Five thoughts from DefCon
Fundamentals still matter in security; lots of security growth opportunities; focus on community is bigger than ever
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Shoutout to all the new subscribers, and thanks to everyone who featured my blog as part of a list of security blogs people should read! A special thank you to John Cowgill for being the first founding member. If you want to support more of my writing and continue to see it, please consider buying a paid subscription or becoming a founding member!
This year, I finally returned to DefCon after several years of skipping it. For the first time, I spent more time at DefCon than I did at Blackhat. In the past, I’ve mostly been spending time at Blackhat, but I’ve gotten overloaded by the “commercial” feeling of it. So, I wanted to go back to a conference more focused on practitioners and on people closer to the threats.
After a few days recovering from the heat and craziness of Las Vegas, I got around to gathering my thoughts on the conference.
tl;dr: DefCon was awesome, and I’m glad I spent more time there than Blackhat. My belief is that DefCon will become a more important conference in the future — security leaders have gotten too far away from the actual problems, especially as their organizations have grown in size.
Anyway, here are my five major observations/thoughts from DefCon.
The busiest villages/areas weren’t surprising.
Other than the infamous merchandise line, the longest lines for villages were the social engineering, bug bounty, AI x CC, cloud security, and packet hacking villages. This isn’t too surprising.
The social engineering, bug bounty, and packet hacking villages are the easiest to understand, especially for security generalists. The other villages did require more investment, either through sitting down and doing a CTF or through more prerequisite knowledge. For example, the social engineering village had an audience observing others doing some basic social engineering attacks, which weren’t that hard to follow.
It seems like the demand for AI and cloud security villages was related to many practitioners wanting to expand their knowledge. It seemed that people in line were eager to learn more about these areas, and from the people I talked with, it does seem that their employers are asking them to learn more as many companies are realizing that cloud and AI adoption are inevitable. (Side note: part of the reason I went was to understand people’s perspectives on cloud and AI security and potential future attacks.)
In addition, there were long lines for vendors, not the typical security software vendors, but vendors who were selling more “traditional” security tools, such as hacking kits, WiFi Pineapples, lockpicking kits, etc.
Overall, this wasn’t surprising, and it was promising because security practitioners are investing time in both new and old trends. We should be investing more in both areas: the new and the fundamentals.
Security needs more bottom-up decision making.
Traditionally, security has had a top-down decision making process. This is quite common with operational organizations, such as finance, legal, etc. However, this is uncommon for efficient and highly productive engineering organizations that want to move fast. It’s no surprise that most security products try to target CISOs or heads of security.
I do believe that those days are coming to an end as we see more technical leaders who are pushing ownership and decisions closer to those who have more day-to-day context.
The reason I bring this up is that DefCon tends to be a practitioner-focused conference, and it doesn’t attract a lot of security software vendors. This year, I noticed two interesting trends.
First, there were more salespeople than before, and I heard at events that more sales organizations are asking to send their sales teams to DefCon. This is likely because sales teams are seeing more senior security practitioners influencing buying decisions, which is a good thing. Those people tend to have the most context on both the technical and business side.
Second, having been a regular at Blackhat and RSA as well as keeping track of upcoming security startups, I noticed a disconnect between the areas that startups were working on and what security practitioners were interested in at DefCon. In other words, there seems to be a much lower overlap than what I thought. It seems that security companies are working on what security leaders are interested in, not what security practitioners are interested in. Of course, there’s some argument to be made that security leaders are in charge of strategy and have more business context, but the disconnect seems too big.
Therefore, what’s more likely is that threat surfaces have substantially increased and/or changed in the past decade. The universe of threats is larger than a CISO has the cognitive load to handle. They are trying to combat this with bigger organizations, but it doesn’t seem to be working. There are still security issues, and CISO burnout is a prominent issue. It seems that the top-down approach isn’t working. Their organizations need more autonomy. Especially since security has to handle more technical issues now, it should look to rely on its senior technical leaders to build a leaner, more efficient, and more effective organization, because they are the ones who have the most important day-to-day context to make the best decisions.
Some things never change in security… but we should try to change them.
In many ways, DefCon stayed the same. Sure, they moved to the Las Vegas Convention Center. There were more people. There was more interest in topics like the cloud, and there were new topics, like AI. However, many of the villages and CTFs were the same. The conference still had the same vibe of people wanting to improve their security skills, which is awesome!
What I want to focus on is that a lot of the skills being taught in the villages were the same, especially in the ones that have been around for a while. The AppSec village was still doing static analysis training. The packet hacking village was still able to detect locations of phones by intercepting packets. Finally, the social engineering village was still able to have volunteers and professionals gather information over the phone using similar techniques. This is the part that didn’t change. Some might view that as good. I believe this is an area that should change.
As I discussed above, there’s way more investment in security tooling, but it seems that many of the “hacking” techniques have stayed the same. Some might argue that we are better at detecting and responding to these types of techniques, and that’s true. However, we haven’t made it harder to do the security basics, and as an industry that has seen increased investment, we should change that.
We need to take security more seriously as a national defense issue.
One of the most notable and biggest “villages” was the AI x CC village. This was the DARPA-funded cybersecurity challenge that brought together AI and cybersecurity experts to hack into critical infrastructure, such as water systems, hospitals, etc. Going to the village was another reminder that our society relies more on technology than we notice. If you think about it, almost every company is a technology company or trying to be one. That’s why I believe we should start thinking about cybersecurity as more software and technology security rather than the traditional “information security.”
Most companies are online, and almost every aspect of our lives uses technology. We can’t rely on the same techniques that used to protect paper files and floppy disks to also protect our SaaS applications. Attackers have evolved, and more information is available online than ever. It also seems easier to find. For example, social security numbers used to be considered extremely sensitive and needed to be safeguarded, especially since they are unique and don’t change. Now, they seem to be readily available through breaches.
Many people used to not know who CrowdStrike was, but they became known not after a breach but after an outage caused by a software update meant to prevent a breach. What was illuminating is that it severely disrupted many people’s lives, such as preventing payment, delaying flights, etc. It took days to recover. This makes cybersecurity a serious national defense issue that we need to invest more in.
I hope DefCon doesn’t give in to commercial pressures and keeps trying to make security more accessible.
As stated above, I’m already seeing salespeople show up to DefCon. What was always nice about DefCon is that the conference felt like an educational forum, whereas Blackhat and RSA felt like places where vendors would sell goods. There aren’t lavish parties to market your product, or marketing people trying to get your information so that they can contact you and generate leads to meet their quota. There were small, intimate gatherings where people could talk with like-minded people about what they were working on and get advice without being bombarded with marketing jargon and buzzwords.
DefCon was also a place where someone who doesn’t work in security could go and learn more about security. In fact, this year, I went with one of my friends who didn’t work in security and just wanted to learn more. Many of the villages were educational and accessible — there were actually other security professionals teaching rather than salespeople selling a product. It’s a good way to start getting exposure to security, especially if it’s not your day job.
There are already two major conferences focused on vendors. I hope that DefCon will continue to be a place where security professionals can come learn and share ideas even though that might not be the easiest path financially.