Black Hat USA 2019 is just around the corner! Selecting which sessions to attend from among the conference’s jam-packed catalog of training sessions, panels and briefings can be a daunting task without a clear strategy. In the run-up to every conference, we compile a list of the most engaging content and identify the most compelling cybersecurity trends highlighted in the agenda.
We have seen a telling shift in emphasis between the 2018 and 2019 Black Hat USA agendas, as the focus moves away from new attack vectors to devising improved approaches to closing long-standing security gaps. Recent high-profile breaches attributed to existing security gaps, such as those affecting Facebook, First America, and Quest Diagnostics, have inspired a return to security basics. Industry experts are increasingly hesitant to direct resources towards securing brand new IT environments when fundamental gaps endure within existing security architectures.
With this trend in mind, we invite you to read on, and learn about Black Hat USA sessions that focus on what really keeps CISOs up at night as well as the cybersecurity industry’s leading greenfield opportunities.
Secure development life cycle
As application development accelerates and code releases increase in frequency, “shift left” has become the watchword in DevSecOps. This shift has led security professionals to reevaluate the role of developers in application security: how can devs follow security best practices during coding, and how to do so in concert with modern development methods and strategies.
This year’s secure development lifecycle talks focus on bridging the gaps among security teams, developers and DevOps teams. Life-cycle talks will also shed light on what security professionals need to know to better secure modern application development. Moreover, these talks will cover the integration of security practices into the everyday work of developers and DevOps to help recast security teams as collaborative partners rather than a “necessary evil.”
We are particularly intrigued by a session led by Aladdin Almubayed, Senior Application Security Engineer at Netflix. Netflix hosts 100% of its assets on AWS, is leading the charge in modern development and boasts one of the most advanced security programs and portfolios in the industry.
Our session picks:
1. Controlled Chaos: The Inevitable Marriage of DevOps & Security
2. Building an Enterprise Application Security Program at Scale in 2020
3. DevSecOps: What, Why and How
4. Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale
5. Shifting Knowledge Left: Keeping up with Modern Application Security
Privacy and the security of sensitive information is a critical concern in cybersecurity and across a range of end-user industries. Privacy compliance regulations are proving to have real teeth and significant financial implications for enterprises, leading to increased need for privacy regulation compliance technologies. This emerging requirement was best highlighted by the $230 million fine levied by the EU against British Airways for a 2018 breach that compromised the personal information of 500,000 customers—the largest fine issued under the GDPR to date.
Black Hat USA is offering a rare opportunity to discover how the new privacy landscape resonates with companies and consumers alike. Enterprises must rethink how to structure data management programs. This year’s talks focus on comprehensive bottom-up and top-down approach for enterprises to reshape how they secure sensitive data, as well as calling out gaps between GDPR and the actual pursuit of consumer privacy.
The standout event in this domain will surely be the session led by Jamil Farshchi, CISO of Equifax, whose company was subject to one of the most high-profile, data-compromising attacks of all time.
Our event picks:
1. On Trust: Stories from the Front Lines
2. GDPArrrrr: Using Privacy Laws to Steal Identities
Despite this year’s overall conference focus on long-standing issues, we can’t help including this particularly fascinating phenomenon on our list. The implications are just too fascinating to ignore.
In the past year, we have witnessed the proliferation of deepfakes – the use of AI-generated images and audio synthesis used to support increasingly advanced and sophisticated attacks. Symantec recently blogged about impersonation of CEOs to scam millions of dollars using deepfake techniques.
Industry experts speculate that deepfake attacks will increase over the next year and will significantly impact enterprises, financial institutions, and private citizens. Banks have been singled-out as particularly attractive targets, as convincing avatars can be created and inserted in remote know-your-customer processes when opening bank accounts, by replicating both voiceprints and appearances.
The geopolitical implications of deepfakes add another layer of interest and urgency to the phenomenon. Deepfakes first emerged in 2016 and experts are predicting a significant impact from deepfakes on the 2020 presidential race. Preliminary federal steps have been taken to address this threat, as the U.S. government singles out GAFA to reign in deepfakes within their respective platforms. We will be keeping a close eye on upcoming developments relating to this new frontier in cyber fraud.
Our session picks:
1. Detecting deepfakes with Mice
2. Playing Offense and Defense with deepfakes
Lastly, we asked our network of cybersecurity experts for their insights into the sessions that most piqued their interest. For a deep tech dive, check out these Black Hat sessions and also DEF CON sessions:
1. He Said, She Said – Poisoned RDP Offense and Defense
2. Infiltrating Corporate Intranet Like NSA – Pre-auth RCE on Leading SSL VPNs
3. A Compendium of Container Escapes
4. The Discovery of a Government Malware and an Unexpected Spy Scandal
5. DEF CON talk – SELECT code_execution FROM * using SQLite;- Gaining code execution using a malicious SQLite database
6. DEF CON talk – Say Cheese – How I Ransomwared your DSLR camera