There were a number of very good presentations this year and the after-hours parties were great, but from a security industry standpoint, Black Hat 2011 seemed like it had less energy. Some of that might have been because it got so much airplay on commercial media and NPR before and during the event, but even with many, many more people, there just wasn’t as much excitement as in the past.
It’s long been clear that the US Government is interested in the space and is spending massive amounts of money on information security and new security technology. It’s also apparent that many organizations are waking up to the fact that they need to develop effective information security programs. Recent discussions with clients are generally about how much more budget they will have in 2012 than this year. These are good things and you’d think they’d lead to significant private investment and more innovation that might show up at Black Hat. However, while Black Hat (and DEF CON for that matter) is supposed to be vendor neutral, you would expect organizations to emerge as industry leaders or at a minimum to show overall industry thought leadership. Other than the US Government and its speakers (in particular Mudge), there wasn’t much commentary on the state of the industry and bigger-picture issues.
I realize that some of the lack of corporate thought leadership (and momentum) is intentional – Jeff Moss referenced getting back to vendor neutrality in one of the keynote intros and I do understand that Black Hat is more about security research and technology. Nevertheless, in past years, there was at least some industry excitement surrounding new concepts and industry-related acquisitions such as IBM buying Ounce and AppScan, or HP buying WebInspect and Fortify. Even the spinoff (and eventual Dell acquisition) of SecureWorks created buzz at Black Hat in the past.
There was really no “buzz” and no real unifying industry vision at this year’s event – which ultimately is important as we mature as a vertical. As has happened before with the security industry, roll-ups and investment seem to be bungled. Like the first major round of roll-ups (where Symantec, McAfee, and VeriSign were the acquirers), the latest generation of security roll-ups appears to be flailing. IBM has struggled to consume ISS and its other recently acquired security product lines. HP appears to be in a similar boat. RSA looked like it might be starting something, but, well, they won a pwnie this year…
Don’t get me wrong, I enjoyed many of the presentations – Moxie Marlinspike was great, Nelson Elhage’s preso on breaking KVM was interesting, and I always enjoy the Securosis crew. Additionally, the overall focus on mobile security, iOS and Android was good. And the open discussion about advanced persistent threat (APT) and what actually is going on with foreign governments (like China) was refreshing – Alex Stamos gave a good 10-minute overview of APT within his presentation comparing Windows and Apple security.
However, you know the industry is having issues when one of the main industry-related discussions is about Trustwave trying to go public (which we’ve been hearing for 18 months) and the biggest booth at the show is occupied by a pwnie award winner, RSA (one of the reasons for increased budgets next year). I’m not sure that this will change soon, and, in fact, not having large major players benefits boutique firms like NetSPI; however, with all of the government money and the increased information security budgets, it’s inevitable that we’ll see more investment, new ideas, and new leaders emerge – maybe next year.