Security summer camp 2015: Three overarching themes at Black Hat, DEF CON and BSidesLV

Analyst: Scott Crawford

The late summer week of Las Vegas security conferences – Black Hat, DEF CON and BSidesLV – together make up one of the year's most significant industry checkpoints. Although the booming interest in security has made the focus, particularly at Black Hat, more commercial in recent years, these conferences have maintained their position as leading forums for security researchers and practitioners, and as such remain bellwethers of many of the topics and trends security professionals care most about.

The 451 Take

This year, three overarching topics collectively stood out at every venue of the Vegas conference trifecta: the security of technology-equipped automobiles as a focus for growing concerns about security in the Internet of Things, controversy over the sharing of intelligence and security research tools and the role of government in both, and more subtle yet distinct changes in the nature of the security market itself. In this and two other related 451 Research spotlights, 451 Research analysts take a look at these and related themes that will set the tone of the industry in the months to come. 

Baby, you can drive my car: automotive exposures and the security of 'things'

Among the biggest noisemakers in the lead-up to the week were demonstrations of the ability to break into the control systems of automobiles. With no small amount of grandstanding, researchers Charlie Miller and Chris Valasek executed an over-the-air compromise of various control systems of a Jeep Cherokee driven by Wired reporter Andy Greenberg in the weeks before Black Hat.

The act (or stunt, in the view of some security pros) captured the attention of mainstream media and was accompanied by pre-conference previews of two similar demonstrations: Samy Kamkar's OwnStar, a small device that intercepts communications with General Motors' OnStar RemoteLink app and that allows an unauthorized user to locate, unlock or start a GM vehicle; and Marc Rogers' and Kevin Mahaffey's demonstrations of Tesla Model S exploits that lead to a similar level of control. All these demonstrations were planned for the Vegas security conferences: Miller's and Valasek's for Black Hat; Kamkar's, Rogers' and Mahaffey's for DEF CON. These demonstrations further followed reports earlier this year of Chris Roberts' exploits of commercial airline in-flight entertainment systems, allegedly gaining control of aircraft engines in one case to make a plane briefly 'fly sideways.'

It's not as if compromises of 'things' had not been demonstrated before. Miller and Valasek had previously shown the same Wired reporter exploits of Ford Escape and Toyota Prius systems, while hacks of insulin pumps and pacemakers have been showcased at previous Black Hats since at least 2011, along with the vulnerabilities of 'smart meter' systems and other environmental controls. The well-known Stuxnet attack against PLCs (programmable logic controllers) dates back at least to 2010.

What's different about this year's demonstrations is that, in the Jeep and OnStar cases, they exploited vulnerabilities in large-scale wireless control systems that could disable entire lines of vehicles. The 'large-scale wireless' platforms in question may not have been intentionally connected to automotive control by the manufacturer, but the fact that the researchers were able to pivot from vulnerabilities in Chrysler's Uconnect or GM's OnStar to the car's on-board control functions effectively renders the distinction moot. In some cases the researchers also implicated mobile apps for accessing the wireless control functionality, introducing yet another threat vector into the mix.

Because of the broad-scale potential of this class of exploit, this year's demonstrations may have marked a turning point in awareness of the security challenges facing a growing world of 'smart' systems that make up multiple facets of everyday life. In a separate spotlight report, 451 Research senior information security analyst Adrian Sanabria discusses, among many other insights, the implications of these exploits and what they mean for industries not traditionally considered IT-centric, but which must now come to grips with challenges long familiar to information security pros.

We're the government and we're here to help

One topic that has seen no small amount of discussion in the months leading up to Vegas security week is that of the relationship between investigators who seek to share tools and findings, and the role of government in such efforts.

In threat intelligence sharing, government has largely been a proponent. The US government introduced a new Cyber Threat Intelligence Integration Center in February intended to provide a focal repository for threat intelligence for government and private industry, and signed an Executive Order to encourage threat intelligence sharing between private sector organizations, as well as between the private sector and government. However, many security professionals have argued for years – and continue to argue – that while governments are strong advocates of intelligence sharing within the private sector and from private to public sector organizations, there is still not enough actual sharing of intelligence from government to private industry.

When it comes to the sharing of research tools, government and related organizations have recently stirred controversy among security professionals. The impact on security research of the Wassenaar Arrangement (WA), a 41-nation multilateral export control organization, was a topic of discussion at both Black Hat and DEF CON this year, continuing an industry-wide discussion following a May statement by the US Bureau of Industry and Security (BIS) of that agency's intent to adopt 2013 WA agreements on export controls on what the WA calls 'intrusion software.' Organizations from independent security researchers to Google and even the Black Hat organization itself have decried the move, noting the vagueness of the WA's definition of intrusion software and the potential impact on research that serves to strengthen information security. In his Spotlight on this year's DEF CON, 451 Research information security analyst Dan Raywood reports in detail on this discussion as it took place in Las Vegas last week.

The changing nature of the security market

More pervasive than any specific topic were the ways that the Vegas conferences reflect the growing commercialization of security. Both Black Hat and DEF CON were originally organized as events for security researchers, particularly those whose expertise lies in educating defenders on how defenses can be broken. Today, the presence of commercial vendors has grown to the point where many refer to Vegas week as 'summer RSA.' The Black Hat vendor expo floor has grown substantially in recent years, and is now virtually indistinguishable from any other major vendor-oriented conference. With startup funding now reaching into nine figures in the security market, this is hardly surprising.

This also signals the growing influence of defenders in these conferences – or at least, an acknowledgement that having a response to threat scenarios is just as important (if not more so) to defenders than a demonstration of attack. Part of this recognition may also stem from another change in the tone of the security market. In years past, compliance was a primary objective of many security buyers. They may have used compliance as leverage to get the budget they needed to do what they wanted to do, but compliance as a primary driver for spending has now largely given way to a recognition that organizations really do need to be more secure. Security spending and successful breaches have both grown in recent years. Despite the cat-and-mouse nature of security, where adversaries constantly seek to circumvent defense and defenders respond by strengthening countermeasures, organizations expect to see benefit from their security investment. Continued breaches raise the bar on that expectation.

Exacerbating the challenge organizations face in making themselves more secure is the increasingly short supply of personnel with security expertise. Vendors and enterprises alike now vie for a rare and shrinking talent pool. Technology vendors see themselves as contributing to the solution to this problem, with technologies that automate operational tasks and expand analytic capabilities. Security analytics generally have become a much more active aspect of the market in recent months, capitalizing on the rise of data analytics to open new doors for security awareness and more effective defense through advanced techniques in machine learning, anomaly detection and behavioral modeling.

At the same time, however, these technologies pose a risk that they could make the talent crunch even more painful. Organizations are already overwhelmed with data, often finding that the evidence they needed to defend against a very real threat was buried in information they could neither analyze nor put to work quickly enough in effective action. To have a real impact on helping organizations cope with short staffing and data overload, emerging technologies must:

- Help develop skills by guiding security professionals toward the most meaningful insight needed to respond quickly and effectively.

- At the same time, preserve the body of data that enables more highly skilled investigators to search for as-yet undiscovered evidence when conditions warrant.

- Most importantly, these technologies must lead to results. Analytics only contribute to noise when they do not result in action. Those that point the way to specific response measures, decision support or concrete results should therefore be expected to get a far more favorable hearing from buyers.

This is, in fact, the direction in which security conferences such as these should themselves point. Hopefully, these indicators of change in the market also indicate the growing maturity of the security industry as reflected in trends seen at the Vegas security summer camp, giving defenders what they need to be effective rather than simply showcasing how technology can be broken.

Scott Crawford is Research Director of the Information Security practice at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market. Well known as an industry analyst covering information security prior to joining 451, Scott's background includes experience as both a vendor and an information security practitioner. At IBM, Scott guided offering strategy and development with a primary focus on security intelligence for IBM Security Services. He is the former CISO of the Comprehensive Nuclear-Test-Ban Treaty Organization (CTBTO) International Data Centre in Vienna, Austria, where he pioneered the implementation of security policy and architecture for a non-governmental organization (NGO) serving more than 150 nations. His experience includes systems and security management for leading organizations in both the private and public sectors, from Emerson to a division of the University Corporation for Atmospheric Research in Boulder, Colorado focused on the collection, management and analysis of geophysical and meteorological data.