You have to wonder why, at a show that is one of the world’s most successful security exhibitions in terms of actual leads gotten and deals done, so many vendors still resort to babes in nurses’ getups or wearing shirts that say, ‘I’ve Been Penetrated’. Flacks here tell me that attendance is up 40% over last year (the show moves from the greenhouse that is Kensington Olympia to the Uglydome at Earl’s Court next year) and vendors giddily speak of lead after lead. This is a great show - in fact it’s my favorite every year.
I spoke with the folks at Core, who tell me that the attitude towards pen testing here is vastly different from that in the states, and I have to agree - in the US, you either do it or you’re scared of it; here you just do it. Actually overall there is a sense in Europe that the security products that you buy should, you know, work as promised, and buyers come prepared to ask serious questions and demand serious answers. A little feud between Sophos, Kaspersky, Trend and McAfee (pronounced, over here, correctly - it’s mc-AFF-ee, not ‘mack-uh-fee’ for God’s sake - yes, I’m telling the founder that he pronounces his name wrong) resulted in a blaring propaganda-fest that I steered well clear of.
Here’s who I met with and a sentence or two about what they do (or at least, what I think they do).
Howard Schmidt sits on the boards of Fortify and Codenomicon and he was in town to talk about secure code training, code testing in development stage and, while he was at it, protocol fuzzing and testing. I also later met with Ounce Labs and talked pretty much about the same thing, sans the fuzzing plus a bit more about the training, and then found out that Jeremiah Grossman was in town - we met on the second floor of the F5 booth - yes, the second floor. Of a booth.
I really enjoyed meeting with Jan Hichert, the CEO of Astaro Internet Security, which makes a cheap and cheerful and good quality unified threat management box from mostly open source stuff (it used to be called Astaro Linux). It started with SuSe then stripped out everything and built up with a mess of open source stuff, now it’s a nice, juicy plug and play box or VM image that shoves commodity stuff into small and mid-sized businesses. They make money.
Along those same lines, I met with three of the folks from GFI - there’s a company I really like, cause they make everything, cheaply and well, a small business might need, and they’re raking in the cash - they did a bit more than $60m last year and say their profit margins are in the 30% range - and now they’ve cut prices from 20 to 45% on everything they sell. Aggressive and cunning in how they approach the problem of getting small businesses the stuff they need.
Udi Mokady from Cyber-Ark and I discussed how his product line is expanding from privileged password management to identity management and some of the directions that that can go - they’re doing well with Israeli banks - not known to buy rubbish very often - and expanding their US operations.
Avishai Wool, the co-founder and CTO of AlgoSec, showed off his firewall management system that does a kind of Skyboxy, Red Sealy, Tufiny kind of thing, he says, better than Skybox, Red Seal or Tufin, and his technology and approach to managing heterogeneous firewall configurations looked very interesting indeed, especially including a pre-generated firewall audit feature that you will like and your auditor will grudgingly respect.
Spanish vendor S21Sec was probably one of the most interesting companies I spoke with - they started several years ago taking log management software developed by a Spanish bank, then moved into security assessments and consulting, legal advisory, digital protection of the ‘horse-has-left-the-barn’ type done by folks like Cyveillance and others, which chase down digital intellectual property around the world. They do lots more, and we look forward to speaking with them at length.
I’m excited to meet back up with Secerno, which does database transaction anomaly detection, a key thing we’ve been looking at - but it seems that they may be doing it a bit differently from competition such as Guardium, Tizor, Imperva and Application Security Inc. I’m going back to the show to meet with Secerno today.
Bradford Networks was at the show showing off its new Guest and Contractor only lite version of its NAC, and the booth was packed. Looked as if Bradford was having a good time - I also ran into Ray from ForeScout but didn’t get a chance to stop by the booth.
Last year I spent time at the worst product demo of what looked to be the most interesting product at the show, the Swiss strong encryption vendor InfoGuard. This year it’s got its act totally together, a new look and a stonking great, absolutely awesome encryption product which I am now going to take a long look at. Speaking of encryption, I had dinner last night with two of the folks from Thales e-Security, which likes to refer to itself as the biggest security company that no one has ever heard of. They’re serious people with serious stuff that costs a serious amount of money and I really liked what I heard. We spent a great deal of time talking around the issue of securing information in the cloud - around it because they had to speak slowly to me and use very simple words - they’re on-another-planet smart, and we’re pleased to say that they will be joining us at our Enterprise Computing Strategies Europe show, and appearing in a panel I am moderating on that subject - should be awesome because, after all, cloud is all about security.
More later - I’m heading back to the show.