Black Hat USA 2018: Trends in Targeted Threat Hunting, Managed Everything, Serverless Security & More

Blog Author
Matt Hathaway

Quenching your thirst in the desert is a major challenge, but seeing everything at BSides Las Vegas and Black Hat is even more difficult.



While I am there every year, hydrating, I try to take note of the innovation I see. Luckily, the Black Hat team has named Innovation City to make it a little easier on me, so I started there and walked the full business hall to ask questions and listen. This year, I took note of a few key themes.


Targeted Hunting Tools

As the threat hunting revolution hit the industry, the rare experts with hunting skills were building their own or making due with whatever tool they had available. EDR solutions, log management tools, forensics solutions… in the hands of the right hunter, any can provide a lot of value for tracking down unexpected behavior. But whenever tools need significant adaptation for use in an important activity, there’s room for a targeted solution to emerge. I spoke to two teams looking to fill this very void:

  • Infocyte has built an agent-less solution for collecting forensic state across endpoints and using principles like data stacking and triage scoring. 
  • Active Countermeasures takes an alternative approach of simplifying beacon analysis by helping strip out known and common network activity to reveal the potentially malicious.


Managed Everything, but Not Like Traditional MSSP

MSSPs have, over time, obtained the reputation of being your one-stop shop for managing any security device your organization happens to acquire. Then, MDR services disrupted this large market by flipping the model and offering you a team that handles your detection and response with the tools they deem most effective. I saw a few new managed security vendors this year, but one caught my eye with its slightly different message:

  • Binary Defense simply listed out ‘Managed SIEM’, ‘Managed EDR’, and ‘Managed Threat Intelligence’, helping me know what they offer. It’s somewhere in between managing all of detection and simply managing devices.


Innovation Begets Security Start-ups

As better technologies emerge for high-scale elastic computing, existing security companies gradually get pressured into enhancing their solutions to serve them. Early adopters who can’t afford to wait that long have a clear need, so entrepreneurs quickly find solutions to address those needs. This happened with containers two years ago, and this year, the most obvious examples were focused on securing serverless environments:

  • NeuVector happily walked me through their Kubernetes network traffic solution with delivering east-west container traffic visibility and multi-vector container firewalls. 
  • Tigera initially caught my eye with their "Zero Trust" messaging, and it wasn't until I engaged with the team that I learned they deliver this and compliance for Kubernetes.


The Dark Corners of the Web

Well before companies were throwing around “dark web” in marketing emails (like way back in 2010), I watched polyglots in the RSA Israel office engage criminals on forums to find stolen credit cards and bank accounts. It always resonated well, but remained a highly manual feed of intelligence for years. Starting at RSA Conference this year, I’ve noticed more vendors emerge with their own flavor of threat intelligence in this vein. In the Black Hat Business Hall, two of them showed me very different solutions:

  • DarkOwl claims to translate massive amounts of deep web and darknet data into actionable intelligence for analysts. They’ve produced a series of vertical industry-specific indices to demonstrate.
  • Terbium Labs (acquired by Deloitte) tailors their “dark web data intelligence” to the specific types of sensitive data each vertical industry cares about.


Next-gen and "In the Cloud!" 

One thing that always stands out at security conferences (at least in the past 5 years) is how incredibly difficult it can be for new entrants to describe what they do and how it’s different. The thinking often goes “If we don’t make bold claims, we won’t stand out”, so I can empathize with that. However, I saw some examples which only caused more difficult booth conversations as I struggled to understand what the vendor does:

  • "Cloud WAF" - being curious if traffic went through their cloud, I asked the booth staff, and they immediately rolled their eyes. I learned how their WAF fits into modern SDLC processes and, accordingly, works especially well for cloud applications.
  • "Next-gen CASB" - I always struggle to learn what is next-gen about a solution. In this case, it was that the Cloud Access Security Broker was extended to devices, too. I think.
  • "Cloud deception leader with autonomous deception" - I remain intrigued by the deception micro-market because I have seen the value of honeypots and other decoys in action. Everyone triaging alerts in your organization had better be in synch with what kind of deception is given autonomy in your cloud, I suppose. 
  • "Ultimate AI-Powered Threat Detection and Hunting Platform" - is there anything it can't do?


There’s no way I could cover every vendor I met here, and we all know that the established vendors announced new products, features, and acquisitions. My biggest takeaway was that entrepreneurs are going to continue to identify unmet needs and build software solutions, leading to their biggest challenge at Black Hat: getting people to recognize what they do and why they need it.


Did you see anything awesome that I missed?