InfoSecurity Europe 2017: Computer security has become everything security

If events such as InfoSecurity Europe are barometers for the health of each particular segment of technology, security is as fit as a fiddle. Company stands now rival most London flats for floor space, quality, and even amenities such as games and coffee machines. A couple of the larger vendors have stairs leading to whole extra stories which would probably require planning permission if they were outside.

Why is there such opulence on show? Because security is a bigger issue than ever before. But it’s also far more complicated, which means more money flowing to the hundreds of companies in attendance.



The Internet of Things, as was the case last year, was a big topic of discussion.

Security expert Bruce Schneier said that we are almost creating a world that is a robot; where microwaves are computers that heat up food, fridges are computers which make food cold, ATMs are computers that hold cash, and so on. But that means “computer security becomes everything security”, and as these systems become more critical to society, so does the effect of them being compromised.

The Mirai botnet attack was just the first example of how this new interconnected world can be abused. Schneier said that while it was of little surprise to the security industry to see CCTV cameras being used to take down Dyn and a large part of the internet, it was to the wider world, which is why it made the headlines.



WannaCry was understandably a common topic throughout the conference. But it wasn’t necessarily about blame; it’s easy to argue the NSA shouldn’t hoard exploits, or that Microsoft could have done more, or that companies affected should have been patching better. But the realities of the world aren’t always so simple. Lack of resources and legacy systems can make patching more difficult than it seems on paper, and governments are becoming more and more interested in the art of ‘cyberwarfare’. Losing such exploits, however, is incredibly dangerous and was likened at one point to losing a nuclear warhead.

However, WannaCry is largely seen as an amateur attack that got lucky. According to Sophos’ James Lyne, ransomware is succeeding “despite being hideously implemented” but the nature of Ransomware as a Service and the increasingly modular way these attacks are created means such attacks will only become more sophisticated in time.

The Shadow Brokers group, which revealed the NSA exploit WannaCry was based on, have promised to release more exploits in the near future. Trend Micro’s Rik Ferguson warned that the next leak from them could cause a “shit show” if the impact of WannaCry is anything to go by.


Simplicity vs AI

Going back to basics and making security simple – especially for SMBs which lack significant security resources – is a mantra of several companies I spoke with over the duration of the event. The security industry needs to help those security professionals who often double up as the main IT & network person in their business, both by making security simple and by ensuring that they carry out basic hygiene procedures such as patching, before we start talking about the newest shiny products and the state-sponsored APTs.

Which feeds into Artificial Intelligence and Machine Learning; most vendors at security shows now say they use one or the other, and most willingly accept they are buzzterms. Aside from the fact that the two should not be used interchangeably – ML is relatively simple pattern-based learning and rules, AI is more sophisticated and getting towards being truly pre-emptive – too many companies are selling snake oil and/or over-egging their capabilities, and even those who can deliver are more likely to be features waiting to be bought rather than real products.

And that’s before you address the fact that, while these ‘AI’ products are meant to make security simpler, they are generally very specific tools meant for larger companies, and that one-man-band IT type who does security doesn’t have the time, money, capability, or even need to use these types of products.



Last year, the upcoming EU General Data Protection Regulation (GDPR) was mentioned in a few talks but largely missing from the conference floor. This year, GDPR was sprawled across more than a few marketing materials – including Gemalto’s bus outside the venue – but this could well be too late since compliance can often take up to a year, which is well past the May 2018 deadline.


Dan Swinhoe

Dan is a journalist at CSO Online. Previously he was Senior Staff Writer at IDG Connect.
