core challenges that are affecting practitioners, such as key management and user-friendliness. We’re keenly focused on improving enterprise security fundamentals and identifying core technologies that help large organizations build security into their systems. If you’re working on a product that makes security easier to implement, we want to hear from you.