So tell me a bit about your role here at Nuix and the services you offer.
Sure, so my name is Chris Pogue. I was formerly the Chief Information Officer. I am now the Global Head of Security Services and Partner Integrations. So basically anything that has human beings involved in it that isn’t selling or building new solutions falls under my remit. So that’s office of the CISO, our cyber-threat analysis team, IT, partnerships, training, customer support, and knowledge management. I’ve been here at Nuix for three years now and prior to that I was at Trustwave’s SpiderLabs. I used to run SpiderLabs in the Americas and prior to that I was at IBM and the US Army.
So the product suite that Nuix has covers what we really call the ‘incident life-cycle’, so it’s from initial contact with an adversary all the way through post-breach litigation, or compliance actions in conjunction with either a GRC – Governance, Risk, Compliance – regime or legislation. We have a product that lands in each one of the stages of the incident life-cycle. We have an adaptive security system that sits on the machines themselves that can do monitoring, that can take action against specific activity – you can build in rule sets, it’s very dynamic. And then there’s a collections component where we can aggregate data in suspicion of an incident. We can analyse that data then in our analytics and intelligence product and our investigation product. We can then transmit that data into our eDiscovery product to prepare for post-breach litigation, or you can buy each one of those components individually. So if you are, let’s say, a law firm and you just deal with electronic discovery and litigation, then you can just buy that piece, or if you’re a police department or law enforcement agency you just buy the investigations piece. Or you can buy the whole Voltron robot and add all the pieces to it.
And which products seem to be most popular on an individual basis? Are there particular sectors reaching out for these services?
So historically, eDiscovery has been our rice and beans. But as we’ve evolved as an organisation we’ve taken the capabilities of the engine, which is our underlying, multi-threaded processing capability to flatten data and to make it usable – predominantly unstructured and semi-structured data. So things like emails, database contents, Office 365 vaults, stuff like that, but as we’ve evolved, it’s moved more into investigations – well I don’t want to say ‘more’ – it’s moved into investigations and now into cyber-security. So we identify threats, take action against threats, and then provide an opportunity to investigate those at a higher level. We’re trying to address the skills gap. The number of organisations that are experiencing incidents but don’t have advanced security teams, they have stuff happening to them too. So they are in a position where they have to build or buy, so we’re trying to give them a solution that they can use that’s easy to use but still effective.
The rate at which offensive agents – ‘hackers’ for lack of a better term – are adapting and using different methodologies seems to be on the increase. Do you think it’s hard for those on the defensive side to keep up with these adaptations?
So I think it’s fair to say that offensive technologies and methodologies have outpaced defensive. Now the evolution of that is arguable, because in the media it makes for great stories. It’s very sensational to say that it’s nation-state hackers and it’s super complicated, but after being an investigator myself for fifteen years, usually there’s no evidence to support that, right, it’s fish in a barrel. Like we’re working a case today – the guys on the cyber-threat analysis team – where the organisation is just using poor IT hygiene. Bad passwords, no network segregation, most people just don’t have a good handle on what they have. So when an attacker comes in it’s sort of like a messy house. There’s good stuff and bad stuff lying around everywhere. So I put organisations that are advanced enough to really mount a respectable defense in single digits. From a percentage perspective.
Going back to your time in the US Intelligence Service, what trends did you observe when it came to cyber-attacks? Could you determine motive – whether fiscal gain, political disruption, ‘sending a message’, and how does that compare against attacks on more commercial or corporate entities?
Yes, and there are kind of pillars to it. There’s the predominantly Eastern European organised crime groups that go after financial data. Credit card information is still king on the black market because you can still steal it and sell it and it’s easy to monetise. So that would be one pillar. Then you have hostile nation states, failed nation states that are going after intelligence data. Let’s say they want to know what the Irish government is doing, they want to know what your strengths are, how many soldiers do you have, how many sailors do you have, what’s the positioning of your ships, what’s the positioning of your air force, how it all works. And then there’s business intelligence, which is again more hostile nation states, going after ‘what’s the next model of the Ford F-150, what does the Raptor exhaust system look like?’ – going after business intelligence. And then there’s geopolitical, ‘I don’t like you for what you stand for, what you represent, who’s on your staff, what you said in a media interview, what religion you are, what race, what creed’, etc., so those are the buckets, and from a trending perspective, they all sort of move at the same time. The better we get at detection, the more we realise most organisations have either suffered or are currently compromised. And so, ‘what do you have that’s valuable?’ – then understand that there’s probably somebody there trying to steal it.
Nuix has played a key part in resolving some of the more recent and most notable breaches – such as the infamous Panama Papers – and the company itself has been experiencing significant growth over the last few years, so in terms of market share and competition in the sector, how do you feel ye place in the cyber-security ecosystem?
Yeah it’s a huge market and lots of organisations are hanging out a shingle and saying ‘Hey, we do cyber-security’ and so it becomes a bit of a ‘me too’ and how do you distinguish yourself from other organisations? And so where we kind of hang our hat is our engine – it’s faster and more effective at getting data into the hands of analysts in a way that is unmatched. There is nothing that is as fast as our tool is. So that’s sort of our distinguishing characteristic. And then so you have a lot of folks here who… see there’s been this pendulum swing, where you had pure-play security companies sort of stand up maybe ten years ago, so the likes of Mandiant, Trustwave, SecureWorks, organisations like that, who then get snatched up. So they’ve established themselves, they build up, they get a reputation, telcos come in or other organisations and they buy them. Right, so Dell buys SecureWorks, Singtel buys Trustwave, FireEye buys Mandiant, etc. So you have some pure-play security companies that are now part of larger companies. Well most security folks – pen-testers, which are ethical hackers, forensics investigators, researchers – they don’t necessarily like working for big companies, so unless you sort of hit that sweet spot and want to move to Silicon Valley and work for Apple or Google or something like that, you like working for smaller companies where you have influence and where you have the ability to impact the organisation, you’ve got freedom with how you work and where you work, so the pendulum has now swung the other way where we’re back to the smaller companies, mid-sized around 500 people or less, who are really showing that they have expertise in security, so that pendulum will swing back and someone will buy us or we’ll go public. It’ll just keep going back and forth. Right now the real brain trust is in the small companies.
Does being part of a smaller group increase the likelihood of working in more adaptive ways? For example, could you talk a bit about the Nuix Black Report where ye left the data aside and sourced information directly from individuals capable of perpetrating such attacks?
Sure, so we had that idea because there’s lots of cyber-security reports, right, I googled it and there was like fifty to sixty. So we read twenty of them or so and said ‘OK, what are the common themes?’ because we want to write one, but we want ours to be different, and we want being different to make a difference, and so we saw two commonalities. We saw that most of the reports were written from the perspective of the victim, so ‘what bad things happened to me’, etc., and then they were limited by the client base of that author. So what we did with ours, which we called the Black Report, is that we went to DEF CON and Black Hat, which is the world’s largest – we call it hacker summer camp, right – it’s three conferences back to back to back, DEF CON, BSidesLV and Black Hat, all in one week, all in the same area, in Las Vegas. You could have up to 25,000 computer security enthusiasts-slash-hackers – white hat, black hat, grey hat, and everyone in between – descend on the Las Vegas strip for a one-week period, so we said ‘Hey, let’s take advantage of this and offer them booze, right?’ So we had a party, we invited them in and we said ‘Hey, fill out this survey and there’s the open bar for 5 hours’, and so we got them to fill it out and what we found through the results of the survey was really quite interesting, because when we juxtaposed what is being stated in some of the bigger reports with what we found, they weren’t lining up. So what CISOs and CIOs were thinking were effective counter-measures aren’t effective.
When we looked at what things were good, you know non-technical countermeasures, things like training, employee awareness, a lot of CISOs and CTOs or CIOs thought that was not effective, where the hackers said that was completely effective, they said ‘that wrecked my day, when you have a good administrative assistant at the front of the office who doesn’t let people in, who tells people on the phone to buzz off, who doesn’t click on emails with strange attachments or links’, so what we’re trying to do is level set what the hackers know to be true and what the CIOs, CTOs and decision makers in organisations think is true. And so the theme last year and the theme this year is ‘perception vs. reality’. So for our rookie year we had about 10,000 reads, which is pretty good for the first time we’ve done it, you know we’re relatively unknown in this space, so this is our second year, we’ve expanded the remit of the report, we included authors from all over the world, we’ve included law enforcement agencies from all over the world, we’ve included respondents from the US, from Australia, from Asia, from the Philippines, from anywhere we met folks throughout the course of the year to give a more global perspective of what the trends are.