Sandy, Allie, Paddy, Erik, and Cody assembled in Vegas last week for BlackHat. We spent the week attending sessions; meeting with clients; looking for trends, highlights, and lowlights in the festival of vendor marketing (on the show floor and in the convention center hallways); and making sure to drink a lot of water to survive the stifling 110-degree heat.
Here are some highlights from the show floor:
AppSec dominates. Application security vendors reigned on the show floor – and there was a particular emphasis on software supply chain security and on application security posture management (ASPM). Walking through Startup City, we noted several early-stage vendors pitching ASPM on their signage. As API security specialists have been gobbled up by larger application security vendors or have expanded their initial offerings, there was less API-specific messaging and more “application and API security” language.
Other buzzwords fade. Notably, genAI and Zero Trust messaging were few and far between. Generative AI's absence was particularly surprising, as it was such a popular topic at RSA Conference earlier this year. However, Forrester has anecdotally heard from both practitioners and vendors that the chatbot use case is rife with usability challenges, which we have written about. Rather than pushing genAI, vendors are making buzzy attempts at differentiation by adding words like THE, dynamic, fastest, and scalable to their product names.
Industry moves to “SPM all the things.” Vendors pitched ASPM, DSPM, CSPM, KSPM, and ISPM. With security posture management being the “hot new thing,” it brings several questions: Does every discipline need an SPM? How do the SPMs interact? How does vendor consolidation into platforms and solutions like Exposure Management play a role? Unfortunately, we find that these singular SPMs lack the comprehensive picture needed to prioritize well and often lack remediation capabilities.
IoT security vendors had a decent showing. Armis was a Titanium sponsor, Dispel was Platinum Plus, and Claroty was Platinum. Their presence confirms what we hear from customers about their need to improve IoT device security within the enterprise and puts pressure on the other security vendors to level up their offerings within this market.
Post-CrowdStrike messaging emphasized resilience and risk. Many vendors touted “risk” and “resilience” in their value messaging. However, beneath the marketing language, there hasn’t been a lot of substance to how other tools could stop this issue beyond other vendors having different QA and kernel access policies. As we wrote about in multiple pieces, preventing this issue as an end user in the future is operationally challenging – the changes need to come from the vendor. Further, the onus is on the practitioner to use the outage to systematically prioritize and manage their total risk posture. While we’re encouraged to see vendors and practitioners talking about resilience use cases in more concrete terms, resilience isn’t achieved through any single security product.
Some vendors had fun with their booths. We would like to recognize some vendors who opted not to take themselves too seriously and had booths that deviated from the standard corporate branding. A little bit of whimsy is OK (as long as it is respectful, please). Pentera’s booth was designed to look like a game of Candyland, a late-1800s scientist would feel at home in HUMAN’s old-timey conservatory/lab, and Wiz’s booth marketing was a retro supermarket ad come to life.
Election Security Is Front And Center
Off the floor, one of the key themes of BlackHat was not enterprise-focused. During the opening keynote, a panel of leaders from the US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the EU’s European Union Agency for Cybersecurity (ENISA) discussed election security and the dynamics of protecting elections in a year where over two billion people globally are expected to vote. The panel focused on two elements of election security: protecting infrastructure (which we have written about before) and addressing the misinformation and disinformation campaigns that target citizens. CISA director Jen Easterly expressed confidence in US election infrastructure and noted that the distributed nature of US election administration – at the county level rather than at the federal or even state level – limits the reach of any potential infrastructure attacks. Felicity Oswald of NCSC and Hans de Vries of ENISA both pointed out that many of the elections in their regions still use paper ballots and manual counting.
On the topics of misinformation and disinformation, members of the panel stressed that media and leaders are responsible for using proper language so as not to propagate misinformation (hard agree), while CISA’s Easterly emphasized the importance of getting information from subject matter experts (a message that resonated with those attending the keynote but wouldn’t with the subgroup of citizens that tend to distrust “experts”). Not discussed was what these agencies are doing to disrupt disinformation campaigns and prevent misinformation from taking hold.
Another year, another attempt at avoiding the heat
Outside of the sessions, meetings, and show floor where we spent our time staying out of the heat, we also went to a smash room and spent 15 minutes breaking things.
Reach out to us if you have any questions about BlackHat, DEFCON, or what’s next for the market. Forrester clients can request an inquiry or guidance session to discuss the event and any other lingering questions.