InfoSecEurope 2018 - Was it worth going?

I attended InfoSecEurope and BSidesLondon conferences this week.
The InfoSec conference was in London’s Olympia Exhibition centre. I hadn’t been to it before as I had a rather selective view of conferences in general. In the end I was glad I took the time and got the opportunity to attend, and certainly would recommend it, with some guidance.

Before I decided to attend I got some advice from those who had been there previously. I wanted to avoid walking miles of aisles of trade booths being targeted by every salesperson who made eye contact.

If you have been following my tweets and blog, you will know I think we have too many infosec tools and need to focus more on the basics before we introduce magic tools to secure our networks. The advice I received was very sound and I will write up some of my recommendations if you are thinking of attending next year’s event - just let me know.

Here are some of the highlights for me.

1) Community Collaboration
One of the absolute high points of the trip was meeting people in the industry. Leaders and industry veterans who have been in the infosec space for years. As well as meeting some people I know and respect in the industry on the sales and vendor side. It was great to catch up with people from www.pluralsight.com also, hi Andy !

The Security Bloggers awards organised by Brian Honan was a great event. The who’s who of InfoSec blogging attended and it was a great opportunity to bring people together for a great night. The awards and winners have been well reported upon, and congratulations to them.

When you stand back and think about it, many bloggers provide a valuable knowledge transfer service, giving up their own time and driven by a need to share knowledge and build their personal brands. It doesn’t stop their though. By these bloggers providing this information on the web for free it gets picked up and used within the industry. I’m sure tools that trawl the web, I’m thinking of IBM’s Watson here, pick up much of the educational content delivered in these blogger’s material and use it to help security analysts in their day to day role.
It is great to see events such as this being organised to recognise those who have invested their time and provide their knowledge to improve overall skills in the infosec space.

2) Sound Strategy Sessions
There were three on-going presentation types during the conference. Technical Tracks Strategy Talks and Geek Street for the deep technical output.

Jack Daniel, (from Tenable), gave a great talk. The punch line really was, don’t be getting distracted with APT defence, until you have the basic protections in place. For APT where a foreign state or commercial espionage is in play these attackers have such big budgets that you’re probably going to have trouble defending you network anyway, unless of course you have a large security team at your disposal. However, people still don’t have the basics sorted so get them sorted first.
Jack1

It was interesting that on Wednesday Troy Hunt, www.HaveiBeenPwnd.com, also provided a similar message. Troy raised the recent supply chain compromise for BrowseAloud and highlighted how organisations are still not taking steps to protect their applications. I am a big believer it getting the basics right and have written about this previously.
Troy1

3) Technical Clarity and Marketing Antidote
Scott Helme’s session on “Hacking the world’s most secure communications protocol” was a fantasic session. This session summed up so much about the infosec industry. Scott presented his work that was previously broadcast on the BBC.
Scott1
A product marketed as being the “world’s most secure communication protocol” was reviewed by Scott. The device was a Raspberry Pi with a few extra ports/LEDs in a bigger case than a Pi and marketed as a new email security device. However, Scott found numerous security vulnerabilities in the devices, not cryptic vulnerabilities – just basic weaknesses that really made this device a danger to put onto your network.
The supplier rigorously defended their product, tried to discredit Scott’s work and really just reflected the crap side of the Infosec industry where vendors are more interested in fancy marketing rather than producing tools that help us. Scott raised the question on whether there needs to be more regulation to certify devices are secure, I wrote about this following the TalkTalk hack a few years back.

I so enjoyed the fact that you had a technical person, with evidence-based information (facts not opinions) and the marketing engine of this product totally disregarded the findings or risk it was putting its customers at.

As for the trade booths, well they were trade booths. Some stands had representatives that knew little or nothing about their products. Others (on the smaller stands) were far more knowledgeable and had little marketing façade to them. I found the Thinkst stand to be one worth visiting where they were showing their canary product.

Would I go again, absolutely; but you need to be prepared. Don’t go to InfoSecEurope for the trade booths, plan you trip before you leave, and take in as much of the high value content as you can identify on the conference programme. If you would like me to write up a prep guide in advance of next year’s conference let me know and I will share it here.