Black Hat Startup City Unveiled: 6 Themes that Stole the Show

Many vendors are narrowing in on the popular phrase "context is key" and this theme was apparent at the Startup City. We were seeing vendors across all types of disciplines- application security, cloud security, SOC toolsets, etc. all attempting to tackle the challenge of security teams having too many alerts, unclear of which ones to prioritize, and finding a quick path to remediation. This context lens is interesting to our team and one we believe is the juice driving innovation within our 2024 Enterprise Technology Themes, in areas including runtime security and SOC optimization.

While these solutions clearly span different areas in security, the approach they each are taking is similar. By pulling a variety of data sources, they can gather a complete picture of an environment, one that represents the dynamic relationship between variables and continuously creates a baseline of expected behavior. Having such a dynamic and personalized baseline of the environment allows organizations to quickly understand when drift occurs, and how to best fix an environment that has drifted. Of course, these solutions each have a different flavor of this context theme but key takeaways from our stroll through the Startup City were- context is becoming more dynamic and tailored reporting can simplify security posture. Moving forward, it is clear that context is the biggest differentiator for adoption and maturation of a product within a security team. For security teams, evaluating solutions against their completeness of context will no doubt become a priority requirement in the future.

The Black Hat Startup City (SC) atmosphere was absolutely shifty this year. Not as in, Sin City shiftiness (apologies to the host city) but rather shift “left” or “right”. It was obvious, and the messaging was in bold – if you have an API, existing application, developing new cloud-native modern application architectures, or replatforming a product, you needed a “Shift” mindset and initiative(s), no shift-neutral allowed. Shift-right, where runtime security can be found, was a highlight when walking through Startup City and talking to many founders.

Organizations need to encompass runtime security into their journey to monitor application behavior and track real-time signals that might indicate compromise. Discussed solutions tackle runtime protection a few different ways, some deploy lightweight agents (eBPF) for real-time protection, anomaly detection, and alerting. A few deploy web application firewalls (WAF) to monitor API traffic and apply incident response rules. While combining both approaches, a select few attempt to provide end-to-end runtime security for APIs, applications, and containers running in an organization’s infrastructure.

Once deployed, applications often behave differently in production than in development, testing, and staging environments, often a byproduct of having different performance variables, stability, and reliability requirements. Therefore, runtime security tools can not only provide real-time visibility into application behavior but also help prevent misconfigurations and drift, which are common in dynamic deploy frequent environments. By combining runtime security with pre-production deployment (shift-left) strategies, organizations can achieve a comprehensive security posture that covers the entire application lifecycle from development, through to production ensuring robust protection against both known and emerging threats.

The signs were everywhere, each row reflected at least one startup that had the term “non-human identity” on their signs. It was so prevalent that it may leave you feeling like you can’t even ask what exactly that means in the tactical terms of entities? To level set, when we look at the market of non-human identity management, we are talking about the following types of entities: applications, services, APIs, bots, devices, and machine-to-machine (M2M) components. The thesis behind these technologies is to ensure these non-human identities are properly authenticated, authorized, and monitored to prevent unauthorized access, data breaches and other security risks.

This is really an age-old problem that is starting to get the attention it deserves due to several factors driven by the evolution and adoption of cloud and microservices, increased use of software-as-a-service (SaaS), increased automation, identity first security strategies and the innovations in non-human identity management. With the market response to the problem also comes market confusion on the approaches and of course those adjacent markets that are pivoting into the space to try to capture budget.

Non-human identity management is a critical focus area for organizations of all verticals looking to secure their increasingly complex and automated IT environments. Selecting the right solution depends on the maturity of your identity environment, the types of entities you are managing and how your operational models can support addressing the unique challenges this space presents.

Application security is hard and by the looks of investments and innovations, far from solved. While many organizations are still working out details around the basics (SCA, SAST, DAST, etc.) the application security landscape expansion is underway. I counted 22 startups in the startup city as evidence of the expansion. Evolutions in API security, code remediation, code level privacy tasks, data leaks through application flows, and more. It is a thrilling blend of innovation and challenge, pushing the boundaries of what’s possible while reminding us of the complexities that lie ahead.

Overcoming challenges in complex environment, diverse architectures, cultures of “move fast, fix later” and fragmented ownership have been key contributors in the exciting growth of the ecosystem.  Add in the heavy responsibility that comes with a major data breach due to an application vulnerability and we have a fertile ground for innovation for decades to come.

We couldn’t help but wonder what the modern application security stack looks like in a mature organization? How much consolidation do we see in our future? How will GenAI play a role in overcoming some of the skills gap and resource constraints? While there may not be answer to all of the questions now, it is clear that the enterprise will need to have a well-crafted strategy and focused attention in order to purposefully adopt the technology that will shape and protect the future.

In 2010, Apple trademarked the phrase “there’s an app for that” — a phrase that became integral to their marketing strategy in the early years of the iPhone.[1] This phrase highlighted the versatility of the iPhone, and how nearly any imaginable use-case could be realized through mobile applications. For our latest generation of technology, a fitting adaptation to that phrase might be “there’s an AI for that.” And that phrase certainly rang true as we walked through the Startup City (SC) section of Black Hat’s business hall this year.

Would you like to improve your DevSecOps and application security hygiene? There’s an AI for that. Perhaps you want to optimize your cyber defense operations and response-time through data-driven insights? There’s an AI for that too. Want to enhance network observability, gather real-time contextual insights from threat intelligence data, combat ransomware threats, or better understand your cyberattack exposure? In each of these cases, you guessed it — there’s an AI for that. And all of that was just in the SC section of the business hall. But this same trend was prevalent throughout the entire conference. Regardless of whether you think that AI is an overhyped gimmick for marketing, a necessary tool to better prepare businesses for the future, or somewhere in-between; there is no denying the fact that AI is continuing to rapidly transform everything about the ways we approach cybersecurity.

Just like in cybersecurity, AI capabilities are also being broadly adopted by enterprise technology solutions used for all kinds of different functions across the entire business (finance, marketing, sales, legal, and many others). The increasingly widespread adoption of this technology is also introducing new and unique risks. In addition to all of the cybersecurity risks that are incurred by adopting new AI infrastructure, these models are also inherently non-deterministic and behaviors/outputs generated by them can be problematic, unreliable, and even unpredictable. And misuse of these models is now frequently resulting in unintended leaks and data incidents for organizations worldwide.

To address these new risks, we are beginning to see a new suite of solutions. These solutions have a wide range of different approaches and implementations, but the objective is the same — to minimize the risks related to the increasing adoption and use of (generative) AI solutions within the business. These solutions are designed to help organizations move faster and innovate more efficiently, by addressing these uniquely new business risks.