Is the cybersecurity industry in an arms race with the cybercriminals?
We haven’t even got into the race yet, says one computer forensics CEO.
Eddie Sheehy, CEO at forensics outfit Nuix, says the criminals currently have so many advantages that calling it an arms race between the good guys and the bad is to paint a picture that’s not true.
"At the moment the bad guys have so many advantages, it is not funny. To give you the idea that we are anywhere near the level of sophistication of the cybercriminals would not be true. When it becomes an arms race is when we’re more on an equal footing with the criminals. We as an industry haven’t provided organisations yet [with the technology] just to stop the most basic threats. If we were, this conversation would be slightly different. It is so easy to breach virtually any organisation, it is that one sided."
Nuix, he says, has penetration testers on staff who, over the last decade, say they have never come across an organisation they failed to breach.
"I’ve come across industry players who advised their clients not to bother getting penetration tested because they know they will fail. Their attitude is one of knowing they can’t fix the issues, so don’t bother finding out how bad it is. This is happening across the board."
The arms race isn’t simply around repelling attacks. Sheehy says it is difficult to grasp just how innovative the bad guys are. They are constantly thinking up new ways of getting at your information and stealing it.
And this will continue forever because it is a really cheap crime to undertake. Anyone with a laptop and web connection can try it.
Cybersecurity has changed massively over a very short time. It is the most efficient industry ever created.
Market Efficiencies
Sheehy says it breaks down as follows.
"There are cyber criminals who are real experts at identifying weak networks. And there’s a black market of sellers and buyers. Sellers saying these networks can be breached based on these characteristics. And there are experts who specialise in breaching those networks. Then there are those who sell the information that for example six different companies in Sydney were breached and ask ‘does anyone want to buy those from me?’"
"Another criminal organisation will say, ‘ok, I want to buy those from you and I want to buy a bunch of malware which can be targeted to identify certain types of information from those groups – let’s say credit card information.’"
"And there’s a fourth group, who will monetise that information, those credit card numbers, and get them out into the street in three hours."
Unlike in normal markets, all of this can happen incredibly quickly.
And, says Sheehy, there’s a lot of trust inside these markets. There are money back guarantees with offers such as: "If you don’t monetise this information, I’ll give you your money back in 30 days."
So as a supply chain and market it is exceptionally efficient.
The situation today is that a target organisation is perfectly stable and happy with itself and within six hours it can be breached and have a bunch of its customer credit card information stolen and distributed.
Eddie Sheehy, CEO Nuix
Organised Crime versus Computer Forensics
"It is not just the guys in the garages anymore – the guys in the garages have come to the notice of the guys in organised crime. So it’s a knock on the door that says ‘you’re making money so we want you to work for us.’ So you have a choice, work for them or not work at all. It is the same organised criminal who is doing human trafficking and drug dealing who wants to drive this because it is easy money."
Computer forensics has changed a lot in the last ten years. Back in 2007-08 there were one or two tool sets that would look at a hard drive, and with a lot of human manpower and knowledge it was possible to pull that apart and tell what happened. But there weren’t enough experts to go around, so cases got dealt with slowly or late.
The second iteration was not just being able to look at one hard drive at a time but 10 or 20.
Today, now that the world runs on multiple phones, tablets, laptops, file shares and cloud environments, the forensic solutions must look at all that data holistically.
There was a realisation, and it should have happened a lot earlier, that we are all much more complex than just using a laptop, says Sheehy.
That led to further developments. Enterprise environments are complex, and the players and stakeholders involved in forensics vary according to the type of data being examined.
"I have it all in the one place and can examine it but you need experts to look at it. It might be a tax case or a legal case, and it might need various people to examine the data. A tax specialist, a couple of lawyers and a computer forensics expert, and that information may need to be pushed to more domain experts."
There will be more need for this investigatory approach as firms will continue to be breached and data will continue to be stolen.
"But the next iteration is pushing that information in real time to stop bad things from happening as opposed to auditing things after the fact," he says.
Nuix has a platform engine deployed in various ways across corporations.
"Some customers use it for investigating data breaches, or for stopping data breaches; they use it for information governance to make themselves small targets. They want to identify all the information that is valuable and that, if they were breached, would be safe under lock and key. We can do that."
The firm’s clients include law enforcement, regulatory organisations, litigation support organisations, most of the world’s biggest banks, big pharma, tech companies, regulated industries, anyone who has a lot of data and wants to interrogate it.
Vodafone UK is a client, and the firm’s technology was used in the Mossack Fonseca Panama Papers investigation.
The Code
Nuix has three distinct code bases. The core processing engine is developed in Sydney, Australia, and its mission is to break down file types to ones and zeros, so that the data can be structured and put into a database which allows it to be searched effectively.
The second element is the collection layer, an endpoint solution which lives in the memory of the customer’s computers so ‘we can watch and monitor at the current level of your laptops and servers in order to identify malware and bad activities, not just from the cybersecurity perspective but also from the insider threat.’
"The third level is the web layer. On top of a series of Java APIs and RESTful APIs, we have instituted an analyst platform that allows people who don’t understand bits and bytes, who are not computer forensic experts, to interrogate that data. And that data could be the Ed Snowden insider threat, or the sales director who has just left, or the unwitting person who has been socially engineered to allow others to access their system. It’s the last line of defence. It has to be out on laptops and devices."
It is about watching the behaviours of malware and normal software. Malware typically has a series of characteristics. It needs resources to undertake its activity, and once you understand those you can stop it.
"There’s good software, there’s bad software and software you’re not certain about. So there’s whitelisting, blacklisting and sandboxing the stuff you don’t understand. It is part of the solution, but also recording the information so when something new happens you have it to refer back to. You look back and say this is the characteristic of the breach that has happened in customer X, can you see in any other customer that same pattern."
"We’re extending what we can do with our engine. We’re not leaving electronic discovery or forensic investigation. The extension is another use case that we can put our technology to. When it comes to incident response and cyber security, the people who get breached are not just big banks and agencies. It is everyone with IP that can be monetised, which is pretty much all of us," he says.
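The triage model Sheehy describes, whitelisting, blacklisting, sandboxing the unknown, and recording observed characteristics so a pattern from one breach can be searched for across other customers, can be sketched in a few dozen lines. The example below is added here for illustration and is not Nuix code; the reputation lists, the characteristic labels (such as `persist:autorun`), the escalation rule and all observations are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Observation:
    """One process observation as an endpoint agent might record it.
    'characteristics' are the resources the process used (hypothetical labels)."""
    customer: str
    process_hash: str
    characteristics: FrozenSet[str]


# Constructed reputation lists keyed by file hash (placeholder values).
# "whitelist" / "blacklist" in the interview map to ALLOWLIST / BLOCKLIST here.
ALLOWLIST: Set[str] = {"sha256:known-good-updater"}
BLOCKLIST: Set[str] = {"sha256:known-bad-dropper"}

# Constructed example of "resources malware needs": an unknown process that
# shows all of these is escalated even though its hash is on neither list.
ESCALATE_IF_ALL: FrozenSet[str] = frozenset(
    {"persist:autorun", "net:new_external_host", "read:browser_credentials"}
)


def triage(obs: Observation) -> str:
    """Blocklist wins over allowlist; anything unknown goes to the sandbox,
    and unknown processes showing the full escalation pattern are flagged."""
    if obs.process_hash in BLOCKLIST:
        return "block"
    if obs.process_hash in ALLOWLIST:
        return "allow"
    if ESCALATE_IF_ALL <= obs.characteristics:
        return "sandbox+alert"
    return "sandbox"


class BehaviourStore:
    """Keeps every observation so the characteristics of a breach seen at one
    customer can be searched for across all customers later."""

    def __init__(self) -> None:
        self._records: List[Observation] = []

    def record(self, obs: Observation) -> str:
        """Store the observation and return its triage verdict."""
        verdict = triage(obs)
        self._records.append(obs)
        return verdict

    def pattern_from_breach(self, customer: str, process_hash: str) -> FrozenSet[str]:
        """Union of characteristics observed for one process at one customer."""
        chars: Set[str] = set()
        for r in self._records:
            if r.customer == customer and r.process_hash == process_hash:
                chars |= r.characteristics
        return frozenset(chars)

    def customers_with_pattern(
        self, pattern: FrozenSet[str], min_overlap: float = 1.0
    ) -> Dict[str, List[str]]:
        """Map customer -> process hashes whose characteristics cover at least
        min_overlap (fraction) of the breach pattern."""
        hits: Dict[str, List[str]] = {}
        if not pattern:
            return hits
        for r in self._records:
            overlap = len(pattern & r.characteristics) / len(pattern)
            if overlap >= min_overlap:
                hits.setdefault(r.customer, []).append(r.process_hash)
        return hits


def demo() -> Dict[str, List[str]]:
    """Constructed run: record observations from three customers, take the
    pattern of a confirmed-bad process at customer-x, search everyone else."""
    store = BehaviourStore()
    events = [
        Observation("customer-x", "sha256:known-good-updater",
                    frozenset({"net:new_external_host", "write:temp"})),
        Observation("customer-x", "sha256:unknown-1",
                    frozenset({"persist:autorun", "net:new_external_host",
                               "read:browser_credentials"})),
        Observation("customer-y", "sha256:unknown-2",
                    frozenset({"persist:autorun", "net:new_external_host",
                               "read:browser_credentials", "write:temp"})),
        Observation("customer-z", "sha256:unknown-3", frozenset({"write:temp"})),
        Observation("customer-z", "sha256:known-bad-dropper",
                    frozenset({"persist:autorun"})),
    ]
    for e in events:
        store.record(e)
    breach_pattern = store.pattern_from_breach("customer-x", "sha256:unknown-1")
    return store.customers_with_pattern(breach_pattern)


if __name__ == "__main__":
    print(demo())
```

Lowering `min_overlap` widens the search to partial matches, which is how an analyst would hunt for variants that share only some of the original breach's characteristics; the trade-off is more false positives, so the threshold is a tuning decision rather than a fixed value.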
Nuix is privately held and Sheehy doesn’t rule out an IPO. "We’re a fast growing organisation. It is not impossible that we could IPO within two years."
"The Ed Snowden thing made it all front of mind. There are a finite number of methodologies for getting data out of an organisation. That number will increase – someone will have new ideas for accessing of data. What we bring to market is not just looking for malware but the behaviour of individuals who could be or are stealing your IP.