Lessons from BlackHat 2024
8-12-2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, August 12, 2024, and while there was some late breaking news over the weekend about a breach of Donald Trump’s campaign - allegedly, and still unconfirmed, by Iran - I’m going to let that one sit and focus on the important bits coming out of last week’s BlackHat conference in Las Vegas.
BlackHat Lessons For The Rest of Us
Last week saw the annual security conference known as BlackHat take place in Las Vegas. Also known as “Hacker Summer Camp,” this conference typically draws a who’s who of the space, and features lots of good talks, research, news and keynotes.
It’s (slightly) less vendor focused than May’s RSA conference in San Francisco, and has always had a bit of an edge to it.
As somebody who just couldn’t justify the time and effort to make the trek this year, I paid very close attention to the news and notes coming out of the event, and there’s one theme that I think we should all take notice of as we continue to navigate our own risks and cybersecurity challenges.
In her keynote address, CISA Director Jen Easterly threw down the gauntlet to tech companies, saying “We don’t have a cybersecurity problem. We have a software quality problem.”
CISA is, of course, leading the charge on a “secure by design” effort, and Easterly said it’s past time for software vendors to stop treating vulnerabilities “as an inevitable act of nature,” when other industries would consider similar flaws as alarming as “product defects.”
This will continue to drive discussions around software liability - which today is typically waved away by pretty robust “click through” terms of use.
Easterly called for Congressional action on this effort, which seems unlikely to come to pass for a whole host of reasons.
She wasn’t the only one with this message, however.
Natalie Silvanovich, team lead and security engineer with Google’s Project Zero, noted that:
“It’s becoming increasingly apparent that security research is not enough to end the era of zero days,” said Silvanovich at a session here at Black Hat USA. “We’re not in the place to make the next big changes that need to happen to protect users from zero days. Vendors are. This is not an easy task, and many vendors have made a lot of progress since we started. But there is so much left to do.”
Natalie also had some really interesting numbers and other data points in her talk, including a note that “up to 40 percent of in-the-wild zero-day flaws are variants of existing flaws, meaning that they are similar to flaws already fixed in software. This could indicate that vendors are rushing into fixes for their zero days as a result of pressure and time constraints. As a result, they are producing incomplete fixes and aren’t addressing the root cause issue behind the flaw.” Sounds similar to Easterly’s notes on software quality, or the lack thereof.
The other area that Natalie focused on is a security gap: the gap “between the best we see and the worst we see is large and growing,” she said. The worst offending companies in this area appear to be “middle-ware,” or firmware and software sold to upstream vendors, and attackers appear to be increasingly targeting these areas. Attackers, of course, will focus on these areas because of their increased impact - and the complexity of the digital ecosystem doesn’t seem poised to reduce or resolve anytime soon.
And, ultimately, as users and consumers of these pieces of technology, we really aren’t left with many options other than lobbying Congress as Easterly suggests. We aren’t going to write better software, our choices in the market aren’t exactly clear in terms of who is a “safe” bet (see CrowdStrike), and even if we could see the flaws, we aren’t in a position to resolve them.
Ultimately, this leaves us in the undesirable position of having to manage risk down to an acceptable level, and build in alternatives where we can.
It really does seem like there’s a change coming in this space - the problem is that it’s not coming fast enough for any of us to enjoy.
Fundraising
From a fundraising perspective, another relatively light week, with nearly the exact same $7.8B in newly committed capital as we saw last week, over just a handful of fund announcements.
As I’ve previously noted, this is likely just the summer slump, and things should be relatively quiet for another couple of weeks as we close out the summer.
Meanwhile, new research from consulting firm EY notes “PE sees its strongest quarter in two years” - with lots of interesting numbers and analysis.
Of note, the following:
“out of more than 250 separate PE funds that have closed this year, the top 20 funds have accounted for 61% of the total”
M&A valuations stick at 9.5x, with two-thirds of prices dropping to make the deal happen; and
A passing note on Exits being challenging - with the biggest reason they aren’t happening being “GPs are waiting for portfolio company financial position or market position to improve”
Well, that would explain it, wouldn’t it?
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://cyberscoop.com/easterly-secure-by-design-black-hat/
https://www.theregister.com/2024/08/08/election_tech_is_fine_says/
https://duo.com/decipher/project-zero-it-will-take-all-of-us-to-end-the-era-of-zero-days