Black Hat’s Place in Enterprise Information Security

Wednesday, August 17, 2011

Robb Reck


Black Hat Conference’s Place in Enterprise Information Security

In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, in conference rooms and in closed-door meetings.

These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks spread across a huge threat surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” dominate the conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements, just on a larger scale.

The RSA Conference is a great example. Instead of three or four of us sitting in a conference room discussing how to secure our organization, we get 300-400 of us in a bigger conference room talking about how to secure all of our respective organizations. We get high-quality speakers to share their knowledge, and we go back to our offices with some new ideas.

No wonder RSA is so comfortable; it’s just a bigger version of the same meetings we participate in 40 hours a week.

If you go to the Black Hat conference expecting the same experience, you’re going to be greatly surprised. This was my first year attending Black Hat. It’s anything but ‘just another security conference.’

The nature of the attendees and speakers is different. Gone are the folks in business casual. They are replaced by swarms of people sporting infosec t-shirts and scruffy beards. Most of us are well warned that we should have our phones turned off before getting anywhere near the convention area. (That is something I’ve never had to worry about at a local ISSA meeting.)

And throughout the Black Hat briefings I attended, I didn’t once hear the words “defense in depth” or “return on investment.” What I got instead was a steady stream of examples of exactly how the bad guys are going to break into specific systems. Black Hat doesn’t have a management track in its briefings; the focus is on the practical, hands-on attack and compromise of information systems.

In our enterprise information security world, our focus is more about getting real buy-in from the business than about actively engaging with attackers. We can spend so much time working with system administrators and developers on security implementation plans and timelines that our eyes drift away from the actual threats those attackers present. Spending a couple of days at Black Hat will draw our attention right back to the bad guys, in a dramatic style.

Black Hat offers dozens of very specific examples of how the systems we count on are vulnerable to exploitation. Seeing highly skilled hackers cut through systems that you know are currently deployed in your organization transforms information security from a meeting topic into a critically important consideration.

Black Hat is the other side of information security, the side that many of us security managers don’t see enough of. It shows us a clear picture of the front-line battle that sometimes gets lost as we think about the larger war. The RSA Conference will always have its place as a tool for making security programs better, but Black Hat’s unique perspective on system exploits gives a peek into a scene that is far too often overlooked.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Lucian Andrei: Nice post. You convinced me to go to the next Black Hat.
Robb Reck: Lucian, thanks for the comment. Just make sure you show up with your learning cap on!

nathan ouellette: I think I understand the point of your article, but I also feel that sometimes there is simply too much adversity between business folks and what I'll call "black hat" types. I would agree with you that the RSAs of the world and the Black Hats of the world both have their place. They both serve a purpose: to provide a forum to exchange ideas and information. But it's all relative to that level of expertise and subject area. Black Hat is great, but it doesn't help the 'suit' balance a budget or make resource decisions. RSA is great, but it may not provide the technical details to understand a VERY particular threat that may be critical to the business you work with. I would argue that these two worlds need to co-mingle a bit better. In fact, shame on any executive that does not employ or contract a technical security practitioner to help them understand the threat vectors, risks, vulnerabilities and countermeasures to specific assets that apply directly to the industry they work in. Everyone has a place at the table, and it's important to strategize that integration and relationship in every security program. Without management and executive decisions, the ship has no direction. Without the hands-on, passionate security researcher, the managers have no real-world insight into their own potential exposures. In fact, I would go as far as to say that both conferences (RSA and Black Hat) need tracks that educate the audience on why the other is important and why both need to be combined to present a more informed viewpoint.