In its 17th year, the annual Black Hat security conference was bigger than ever, with more than 8,000 registered attendees, 147 vendors exhibiting in the expo hall, and more workshops. The conference’s size and the fact that the conference had moved from Caesars Palace to Mandalay Bay are fairly cosmetic changes. The tenor of the conference had completely changed, as well.
Black Hat was, at heart, always a hacker conference. The hackers showed off the latest things they’d managed to break, and tried to out-do each other on creativity. It was about breaking ATMs, showing off zero-day exploits, and causing controlled chaos. This year’s vibe, however, was less hacker, more professional.
Consider what Dan Geer, the CISO of In-Q-Tel, the CIA’s investment arm, said about bug hunting during his opening keynote on Wednesday: “Finding vulnerabilities got to be too hard to do as a hobby in your spare time — you needed to work it like a job and get paid like a job.”
The attendee makeup also reflected the conference’s growing professionalism. Alongside the people who do security everyday were those who traditionally would never have considered security as part of their job description, including software developers from non-security companies.
Geer noted during a press conference that people are increasingly willing to do the right thing, so long as everyone else is doing the same thing. Whether that applies to mandatory breach reporting or having to make an investment to ensure certain policies are done securely, if it’s clear the rules apply equally to everyone, there will be less pushback. No one wants to feel like they are being picked on, he said.
The conversations are also a mix of breaking things and the business of security. “We aren’t likely to hear much about NIST frameworks, GRC, or CISO strategies,” the Enterprise Strategy Group’s Jon Oltsik wrote in a preview of the conference. As it turns out, the roundtable discussion on the NIST Framework for protecting critical infrastructure was so in demand that the room filled to capacity. And this was while a pair of researchers discussed how to remotely hack a car.
“I have long preferred to hire security people who are, more than anything else, sadder but wiser,” Geer said towards the end of his speech. “They, and only they, know that most of what commercially succeeds, succeeds only so long as attackers do not give it their attention while what commercially fails, fails not because it didn’t work but because it wasn’t cheap or easy or sexy enough to try.”