As security conferences go, this has always been a favorite for EMEA folks. Small venue, easy to navigate, and easily accessible within the UK vs a transatlantic flight to San Francisco or Las Vegas. It’s technology focused, and the smaller vendors tend to staff their booths with a great mix of founders, builders and sellers. Sure, there are competitions and freebies, but they don’t steal the show. If you want to experience a microcosm of the cybersecurity scene, this is a great place to start.
3:30am alarm to make the redeye to London? ✔
Parking garage barrier not keeping its promise to read my car number plate? ✔
Huge Starbucks coffee at the airport to wake me up. ✔
Let’s do this!
InfoSec EU was a great conference back before in-person events got put on hold for a couple of years. Previously hosted at the Olympia, with the big guns on the main shop floor, and the smaller (arguably more interesting) vendors on the mezzanine overlooking the impressive custom-built booths below.
This year the conference moved to the ExCel, but maintained that cozy vibe despite being in an enormous venue! Despite the travel interruptions that hit London on days 1 and 3, folks were excited to get back at it.
So how did it go?
Swag game was strong, with a lot of cool vendors showing off some exciting new tech, and some great conversations with partners, prospects and total strangers who just happened to be tempted by a snazzy Cobalt t-shirt! Oh, and socks. Socks were back with a vengeance.
There were few surprises in terms of what was on show (or should I say on sale) around the exhibition floor. A quick round of buzzword bingo as I strolled by the vendor booths threw up some familiar terms that we’ve been seeing gain traction in the security industry.
Zero Trust, Account/Access Management/Identity were some of the most prominent across the larger firms exhibiting. Controlling endpoints and the permissions that grant access to those endpoints is big business, and locking this down is key to securing any network, and perhaps more so with the majority of companies moving their critical systems to cloud infrastructure.
One of the big surprises for me was the human aspect i.e. Training, Certification, and Education. This thread was far more prominent than I expected, but lines up with what we’ve been saying about talent in the industry for the past 5 years. Companies need more security people, and need to continue to invest in and upskill (and retain) the people they have. This also resonates with a takeaway from the 2022 Verizon DBIR, as an estimated 82% of breaches involved the human element — including social attacks, errors and misuse.
Data was a key theme, split along two lines. One was predictable, sandwiched mostly with Loss. The story here was that companies have a huge responsibility to protect data, and bad things happen when valuable data isn’t properly managed and secured. The second track wasn’t the risk associated with data, but the usefulness of security data and the opportunity to use data from various sources to build alerts, leading to action. How you grab and analyze that data was another story altogether, with a lot of talk about consolidation and “single pane of glass” type services, albeit that’s a phrase that has slipped in the charts. There were a plethora of SIEM/IDR/XDR tools on offer to satisfy the ingestion and analysis angle, but surprisingly few mentions of automation and orchestration — especially given the urge to consolidate tools and reduce the complexity of operationalising security programs.
Email and Phishing seem to be making a comeback, and were a frequent flier among the vendors big and small. Stolen creds and phishing are two of the most pervasive attack vectors, involved in almost 50% and 20% respectively, in non-misuse breaches according to the 2022 DBIR report.
One of the big omissions this year from my perspective was how few products were talking about Vulnerability Management. It wasn’t that they aren’t doing it anymore, but it’s almost become a bundled item, obvious enough that it’s hardly worth mentioning. Another item I expected to see more of was attack-surface management. There was a lot of talk about endpoints, but discovery of those endpoints? Nada. Again, it wasn’t that folks weren’t talking about it, or don’t have great products to address what is a big problem in the industry, it’s just that it wasn’t front and center in the messaging on display.
Domain and DNS/Network Layer security caught my attention in some of the small & medium vendors, and the message was clear — why bother with all that internal asset tracking and vulnerability management when you could just stop all the attacks in-flight.
One of the major pivots I noticed was Application Security, which barely featured at all, at least the traditional terminology. The big players were in town, but the pitch was different. Scanning barely got a look in, and the positioning was all geared towards securing the SDLC, enabling developers to be secure code warriors, and hardening apps against attacks. Is this the end of traditional application security? Not a chance, but it may signal a move towards a more modern way of doing things, replacing traditional approaches in favor of more modern tooling. One thing I expected to see a lot more of was 3rd party risk management, and Supply Chain attack defenses given the recent high profile incidents, but it was on the subtle side. This one goes against the grain, given the frequency and scale of impact of some high profile breaches e.g. SolarWinds.
Risk was a very high profile feature among the booths. We all have it, few of us know how to quantify it, and even fewer have a plan on how to reduce it. Or at least that’s what all the banners would have you believe! The Platform angle came into full swing here, with value the companies were adding aligning closely with risk exposure, visibility and action.
Bots and Ransomware were two notable absentees, which is surprising in the second case as ransomware attacks have been increasing exponentially since 2017, and show no signs of slowing down. This may have been the case as this is much more common among small businesses — which may not be the core target market for some of the bigger names exhibiting.
Last but by no means least, there was Pentesting. Obviously this is an interesting topic for the folks at Cobalt. Even though we were recognised as G2’s #1 pentesting vendor for the 3rd consecutive quarter, we know from experience how fast the industry moves, and have no intention of hanging back. There are a few flavors of offensive testing such as bug bounty, penetration testing and automation tools like Breach Attack Simulation which you can read more about here. At Cobalt we believe the advantage of traditional pentesting is that a software product can be trained to do something fast and reliably, but isn’t very good at adaptive testing. Humans are amazing at this, and pentesters have a unique mindset, where obstacles are challenges and the stronger the security of a network or web application, the greater the reward of finding a way to exploit it.
The secret sauce for Cobalt is making pentests and pentesters accessible to our customers, and ensuring we find the right people for the test. This means our customers get the right information they need to fix the exposures that could ultimately lead to exploitation of their networks and assets. We also had pretty amazing t-shirts, but I guess all the vendors say that, don’t they?!
So what were the key takeaways?
The Cybersecurity industry is as creative as ever in its marketing and technical innovation, and some of the best of the best were on show in London. At a glance it was clear the majority of vendors want to solve more than one problem, but no one has figured out how to do it all just yet. Visualization and accessibility of data is a must-have, especially when it takes many products to build a comprehensive security program. I didn’t see anything particularly novel/newsworthy this year, but rather than a rehash of previous years, teams had been doubling down on their strengths and making steady progress in their respective areas of expertise.
Apart from losing all social cues and not knowing when to hug/handshake/fist bump, being back at an in-person event was great. The cybersecurity community is pretty tight knit, and it was a return to normality for many folks who would be regulars on the conference circuit. The beers were cold, the smiles were warm, and perhaps best of all, we got to rub shoulders with some real people from an industry we know and love.
Next stop… Vegas!