My overly ambitious attempt to cover “Le FIC”.
It is not all sweetness and light, but a fair analysis. Well, I think it is.
The presentations were plentiful …
The hacking competitions and “red team” events challenging …
And the food and drink limitless …
28 APRIL 2023 (Crete, Greece) – As far as cybersecurity event coverage goes, this has been an almost impossible month. After the Cybersecurity Forum in Lille, France the team was off to Florida to attend the annual U.S. National Cyber Crime Conference (another “must attend” event for the cybersecurity industry), and then the mega RSAC 2023 which wrapped up in San Francisco, California yesterday. Lots to digest, lots to write about.
It started earlier this month when we attended the International Cybersecurity Forum in Lille, France (popularly known as “Le FIC”) – a combination cybersecurity tradeshow and education event. And this post will be my overly ambitious attempt to cover a large part of it, with my personal thoughts about the topics I found interesting, as well as why this is such a well-managed event. But it is not all sweetness and light. There were some negatives which I will mention.
And this is a long post. So get a cup of coffee (or your favorite beverage).
NOTE TO MY READERS: and I’ll begin by thanking two people (with many others as I proceed) and that’s Christelle Klein who was on-site with me and arranged several delightful interviews with key cybersecurity vendors, and Steve King (Master Sensei Cyber Guy) who offered advice and comment before the event as well as during the event, from afar – his base in Arizona. More from both in a moment.
“Le FIC” is an intense event, a yearly cybersecurity tradeshow/education event that brings together the French cybersecurity community and most of the other European cybersecurity communities, with an ever-expanding presence of the U.S. cybersecurity community. And it is intense by nature of its size, as measured by several metrics:
– attendees: over 20,000 people participated (16,000+ visitors and 4,000+ program members)
– the number of panels/formal presentations/educational sessions: 300+
– the number of cybersecurity vendors: 650+
“Le FIC” was a showcase for the cybersecurity industry and its growing ecosystem with many, many stakeholders. And it was so well managed, which I’ll discuss as this post continues:
– The exposition center itself. The event is held on one enormous floor in a professional conference center with neatly arranged/marked security vendors from software publishers, to SaaS companies, to consulting services to service businesses.
– Startups are given ample space within an “Innovation Village”
– The conference has “pitch centers” surrounding the vendor section, and also inside the vendor section itself, so vendors can easily show off their latest initiatives or technology in these specially seated areas, or make special pre-set presentations. Keynote speeches and special panels are held in several special theatres just off the main floor. You never need to leave the exposition center.
– The European Cyber Cup hosted an event (I think this was the third time they did it) where college students participate in a hacking challenge. More on that below.
– Researchers had a conference track dedicated just to them. They presented a “masterclass” on a whole range of advanced cybersecurity topics. Each research presentation lasted 30 minutes. More information below.
– The event organizers issued every vendor a Nespresso machine and starter pack so you could grab a coffee during every visit, and there were coffee/drink/food vendors scattered throughout the event. Plus, almost all vendors had their own food trays throughout the day, and the event organizers set-up a “food court” just off the main floor. All of this because you just do not want visitors to be forced to leave the site to eat/drink.
Before I get to my take-aways and comments and my vendor chats, a few words from Steve King and Christelle Klein. I spoke to Steve before I headed off to “Le FIC”. He had a lot to say (he always does; polymaths do that). A few of his thoughts:
“When I look at events like Le FIC I view it from the lens of our commitment … the business community commitment … to plow ahead with business-driven digitalization initiatives. I look to cybersecurity vendors and what they might contribute to regulatory frameworks, but most especially to third-party risk testing, or standards that vendors need to comply with.
If we start demanding more testing, or regulators step in and mandate better controls, then the costs of these audits are likely to drop and we will also see more innovation, such as bringing us back to the beginning in automated testing and orchestration. As you know, since our launch of CyberEd.io [Steve’s company] we have dedicated a lot of work to the issues around supply chain vulnerability exposures, and it is our intent to keep the spotlight focused on this threat vector until we close the gap between the traps and the designs.
I often use Levi Strauss as an example, a company that vets its software vendors today by requiring them to have demonstrable, auditable proof that they have implemented a security framework and can demonstrate compliance with that framework, while taking a dim view of leveraging open source supply chain options. If only all companies did that.
But it is all really a function of your risk appetite and understanding your capabilities in context. JP Morgan Chase will have a different view of each than a Levi Strauss. And there is no Galaxy, where on Mars, software works one way and on Venus, it works another. This should represent a huge advantage to folks trying to defend against incoming, but the problem is in the ecosystem, the complexity, and the way it’s put together.
We are enthusiastic proponents of Zero Trust and firmly believe that a campaign that starts with the identification of critical assets and the establishment of a small protect surface around those assets through network microsegmentation and rigorous least privilege access with continual MFA, while limiting Internet facing software to minimal web access permissions is the path toward resetting our existing network environments within that Zero Trust context over time.
Many attack simulation experiments in the space have proven a 50% improvement in breach prevention, just from executing those few design principles, and it caused no one to rip and replace anything.
I’d be interested to know how vendors at Le FIC look at this.
Oh, and ChatGPT which you have written about extensively. I noted a security researcher has tricked ChatGPT into building sophisticated data-theft malware that signature and behavior-based detection tools cannot spot, ignoring and eluding the chatbot’s anti-malicious-use protections.
Without writing a single line of code, the researcher, who admits he has no experience developing malware, walked ChatGPT through multiple, simple prompts that ultimately yielded a malware tool capable of silently searching a system for specific documents, breaking up and inserting those documents into image files, and shipping them out to Google Drive.
Out and available for only a few months, the ChatGPT LLM is maturing daily and expanding its energy by leaps and bounds. I am sure you’ll cover that at Le FIC”.
I did cover ChatGPT and I have some comments below. And Steve has just written what might be the definitive book on zero trust, “Losing the Cybersecurity War And What We Can Do to Stop It” which I will be reviewing very shortly.
Christelle Klein is a cybersecurity marketing maven whom I have also known for years (last year we finally sat down and did a video interview which you can watch by clicking here) and we spoke briefly before “Le FIC”. She noted:
“I try to take a wide-lens view of ‘Le FIC’. I represent a number of vendors presenting, each in their own niche speciality of cybersecurity. I enjoy the event because it is a platform for reflection, exchange, and business. I think the event organisers try to keep to their two primary objectives: (1) to strengthen the cooperation and the capabilities of all stakeholders to respond to the operational urgency of the fight against cyber threats, and (2) present possibilities toward constructing a stable and open cyberspace. I am well aware of the challenges and difficulties of both objectives.
And “Le FIC’s” theme this year … ‘In Cloud we trust?’ … will address both the operational challenges of cloud security and sovereignty issues. The event will be an opportunity to see the rise of Europe in cybersecurity with the presence of many European pavilions and personalities. It will bring together the entire cybersecurity ecosystem including solution and service providers, customers, governmental bodies and agencies, and academia. I will be very, very busy networking”.
I will start with a few take-aways, move on to summarize some of the more intense topics/presentations, and then finish with some brief vendor profiles (with more extensive profiles to come in a series of separate posts that will zero in on each one).
1. Laurent Hausermann is a European entrepreneur who I bumped into at the event. He and I agreed: the “Research Corner” was a great place. You could spend a few hours listening to all the scientists present their latest research. The most interesting topic was the discussion around functional encryption. It may be a set of algorithms that is key to establishing trust relationships over the Internet and unlocking some uses of cloud computing where privacy and security are material. As Laurent noted on his blog: “Functional encryption is a generalization of public-key encryption, where possessing a secret key allows one to learn a function of what the ciphertext is encrypting. The researcher educated the audience with pragmatic use cases and discussed homomorphic encryption and other techniques”.
2. The relationship between cloud computing and security is now more mature. The perception that the cloud is an automatic “security risk” has changed, and it is no longer viewed as “the enemy” of Chief Information Security Officers (CISOs). Cloud technology has become an indispensable tool for many businesses, allowing them to leverage the power of the cloud to boost productivity, enhance collaboration and streamline operations. It has also provided new opportunities for CISOs and vendors to develop innovative security solutions specifically designed for cloud environments, addressing the unique challenges of cloud-based systems. Cloud security has developed into a collection of procedures and technology designed to address external and internal threats to business security.
3. I watched the keynote by EU Commissioner Thierry Breton. Yes, “cyberspace is increasingly contested” and yes, “Europe must protect it for sovereignty reasons”. And yes, “EU nations need to unite their forces to be more effective in detection, defense, and deterrence as the threats increase”. But his aim to create a “European cyber shield” to better detect attacks upstream by investing more than one billion euros in constructing security operations centres (SOCs) seemed a bit far-fetched. And I do not think he (or his speech writers) fully grasp how far, how fast we have moved from a world where it was mainly necessary to defend computers and critical infrastructures to a world where all everyday connected objects are potential vulnerabilities. I have seen the EU Commission’s proposed plans “to obligate” IoT device manufacturers to integrate protection measures from the design stage, and to ban certain risky suppliers.
But has anybody in the EU Commission gone into a Fnac or MediaMarkt store (or gone on-line) to see the range and country of origin of IoT devices? Is this even remotely manageable?
Breton’s biggest point was about managing cyber crises, saying “it is essential to exchange a maximum of information in a minimum of time”, and he pushed stakeholders to adopt a logic of mutual assistance. He proposes that the EU will need to create a European cyber reserve comprising several thousand volunteers and professionals working in concert with national authorities and forces, which can be mobilized in the event of a cyber attack. EU states “must also invest jointly in the indispensable effort of training”. Finally, Breton reminded us that the EU had established a cyber diplomatic framework allowing solid sanctions after attribution – which is interesting because just about every vendor at “Le FIC” could recite, in detail, why cyber attribution will become more and more difficult because the underlying architecture of the internet offers numerous ways for attackers to hide their tracks with incredibly sophisticated tools.
4. There seems to be a constant, almost unstoppable stream of relatively inexpensive commercial software that can remotely infiltrate the most intimate spaces of a target’s digital life to steal their information and secrets.
Overall, FIC 2023 showcased Europe’s vibrant and growing cybersecurity industry, with a diverse range of attendees from startups, large companies, and researchers. But many cybersecurity vendors do need to improve their marketing and messaging, focusing on differentiation and unique value propositions.
Given the huge scope of “Le FIC”, it is impossible to cover all of the presentations and sessions (especially the myriad interactive sessions, brilliant though they were), and all of the “45 minutes of fame” sessions where almost every vendor present had a chance to make its case at the various stages set up throughout the event venue.
But there were some big themes/issues covered by many presenters and vendors, and the following are just a few of them as covered by me and my team.
Relatively inexpensive commercial software can remotely infiltrate the most intimate spaces of a target’s digital life to steal their information and secrets
This was a topic raised by many presenters and vendors. It really blew up in July 2021, when journalists, activists and dissidents the world over were reminded of how their communication devices can be turned against them. Eight years after American whistle-blower Edward Snowden leaked the National Security Agency files, exposing the mass surveillance programs then being run by the US government, the “Pegasus Project” investigation into NSO Group’s spyware reared its ugly head, showing us the stunning ways spyware tools had evolved and spread since then.
No longer must state security agencies sift through broad metadata dragnets to monitor persons of interest. Instead, relatively cheap commercial software programs can remotely infiltrate the most intimate spaces of a target’s digital life to steal their information and secrets, all while marking their exact location. And that technology keeps evolving, getting more sophisticated – and cheaper and more easily available.
Government authorities routinely insist these tools “are only used to apprehend criminals and terrorists“. But the ease with which perceived adversaries can be covertly tracked outside legal due process is inflating definitions of who qualifies as a malign actor worth watching. Increasingly lumped into that category are journalists, human rights advocates and opposition groups, lawyers, environmentalists, academics and businesspeople. Even the family members of VIPs and heads of state are not immune.
The fragmented, slow-footed response by lawmakers to the Pegasus Project’s revelations continues to enable the opaque commercial hacking software industry to reach almost unimaginable levels of sophistication.
The NSO Group Rises Again?
The development of the Pegasus software that triggered the investigation into its use began in 2011 by an Israeli cyber surveillance company, the NSO Group. By 2021, after a decade of iterations, Pegasus could be implanted on a target’s Apple or Android device without requiring any phishing attempts or errant action by the device’s owner — what’s known as zero-click capability. At that point most user privacy and security backstops are bypassed, including end-to-end encryption: the implant reads messages on the device after they have been decrypted, so the security of the channel itself is irrelevant. Pegasus operators gain full control to download images and files, eavesdrop on calls, change settings, activate audio and video recording functions, access messaging and email accounts, collect passwords and authentication keys, turn on GPS location tracking, and more.
The NSO Group has always denied any wrongdoing. The company says its products are meant solely for law enforcement and counterterrorism purposes and that it has no control over the hidden intentions of end-users. It also has a policy of not disclosing who its customers are. Since the release of the Pegasus Project findings, eight countries and the European Union have launched judicial and parliamentary probes into its use. The NSO Group itself has been hit by multiple lawsuits, including from Apple and Meta-owned encrypted messaging platform WhatsApp. In January 2023, the US Supreme Court declined to hear NSO Group’s appeal seeking to have WhatsApp’s complaint dismissed, allowing that suit to proceed.
NSO Group’s co-founder and former CEO, Shalev Hulio, resigned in August 2022 after the company was blacklisted by the United States and had accumulated nearly half a billion dollars of debt. Under Hulio’s watch, the company also failed that year to pivot toward servicing the North Atlantic Treaty Organization (NATO) military alliance via an agreement to have American defence contractor L3Harris purchase the NSO Group’s collection of surveillance technology. The deal was blocked by the Biden administration on the basis of national security concerns — mainly that America’s rivals would find a way to acquire those tools from other NATO member countries.
And yet, in his first public comments since taking the helm of the company in 2022, CEO Yaron Shohat (he was previously chief operating officer) defended the NSO Group’s products as vital to public safety. Shohat also hinted that the company had crawled back from the brink of insolvency and is now attracting new customers.
But at “Le FIC”, vendors told me spyware and other services akin to Pegasus have been marketed by many rival companies, including the infamous Hacking Team. And that will continue, one told me, due to
“the revolving door between veterans of Israel’s military and intelligence branches and its domestic tech sector, constantly generating new surveillance start-ups”.
Aside from the NSO Group and the Hacking Team there is Intellexa and its constellation of associated vendors; its “intelligence solutions” include the Predator software. And companies like Cognyte, founded in 2020, which describes itself as “a market leader in investigative analytics software”. And S2T Unlocking Cyberspace, which has an active office in Singapore and whose products are known to have been used by Colombia’s military.
Indeed, the proliferation of these technologies and the demand for them by government and non-government clients alike have given rise to a mercenary spyware industry worth an estimated US$12 billion per year, according to one cybersecurity industry analyst at “Le FIC” this year.
The upshot of all this spreading spyware?
The most rewarding parts of a conference like “Le FIC” (actually any good conference) are the dinners where you can have more in-depth chats with the community (and sometimes off-the-record chats) that you cannot have on the event floor.
At one dinner we discussed the higher-level impact of all this spreading spyware: the profound chilling effect it is having on press freedoms and civil society across the globe. Surveillance-for-hire offerings are enhancing the scope of authoritarian efforts to apply transnational repression – which US-based democracy watchdog group Freedom House defines as “governments reaching across borders to silence dissent among diasporas and exiles, including through assassinations, illegal deportations, abductions, digital threats, Interpol abuse, and family intimidation”. We certainly see it here, across Europe.
But similar to ethical dilemmas around lethal autonomous weapons, efforts to regulate invasive hacking software are fragmented and lack urgency. This partly comes down to autocracies prizing their newfound capacity for social control. China and Iran, for example, have already developed their own state-pioneered spyware, which they are surely promoting to their allies. Dozens of countries in the Global South are already participating in Beijing’s Digital Silk Road initiative, whereby Chinese tech firms provide everything from telecommunications and artificial intelligence systems to cloud-computing, e-commerce infrastructure, population surveillance and the wiring of smart cities.
Elsewhere, new algorithmic programs used for catching welfare fraud and the rise of workplace surveillance tech, which stems from an increase in remote employment, are shifting some mainstream opinions in favor of using technology to micromanage individuals’ behavior. One vendor here told me
“We talk about malware and bad actor nation-states, but rarely do we talk about what I call ‘surveillance for productivity’ which has become part of the norm in the workplace. And similarly to how private-sector advances in AI may spur development of lethal autonomous weapons, advances in commercial workplace surveillance are bound to spur innovation within the spyware industry”.
And at the same dinner we talked about reining in all of this “cutting-edge” spyware – which most attendees at this dinner called a hopeless task. Said one:
“Oh, let’s be honest. Spyware is yet another technology being developed at a greater speed and scale than bureaucracy and parliaments can grapple with. Anyone currently concerned about being targeted by spyware is thus left to use existing tools and techniques to safeguard their devices. I think that is a major role here at Le FIC. I mean, we have all read the Citizen Lab and Amnesty International reports which document the existence and capabilities of cutting-edge hacking tools and to alert possible victims. But in the absence of a unified state response or global moratorium on spyware, what can you do? And worse, as we discussed earlier, media investigations are at least invaluable in unmasking many of the commercial operations aiming to profit from the stealthy manipulation of democratic processes, something I find much more threatening than malware used to make some money”.
And so the major benefit of “Le FIC” : spending time with the cybersecurity industry to find and understand unique ways to counter malicious activity – of all types.
And given the huge scope of “Le FIC”, it is just as impossible to cover all of the vendors as it is all of the presentations and sessions. Herein a few vendor highlights, all random, pulled from the 70 or so conversations we had at “Le FIC”. After we post our detailed coverage of RSAC 2023 (which wrapped up in San Francisco, California yesterday) we’ll be posting some individual profiles of several vendors at “Le FIC”.
The increasingly dynamic and dispersed nature of enterprise workloads has resulted in the hybrid multi-cloud environments being endemic in most enterprises. As a result Zero Trust has become an influential and highly regarded design principle within a variety of computing environments. Steve King will get you into all the nuts and bolts in his book “Losing the Cybersecurity War: And What We Can Do to Stop It“. Brilliant read. I highly recommend it.
What Illumio has done is to develop a system, a program, to secure data centres, private and public cloud environments and become a market leader in Zero Trust, providing an elegant means to solve the problem of securing diverse and complex environments effectively. It employs “microsegmentation and alignment” to the Zero Trust approach.
I need to be brief in these summaries and hopefully as time permits I will return to this concept of “microsegmentation and alignment”. But for now visit their website for more particulars: www.illumio.com
Horrible to say. “Fun” at a cybersecurity event. But I did have fun chatting with folks at Sophos, discussing how the threat landscape has become too big and too complex and what Sophos … “cybersecurity as a service” … provides organisations to mitigate threats as much as they can. And the timing was nice. Cyberattacks aren’t a roll of the dice for organizations, but rather a near certainty. Almost all organizations, 94%, experienced a cyberattack of some form during the last year, as Sophos discussed in their well-timed research report. All companies should assume they will be a target in 2023, the researchers warned. For more about Sophos click here: www.sophos.com/en-us
Ping Identity is always one of my favorite stops. About 5 years ago it was the first company I video interviewed at “Le FIC” when I was doing video interviews across the cybersecurity industry. And they were the only company that took the time (had the patience, maybe) to explain to me the intricacies of identity management, identity access management, web identities, access controls, and the whole metasystem architecture of such identity management system tools. And this is across web applications, apps on mobile devices, VPN, etc., etc. It is the reason they are considered best-in-brand for this critical cyber area. For more click here: www.pingidentity.com
Mandiant is an American cybersecurity firm, now a subsidiary of Google. It rose to prominence in February 2013 when it released a report directly implicating China in cyber espionage. And it is still the recognized leader in dynamic cyber defense, threat intelligence and incident response services.
As regards the Google acquisition, David Grout (Mandiant’s CTO EMEA and Senior Director, who I have known for years) told me Mandiant’s role is not going to change fundamentally. It will continue to do threat intelligence, incident response, consulting for its customers and technology sales.
And David and I had a brief chat about the lessons we can learn from the cyberwar in Ukraine. At “Le FIC” he made a special presentation on that issue. He told me “there is always a link between geopolitics and cyber. Cyber tools are now an integral part of some states’ doctrine. But we don’t see anything new in terms of the technicality of attack. However, there is always a parallel between ground operations and cyber attacks. We have seen that during the different phases of the war, cyber has always been present”.
I hope to conduct a more detailed review with him on that issue. In the meantime, for more on Mandiant click here: www.mandiant.com
Keeper Security was not a company I knew (imagine). But while I was at “Le FIC” I had read a review in PC Magazine that it is “the ideal cybersecurity and productivity application for protecting all remote employees on all their devices from password-related cyber threats and data breaches”. And when I visited their booth I found a user-friendly platform that unifies the essential components of identity and access management and enables zero-trust transformation. Its interface is simple and easy to navigate. Quite interesting.
And as I dug in I found out the reason it was recommended: Keeper derives the key that protects the vault from the user’s master password using PBKDF2 with HMAC-SHA256. Strictly speaking, neither of those is an encryption algorithm. PBKDF2 is a key-derivation function that stretches the password, with a salt and a large iteration count, so that offline guessing of the master password is deliberately slow, and HMAC-SHA256 is the pseudorandom function it is built on; the derived key is what then encrypts the stored passwords and sensitive information. And it is available on multiple platforms, so it is a sensible choice for companies of all sizes.
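To make the PBKDF2 / HMAC-SHA256 distinction concrete, here is an added example written for this post; it is not Keeper’s code and does not claim to reproduce Keeper’s parameters (the iteration count, salt size and the two context labels are assumptions). It derives a vault key from a master password with PBKDF2-HMAC-SHA256, splits it into separate encryption and authentication sub-keys, and uses HMAC-SHA256 to tag stored records so that tampering is detected with a constant-time comparison. Only the standard library is used.

```python
import hashlib
import hmac
import secrets

# Illustrative parameters (assumptions, not any vendor's settings).
ITERATIONS = 600_000
SALT_BYTES = 16


def new_salt() -> bytes:
    """Per-user random salt: identical master passwords must not share a key."""
    return secrets.token_bytes(SALT_BYTES)


def derive_master_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 stretches the master password into a 32-byte key.
    The iteration count is the cost an attacker pays per guess of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def split_keys(master_key: bytes):
    """Derive distinct sub-keys for encryption and authentication (domain separation),
    so the MAC key is never the same bytes as the key that encrypts the vault."""
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def tag_record(mac_key: bytes, record: bytes) -> bytes:
    """HMAC-SHA256 over a stored vault record: integrity, not secrecy."""
    return hmac.new(mac_key, record, hashlib.sha256).digest()


def verify_record(mac_key: bytes, record: bytes, tag: bytes) -> bool:
    """Constant-time comparison so a forged tag cannot be confirmed byte by byte via timing."""
    return hmac.compare_digest(tag_record(mac_key, record), tag)


if __name__ == "__main__":
    salt = new_salt()
    enc_key, mac_key = split_keys(derive_master_key("correct horse battery staple", salt))
    # Constructed sample record; a real vault would encrypt it with enc_key before tagging.
    record = b'{"site":"example.test","user":"alice"}'
    tag = tag_record(mac_key, record)
    print(verify_record(mac_key, record, tag))                       # True
    print(verify_record(mac_key, record.replace(b"alice", b"mallory"), tag))  # False
```

The salt and iteration count are what make “PBKDF2 with HMAC-SHA256” meaningful: without the salt, one precomputed table attacks every user at once; without a high iteration count, a leaked vault can be brute-forced at the raw speed of SHA-256. The example passes a small iteration count only in tests, never in the defaults.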
We all need a password manager to create and store varied, strong passwords for every website and app we use. And it’s also important that you can access your passwords from every one of your devices without difficulty.
So Keeper is something to check out. For more click here: www.keepersecurity.com
I spent a lot of time with Lookout because one of the companies I own staffs knowledge workers for law firms and corporations, and 75% of them work remote.
Lookout was founded in Boston in 2009, and originally began as a consumer-focused smartphone security and data backup business, attracting millions of users and hundreds of millions in funding from respected investors including Andreessen Horowitz, Accel, Greylock, Morgan Stanley, Deutsche Telekom Funding, and even Jeff Bezos.
But over the past 10 years, Lookout has gradually expanded its reach into the business sector, pursuing enterprise partnerships with technology giants such as Samsung. And a few years ago, Lookout made the most effort toward strengthening its B2B credentials when it acquired cloud-native cybersecurity startup CipherCloud, a company focused on the growing Secure Access Service Edge (SASE) security segment. Now, its long-running transition to becoming an enterprise security company is all but complete, recently selling its consumer mobile security business to Finland’s F-Secure in a deal valued at around $223 million.
Lookout’s pitch is that digital transformation and the broad adoption of the cloud have accelerated remote work and the use of mobile and unmanaged devices, which in turn exposes organizations to new security gaps that are ripe for exploitation by bad actors. So Lookout’s mission is to secure and empower the digital future where mobility and cloud are essential to all that we do for work and play. Its endpoint-to-cloud security platform aims to ensure that your data is protected – regardless of device, user or location.
And this is huge. As a Gartner survey (released during “Le FIC”) noted, 60% of knowledge workers are remote. In addition, a report released by Zippia highlights that 75% of employees use their personal cell phones for work. As organizations continue to enable their employees to work remotely, either 100% of the time or in a hybrid model, the use of mobile devices to access corporate applications, regardless of user or location, is on the rise. Workers based outside of the traditional perimeter of the data center who are accessing apps that are in the cloud, and using devices not managed by corporate IT, accelerates the need for a security solution designed for the flexible workforce that “follows” and protects corporate data wherever it flows or resides.
For more please click here: www.lookout.com
Intigriti was my most interesting find this year at “Le FIC” and they’ll get a special profile piece in the coming weeks.
Founded in 2016, Intigriti connects organizations with ethical hackers to continuously test and improve their security through bug bounty programmes and other crowdsourced techniques. By creating a community of white hat hackers who think like real hackers, the company delivers agile, continuous security testing in a cost-effective and simple way.
I had a quick look and what the company’s interactive platform features is real-time reports of current vulnerabilities, enabling organizations to get visibility over their attack surface. Intigriti claims that on average companies receive 53 reports within one week of launching on the platform, and 71 per cent receive high to critical reports within 48 hours. The company has released a hybrid pentest offering in which the solution enables companies to work with selected researchers in individual engagements within an agreed timeframe but following a result-based rate, like bug bounty programmes.
It also comes with triage services, a vital in-house validation process that ensures clients only receive valid, unique, and in-scope vulnerability reports. It also has a very intriguing “bug bounty platform”.
It is a fascinating concept: companies working with the ethical hacker community. But the cyber security landscape is constantly changing, meaning some businesses are having trouble keeping bad actors out of their systems. This is coupled with the fact that hackers are also becoming increasingly smarter, finding new ways to access data every day, which means cyber security is having to be stepped up. So Intigriti is a pretty cool, European-leading platform for bug bounty and ethical hacking which you should consider.
Lots more to write but for now, for more information, please click here: www.intigriti.com
TO CONCLUDE ….
I think “Le FIC”, now a leading event on cybersecurity, performed its role as a platform for reflection, information exchange, and business promotion. It certainly offered the opportunities of cooperation and to demonstrate the capabilities of so many vendors and stakeholders.
The operational urgency of the fight against cyber threats will accelerate, and the battle will become more brutal. Having a combination cybersecurity trade show and education event makes the preparation easier.