44con and Uncon

It’s been a busy week again.

I helped out a few weeks ago on the panel choosing speakers for the Infosec track for 44con and subsequently got roped in / volunteered to run that track during the days of the con. A week before 44con happened one of the speakers failed to get a visa and I volunteered to fill the gap and spoke on ‘Intelligence-Led Cybersecurity’. It was an interesting process working out what I could talk about, how I could squeeze it into a 45 minute slot (with questions) and then convincing my employers to let me talk publicly.

I have to admit I wasn’t expecting the video cameras and having the content live-tweeted by a journalist (@timesjoanna) was a real wake-up call for me. I haven’t presented at a public conference for over 3 years (since joining my current employer) and the world has noticeably changed and I just need to learn to relax and accept it.

I met a lot of guys I know at 44con but more than a few of these were people I hadn’t run across for a few years. Definitely an interesting and expert crowd I wished I could have spent more time in the corridors chatting to. Adrian (@alien8) and Steve (@stevelord) did an amazing job putting this con together.

The con itself was hard work but clearly a great con for everyone involved. We’ll get the speaker feedback and the survey forms and work out what can be improved next year. My initial impressions are we hit the mark incredibly well for some of the Infosec track but we need a more thematic approach and more consistency in the level of presentation on offer. We varied from over the horizon big ideas, practical advice for practitioners and introduction to risk management which was hard for people to predict from the programme which they were getting into.

I’m sure the feedback forms will tell us the truth but my stand-outs from the track were:

  1. Michael Colao on Cyber Insurance. Michael is always a good value speaker, full of fire, passion and knowledge. I’m not ashamed to admit I learnt a lot from Michael in this talk and I thoroughly recommend him to talk on this to other conferences. I too had missed that point that cyber-insurance is not about transferring the risk of run of the mill attacks, rather it’s about transferring the risk of the cost of cleaning up the cataclysmic attacks.
  2. Steve Armstrong on Communicating with the Boss. Steve was an excellent speaker, well received by all. He gave an enlightening talk on how security specialists can understand and talk the language of the business. Preaching to the converted for most of the Infosec attendees but this one was full of pen testers from the technical track and they lapped it up. I’ve seen an incredible hunger from technical security specialists for training in ‘getting’ the business in the past and it is probably an area that needs a lot more work through mixed cons like 44con.
  3. Gareth Watkin-Jones (@angriac) on Compliance. Again Gareth is good value, cares deeply about compliance and manages to make you care about it too 🙂 He is down to earth and clearly an expert in the field. Some great points about how compliance is not all of security but is definitely part of security. Also some great ideas about how to make security compliance more joined up and keep it alive in the business.
  4. Alex Lucas (@lucas_thoughts) on Science in the Microsoft SDL {EDIT: Completely forgot this talk on my first post – too tired..} Alex is a confident speaker and a clear expert. He exudes experience in a difficult area few have managed to get right in small scale let alone at Microsoft scale. I’ve been impressed with the openness from Microsoft in the last few years around their internal processes.

As I was hosting the Infosec track I missed all of the technical track apart from Roelof Temmingh demonstrating his open source intelligence tool ‘Maltego’. It’s a great tool and highlights the massive opportunities from Open Source Intelligence. When he started live mapping Uncon to 44con I got a little worried, pretty pleased when he stopped that demo 🙂

Uncon 19.5 was great fun, a quick out of sequence Uncon (hence the .5) to take advantage of the presence of some of our foreign members who were attending 44con. I had to leave early but it looked like Even and Etamo pulled victory from the jaws of hangover defeat as many of the best Uncons happened. Good to see traditions continuing on. Also good to see Meta4 reappear, there are fewer of the old founders active in Uncon these days.

I reinforced the message that 44con IS NOT Uncon and that just because the same people attend both that the Uncon is private and the material is not public unlike 44con. If we lose that circle of trust we will lose the core value of Uncon to the members.

Uncon did give me the chance to catch a re-run of Haroon Meer (@haroonmeer) giving his talk from 44con that I missed there. It looks like we share many of the same concerns about the security industry not meeting the needs of the people who are paying our increasingly expensive bills. Definitely a conversation I need to continue with him. He has a different viewpoint on the solution and we need a lot more viewpoints. Too many people would rather not see a problem and keep billing for the same old easy to sell and deliver services.

With Bsides London, dc4420, Uncon and 44con all running regularly in London, groups like the Northern UK Security Group and the out of London Uncons we have an embarrassment of riches in top quality security meetings in the UK now. Maybe it’s time we started to think about how we want to change the UK industry and start using these forums to spread the word.