Within the cybersecurity community, Black Hat USA is one of the most anticipated events of the year. From August 5-10, security professionals from around the world flocked to Mandalay Bay Convention Center in Las Vegas, NV, for trainings, briefings, demonstrations, networking, and other activities. This year marked the 26th annual conference, and its longevity speaks to Black Hat’s continuing leadership role in providing research and innovation that propels the industry forward.
The security space is sprawling, and conferences like Black Hat provide a welcome opportunity to meet friends, partners, and clients in person. As grateful as we all are for the digital events of the pandemic era, it just is not possible to replicate the energy and excitement of a live event. The chance encounters, hallway conversations, and unexpected surprises are a big part of what makes Black Hat great. It is always a thrill to realize you are finally shaking hands or fist-bumping with someone you have worked with online for years! I also thoroughly enjoyed the fun and playfulness of the Cymulate cyberpunk booth and the opportunity to help Richard Stiennon launch his 2023 Cybersecurity Journal with an in-booth book signing.
Key Takeaways from Black Hat 2023
Social interactions aside, the Black Hat presentations themselves offered no shortage of takeaways. Below are some of the impressions the Cymulate team took away from the conference:
Businesses are focusing on “proactive security.” Cybersecurity measures fall into three buckets: proactive, preventative, and reactive. It was proactive security that attracted the most attention at this year’s conference, and we saw multiple presentations promoting technology that “seeks out and mitigates likely threats” before they can escalate. Proactive security represents a new, extended perimeter—it is a mindset shift that can help organizations better prepare to face down unexpected and unknown threats. Unsurprisingly, most of the attendees we spoke to were familiar with Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART) solutions, and were interested in learning more about how to incorporate them into their digital environments.
Risk-Based Vulnerability Management (RBVM) is on the rise. One of the key themes of proactive security is the ability to detect and prioritize vulnerabilities. Not all vulnerabilities are created equal—some are riskier than others. Cymulate solutions can help customers better understand which ones actually provide adversaries with dangerous attack paths, and which are effectively covered by compensating controls. Understanding where risk lies within the organization is critical, and it was great to see RBVM gather attention at the conference.
“Return on Security” is an increasingly popular concept. Businesses are always looking for Return on Investment (ROI), but security has long been considered an exception. Now, a growing number of businesses are treating security as a business enabler, and they want to be able to quantify and measure the impact of their efforts. It was great to see this topic gaining traction at Black Hat—especially since the Cymulate exposure management and security control validation solutions play an essential role in helping organizations translate their security capabilities into business terms. It is also a subject that will continue to be important, as other presenters illustrated that while IT budgets are continuing to rise, the amount of scrutiny over those budgets is also increasing.
Where Exposure Management fits into the security landscape. We saw one analyst describe exposure management as “an extended definition of vulnerability management,” and while it is easy to see how that impression could arise, it is also an oversimplification. Gartner’s definition of exposure management makes it clear that it goes far beyond the capabilities provided by vulnerability management tools, enabling leaders to “build evidence-based security.” Continuous Threat and Exposure Management (CTEM) is gaining steam as a way to translate between security needs and business outcomes, and organizations will be increasingly looking for solutions that offer exposure management, security validation, and other tools within a single platform.
“Posture Management” is coming back into vogue. Attaching the term “posture management” to anything requiring controls and policy configuration has resurfaced as a trend. Data security has become “data security posture management,” cloud security has become “cloud security posture management,” and so on. It is good for businesses to think about posture management. However, this approach typically focuses too much on the defender’s point of view, with lists of assets, golden images, and vulnerabilities to fix, rather than on opportunities to exploit, which is closer to how an attacker would think. Security teams looking to establish proactive measures will want to look more closely at emerging exposure management solutions.
Cloud security challenges persist. One striking presentation highlighted research showing that 38% of businesses still feel that their cloud environments are being “used without the necessary security features,” and another 36% say they struggle with responding to incidents in a timely manner. The cost of cloud-specific solutions and general lack of experience and expertise with cloud technologies were also listed as major concerns. This is not a problem that is going away, and it highlights the continuing need for security solutions that provide comprehensive coverage and exposure visibility for both on-premises and cloud environments.
Generative AI sparks interest…and concerns. Of course, generative AI solutions attract a significant amount of attention at any tech conference, and Black Hat is no exception. Interestingly, this year’s presenters tended to take a more cautious view of generative AI, emphasizing that these solutions lack the ability to “turn data into action more rapidly than human operators,” and noting that while the technology has a great deal of potential when it comes to assisting and augmenting human beings, it won’t be ready to replace them anytime soon. It was a refreshingly pragmatic take on a technology that has been generating (no pun intended) quite a bit of hype.
Notable Announcements at Black Hat 2023
Black Hat unveils “Certified Pentester” program. This year, Black Hat announced the Black Hat Certified Pentester (BCPen) program. Black Hat describes BCPen as “an intermediate level exam, intended to be taken by professional pentesters, bug-bounty hunters, red and blue team experts, SOC analysts and anyone wanting to evaluate or appraise their existing knowledge in topics involving hands-on pentesting.” This full-day, practical exam was offered during the first four days of the event and provided an intriguing opportunity for attendees to test their knowledge and gain a new certification.
DARPA announces AI Cyber Challenge. The DARPA AI Cyber Challenge (AIxCC) urges technology experts to design AI-based security tools capable of securing America’s vulnerable critical infrastructure. The competition will be open for two years and features both an open track and a funded track for a small number of businesses. The prize money is significant: $18.5 million has been set aside for the finalists. It will certainly be an interesting competition to follow!
Microsoft reveals new cloud security innovations. Microsoft announced new capabilities designed to help organizations better visualize their multi-cloud environments. This is a particularly timely development as a growing number of businesses are using multiple cloud providers. Microsoft states that this greater visibility will give businesses the ability to be more proactive in their breach prevention efforts.
Abnormal Security announces “CheckGPT.” AI was a hot topic at Black Hat, but Abnormal Security took an interesting approach to the topic, revealing a product designed to detect attacks created using large language models (LLMs). With attackers likely to continue using generative AI and LLM technology to generate spam messages and other social engineering attacks, having the ability to flag emails written by AI could prove valuable.
IBM and Cloudflare reveal new bot mitigation solutions. IBM revealed that the company will be incorporating new bot mitigation capabilities for many of its enterprise users, with the hope of preventing DDoS attacks and data theft associated with automated traffic. The new solution includes machine learning designed to identify bot traffic, and is targeted at the financial, ecommerce, and healthcare industries.
Cymulate announces new threat-informed cloud defense capabilities. Finally, our own big announcement. Black Hat was the perfect opportunity for us to highlight our new innovations in cloud infrastructure defense. The Cymulate Exposure Management and Security Validation platform now includes expanded cloud-focused simulation templates designed to deliver threat-informed defense capabilities covering all major public cloud providers. With the current spotlight on proactive security and the continuing need for stronger cloud protections, we were pleased with the response to our announcement and enjoyed having the chance to discuss these new protections with conference attendees.
Final Thoughts from Black Hat 2023
From presentations discussing the most pressing cyber issues of the day to the announcement of a DARPA-funded infrastructure security competition, there is never a dull moment at Black Hat. It was great to see so many of our customers, partners, and friends at the event—and wonderful to meet so many of my Cymulate colleagues face-to-face!
It was encouraging to hear so much discussion of exposure management and security validation at the conference, and we left more confident than ever that Cymulate is well-positioned as a market leader in those areas. As always, it was sad to say goodbye—but we are already looking forward to next year’s event.