Around infosec campfires, spooky tales are told about the horrors of logging on to the public networks at Black Hat and DEF CON, culminating in the legendarily adversarial network of the latter. But Bill Swearingen, strategist with Black Hat network operations center vendor IronNet, says that if his firm does its job well, Black Hat will not be such a scary place to be.
SC Media spoke to Swearingen about the unique challenges of running a NOC amidst 50,000 invited hackers, and what enterprises can learn from the experience.
What make's Black Hat a unique environment to run a NOC?
If we were to be protecting a SOC or NOC at an enterprise level, the CIA triangle — confidentiality, integrity, and availability — all have the same importance. And with Black Hat, it shifts a little bit. We're really, really focused on availability. It's redundantly built around ensuring that the network is available for the speakers and for registration and for the vendor area, you know, all of those kinds of things. And when the availability side stands out dramatically, then everything else, while still important, kind of takes a little bit of a backseat.
Then you add in the mix of that a lot of the attendees there are the type of people that have the skillset to carry off advanced attacks against networks. And you throw in the mix of Las Vegas and alcohol, and a lot of times you kind of get the "Hey, look what I can do" mindset. While it does mimic a very large enterprise network, the activity is very adversarial.
Does that mean it's as adversarial as people think it is? I remember one year my boss sent me with a Faraday Cage.
In the past, every year at Black Hat in the closing ceremonies, they talk about what the NOC experienced; and every year, yes, there are attacks. But a lot of times the participants and the media will, you know, glamorize the "Oh my gosh, don't bring your phone, don't bring your computer" reputation. And while I don't want to tell people not to be cautious — it is an adversarial network — the network is architected for that.
The most important thing that people need to be aware of are potential threats. There is a researcher that would drive down the strip, and record the number of cellular towers before Black Hat and DEF CON and during, and there was a dramatically increased number of cellular towers during Black Hat/DEF CON. Which, you know is, is very curious. Right? You can read into that however you want. But are the threats on the network dramatically different than just visiting your local Starbucks? No. Those same threat vectors exist on any wireless network, or any cellular network. It's just it's concentrated in that area during that time.
You mentioned the "Hey, look what I can do" mindset. It's literally a place training people to subvert NOCs.
One of the interesting things is how do you differentiate, attacks from what's going on in the training area, or the speakers that may be doing a demo and leveraging a hyperscalar like AWS. How do you differentiate those attacks versus somebody, you know, actually doing something? It really comes down to network engineering and ensuring that we understand the source of expectations.
So, segmenting the vendors and audience from the training is important?
It is. But a lot of those people though can fall back over to cellular. Because of the pandemic, Black Hat is livestreaming the event, as well. So just ensuring that bandwidth is available for — for not only everyone that's on the conference floor, everyone that's on the vendor floor, everyone that it's in a training session, all of the registration desks and keeping the stream going — a lot goes into the planning around how do we ensure that every one of those people receives good service.
What lessons can people in other NOCs take away from how Black Hat runs its NOC?
One of the things that resonates really well with me is if you take a look at the endpoint detection and response market, if you take a look over the last five years or so, the capabilities have dramatically improved. The endpoint protection that we have now — from a lot of different vendors — went through a maturity cycle, and we have some very good capabilities on the endpoint now. And I think that the network detection is really going through that same maturity right now. In NDR, we finally reached the point where we have enough computer power and advanced analytics that we can do some very tremendous things — detect malicious behaviors and get away from that, that the signature detections — which is very similar to what happened in the EDR market.
I don't want to make this a commercial, but I do think when we take a look at why IronNet was selected there, we just really complement that the other security tools that were already in the NOC, bringing in that more advanced behavioral type detection capabilities. This is a really good opportunity while people are at Black Hat, virtually or in person to really go and investigate the NDR space. It's going through tremendous maturity right now, and the capabilities that we and our competitors provide are getting really, really good.