Black Hat’s Place in Enterprise Information Security

In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary topics of conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. The RSA Conference is a great example. Instead of 3-4 of us sitting in a conference room discussing how to secure our organization, we get 300-400 of us in a bigger conference room talking about how to secure all of our respective organizations. We get high-quality speakers to share their knowledge, and we go back to our offices with some new ideas.

No wonder RSA is so comfortable; it’s just a bigger version of the same meetings we participate in 40 hours a week.

If you go to the Black Hat conference expecting the same experience, you’re going to be greatly surprised. This was my first year attending Black Hat. It’s anything but ‘just another security conference.’

The nature of the attendees and speakers is different. Gone are the folks in business casual. They are replaced by swarms of people sporting infosec t-shirts and scruffy beards. Most of us are well warned that we should have our phones turned off before getting anywhere near the convention area. (Something I’ve never had to worry about at a local ISSA meeting.)

And throughout the Black Hat briefings I attended, I didn’t once hear the words “defense in depth” or “return on investment.” What I got instead is a steady stream of examples of exactly how the bad guys are going to break into specific systems. Black Hat doesn’t have a management track in their briefings; the focus is on the practical, hands-on attack and compromise of information systems.

In our enterprise information security world, our focus is more on getting real buy-in from the business than on actively engaging hackers. We can spend so much time working with system administrators and developers creating security implementation plans and timelines that our eyes drift away from the actual threats the hackers present. Spending a couple of days at Black Hat will draw our attention right back to the bad guys, in a dramatic style.

Black Hat offers dozens of very specific examples of how the systems we count on are vulnerable to exploitation. Seeing highly skilled hackers cut through systems that you know are currently deployed in your organization transforms information security from a meeting topic into a critically important consideration.

Black Hat is the other side of information security, the stuff that many of us security managers don’t see enough of. It shows us a clear picture of the front-line battle that sometimes gets lost as we think about the larger war. The RSA Conference will always have its place as a tool for making security programs better, but Black Hat’s unique perspective on system exploits gives a peek into a scene that’s far too often overlooked.

3 thoughts on “Black Hat’s Place in Enterprise Information Security”

  1. Looks like a good takeaway from the conference. It is important to have the conversation about “defense in depth” and such, but I agree that if there is no knowledge on actually performing the attacks, and learning how your implementation of “defense in depth” can be exploited, then you can’t provide security at the level you probably want to.

  2. Thanks for taking the time to read and comment, Chris. I think so many infosec managers get buried in the big picture, and the politics of our jobs, that we sometimes forget how the battle is won and lost. We forget the trees for the forest.


  3. So it is said that if you know your enemies and know yourself, you can win a hundred battles without a single loss.

    If you only know yourself, but not your opponent, you may win or may lose.

    If you know neither yourself nor your enemy, you will always endanger yourself.

    – Sun Tzu –
