Oh, the irony. 

On the day Black Hat 2016 kicked off in the place where virtual reality and the real world overlap – Las Vegas – word leaked that 200 million Yahoo! email address were for sale. Attendees were still counting their poker losses when Qualcomm reported a major chip flaw that could expose 900,000 Android devices to exploitation. And, less than a week later, came word that Oracle’s payment system had been hacked.

Not counting the Yahoo! breach, the number of records reported compromised in the US through August 9, 2016 stands at 20.5 million in 584 events, according to the San Diego-based Identity Theft Resource Center.

That’s just the reported number. If you view the ITRC’s breach list, you’ll see there are a lot of organizations of all sizes that acknowledge a breach has occurred, but do not publicly report the number of individuals impacted.

It’s no wonder 15,000 people showed up in Vegas to see what can be done to shore up their defenses before they, too, become a statistic. If organizations like Yahoo!, Qualcomm and Oracle are being successfully attacked, how’s a smaller organization supposed to defend itself? Against that background, you would think Black Hat would be buzzing with new technologies designed to stem the growing tide of big hack attacks. Not exactly.

Over in the left corner of a ballroom in the Mandalay Bay Hotel – just past the longest Starbucks line in history – nearly two dozen emerging technology companies hawked their wares while the more established companies competed for attention with mini-theatres, on-demand tee-shirts, and cups of espresso. Continuing a theme that started at this summer’s Gartner Security Summit, opening keynote speaker Dan Kaminsky set out the imperative: move faster. What took hackers months, now takes minutes and consumers are losing patience.


Among the 20 or so emerging companies, most of the products and services were aimed at making sense of the ever increasing streams of real-time data coming from system monitors. You could also find software designed to root-out bad actors inside your organization, crowd sourced pen-testing, enterprise level mobile device solutions, and a hardware solution or two. There were even two Runtime Application Self-Protection (RASP) solutions with very different approaches – including Waratek and our RASP by virtualization.

A mile away, TEN/ISE hosted the “Lions’ Den” event, a competition designed to highlight emerging security companies. The winner, PivotPoint, presented a much needed product that linked the risks associated with a potential breach with the actual coverage (and price) of cyber insurance policies. (Waratek’s RASP by virtualization was the runner-up.)

There was more talk of doing things differently in the extensive Black Hat catalogue of workshops. Here’s where you heard discussions of “lengthening the kill chain” and ways to introduce randomization as a means of keeping the real black hats guessing. Moving targets are hard to hit, after all.

Next year is the 20th anniversary of Black Hat and the 15th anniversary of when the California Breach Notification legislation was first introduced, adding “data breaches” to the public lexicon for the first time. As much progress as we’ve made in cyber security and data protection since those milestone events, there is still a lot of work to do. I wonder what we’ll see that’s new and interesting next year…and ironic.