Black Hat’s Place in Enterprise Information Security
In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary topics of conversation.
On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. The RSA Conference is a great example. Instead of 3-4 of us sitting in a conference room discussing how to secure our organization, we get 300-400 of us in a bigger conference room talking about how to secure all of our respective organizations. We get high quality speakers to share their knowledge and we go back to our offices with some new ideas.
No wonder RSA is so comfortable; it’s just a bigger version of the same meetings we participate in 40 hours a week.
If you go to the Black Hat conference expecting the same experience, you’re going to be greatly surprised. This was my first year attending Black Hat. It’s anything but ‘just another security conference.’
The nature of the attendees and speakers is different. Gone are the folks in business casual. They are replaced by swarms of people sporting infosec t-shirts and scruffy beards. Most of us are well warned that we should have our phones turned off before getting anywhere near the convention area. (Something I’ve never had to worry about at a local ISSA meeting.)
And throughout the Black Hat briefings I attended, I didn’t once hear the words “defense in depth” or “return on investment.” What I got instead was a steady stream of examples of exactly how the bad guys are going to break into specific systems. Black Hat doesn’t have a management track in its briefings; the focus is on the practical, hands-on attack and compromise of information systems.
In our enterprise information security world, our focus is more about getting real buy-in from the business than about actively engaging hackers. We can spend so much time working with system administrators and developers creating security implementation plans and timelines that our eyes drift away from the actual threats the hackers present. Spending a couple of days at Black Hat will draw our attention right back to the bad guys, in a dramatic style.
Black Hat offers dozens of very specific examples of how the systems we count on are vulnerable to exploitation. Seeing highly skilled hackers cut through systems that you know are currently deployed in your organization transforms information security from a meeting topic into a critically important consideration.
Black Hat is the other side of information security, the stuff that many of us security managers don’t see enough of. It shows us a clear picture of the front line battle that sometimes gets lost as we think about the larger war. The RSA Conference will always have its place as a tool for making security programs better, but Black Hat’s unique perspective on system exploits gives a peek into a scene that’s far too often overlooked.