
A Gap in the Armor: What Was Missing from Black Hat 2024

Along with 30,000+ of my closest friends, HYAS participated in the Black Hat 2024 cyber security conference and the surrounding events last week in Las Vegas. There have been a lot of articles published on the main themes, focus, and top keywords of Black Hat 2024; Chris Needs, the VP of Product Management at HYAS, published a HYAS view on the conference, so I didn't see a reason to publish yet another one.

Instead, let me talk about what I think is vitally important but did not see at the show. While everyone is talking about AI (both its applications and the risk from it), ransomware and the latest techniques to detect and stop it, cloud security, and other related topics, I unfortunately saw very little about a topic I am passionate about – cyber resiliency. The White House and the US Government are talking about it, other governments are talking about it, key clients around the world are deploying it, so why isn't it a more obvious, front-and-center conversation?

Yes, CrowdStrike had a key message on the walk to the business hall about how we all need more resiliency, but even so it was not a major focus of the marketing messages at their booth. And I do need to give a special shout-out to World Wide Technology, who does have people openly talking about this topic.

Nevertheless, we continue to talk too much in general about stopping attacks at the four walls and "preventing breaches." It's time to admit that attackers will continue to innovate and adapt their techniques and tactics, that the attack surface will constantly be changing and updating, and that people will always be susceptible to deception and social engineering. That doesn't mean we give up – we clearly need to continue training employees to be observant and aware, and we clearly need to do our best to protect organizations and their assets by keeping criminals out through the deployment of existing and new software solutions. But we also need to recognize that it's likely never going to be enough. A complete cyber security approach includes the acknowledgement that one needs to prepare for the eventual breach. If we assume that a bad actor is already inside the network, what visibility exists to detect this and stop it, and what controls will be able to prevent the attack from rapidly expanding and causing damage?

While some bad actors lie low inside organizations for months, increasingly there are reports of data exfiltration and damage within hours of the initial breach. Despite the ever-increasing dollars poured into keeping criminals out of the network and detecting their attempts to break in, they are still getting in – who is talking about this and, more importantly, who is doing something about it?

There are many ways to achieve cyber resilience – one of them is through the deployment of Protective DNS. That's just one of the reasons it's recommended by CISA and the NSA, is a recommended part of a SASE architecture, and is being asked about in cyber insurance attestation questionnaires. Furthermore, when it's integrated with other components, for example directly into your EDR or XDR solution, the combination is more powerful than either component by itself: it combines the ability to stop the criminal on the way in with an assurance that you can still stop them in time if they break through.

At HYAS we tested this hypothesis, simulating attacks and traffic to 492 malicious domains in actual use in recent campaigns. While EDR and XDR solutions in general excel at detecting errant behavior on the device or at the point of entry, HYAS Protect protective DNS excels at detecting the beaconing behavior and outbound communication to adversary infrastructure, the telltale signs or "digital exhaust" of a breach.

[Figure: graph detailing detection rate]

(HYAS internal study and results; EDR/XDR vendors anonymized)
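As an added illustration of the beaconing detection described above (my own example, not HYAS code and not a description of how HYAS Protect works internally), this Python script scans a constructed resolver log for two signals a protective DNS layer would surface: queries for a domain on a placeholder blocklist, and near-periodic queries from one host to one domain. The hosts, domains, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log ("timestamp client qname"), not real traffic.
# Host 10.0.0.7 queries one domain every ~60s; 10.0.0.9 hits a listed domain.
SAMPLE_LOG = """\
2024-08-12T10:00:00 10.0.0.5 updates.example-corp.test
2024-08-12T10:00:00 10.0.0.7 cdn.c2-placeholder.test
2024-08-12T10:01:00 10.0.0.7 cdn.c2-placeholder.test
2024-08-12T10:02:01 10.0.0.7 cdn.c2-placeholder.test
2024-08-12T10:03:00 10.0.0.7 cdn.c2-placeholder.test
2024-08-12T10:04:00 10.0.0.7 cdn.c2-placeholder.test
2024-08-12T10:07:10 10.0.0.5 updates.example-corp.test
2024-08-12T10:31:45 10.0.0.5 updates.example-corp.test
2024-08-12T10:05:00 10.0.0.9 bad.indicator-placeholder.test
"""
# Constructed blocklist standing in for a protective DNS threat feed.
BLOCKLIST = {"bad.indicator-placeholder.test"}

def parse_log(text):
    """Group query timestamps by (client, domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname = line.split()
        series[(client, qname.lower())].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps, min_queries=4):
    """(mean gap seconds, stdev/mean jitter ratio), or None if too few queries."""
    if len(timestamps) < min_queries:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return (m, pstdev(gaps) / m) if m > 0 else None

def detect(text, max_jitter=0.1):
    """Sorted (client, domain, reason) findings: listed domains and periodic beacons."""
    findings = []
    for (client, qname), stamps in parse_log(text).items():
        if qname in BLOCKLIST:
            findings.append((client, qname, "blocklisted domain"))
        score = beacon_score(stamps)
        if score and score[1] <= max_jitter:
            findings.append((client, qname, f"beacon ~{score[0]:.0f}s"))
    return sorted(findings)

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The jitter threshold is deliberately loose; real implants add randomised sleep, so a production detector would also look at query volume and newly seen domains rather than periodicity alone.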

We as an industry need to be talking more about this – the integration of various solutions to form a more complete and resilient approach. Yes, there is obvious competition, and not every vendor can or wants to integrate with every other vendor. But only through the right partner integrations can we collectively add value to the end customer and client; only through the right integrations will we develop more complete solutions versus point products; only in this way will we actually be able to turn the tide, or at least hold back the onslaught of attacks a bit, and change the game on the criminals.

This is what we need to be talking about more as an industry. And this, I fear, was unfortunately lacking this year at Black Hat.


Ready to step up your defensive game? We'd love to connect with you to transform your cybersecurity strategy from reactive to proactive.