Harlan, tell us about your job role and your background.
My title at Nuix is “Director, Intelligence Integration”. What this means is that my role is to help our own team, as well as clients, look for ways to incorporate intelligence, in its various forms and from various sources, into our products, and by extension, workflows using our products. This includes, but is not limited to, the Security & Intelligence products. The Nuix S&I products augment the entire Nuix product line, extending their coverage over client issues, and providing the ‘single pane of glass’ to meet the investigative challenges our clients face. By adding the S&I product line, Nuix is not leaving its bread-and-butter behind; quite the opposite, in fact.
Rather than moving away from ediscovery, the Security & Intelligence products are simply a natural extension to the capabilities offered by products for which Nuix has been known from the beginning. I see my role as one of bringing the power of the Nuix S&I products to bear to help clients address real-world problems faster, and in a more timely manner.
What interested you most about the forensics and digital investigations industry?
I first became interested in the information security field while I was in graduate school in 1995. There were a number of challenges in the field that were interesting to me, some technical, some involving people and their “culture”. That interest remained with me when I left active military service and stepped into an information security consulting role.
One of my first tasks was running ‘war dialing’ scans, looking for open modems, and from there I moved into vulnerability scanning on the enterprise level. This then naturally led to the digital forensics and incident response (DFIR) work I’ve been doing for almost 20 years.
Early on, I opted to focus specifically on Windows systems, for two reasons; one was because they were so pervasive. Every client I worked with was at least a 90% Windows shop, with many being 100% reliant upon the Microsoft product line. The second reason was due to the fact that at the time, none of the analysts I worked with focused much attention on those systems; everyone on our team had their own favorite variant of Linux, and some of the analysts specialized in firewall platforms, routers, etc. We needed a deep knowledge of Windows systems, and I stepped in to fill that role.
What was the industry like when you were first starting out your career in comparison to now?
Looking back, perhaps the biggest difference is the training and certification options that are available now. Twenty years ago, there were not the options that we have available today. There are so many more options available today, not only for training at various levels (i.e., entry, intermediate, etc.), but some of the training options go beyond vendor-specific training and do deep dives into the use of open source and freely available tools.
Another difference I’ve seen is the move from forensic analysis of specific systems to incident response involving the entire enterprise. This is due in part to the adversary naturally evolving and extending beyond single systems. This also involves a push from compliance and regulatory bodies, which have imposed oversight and asked questions that require a good hard look at the enterprise in order to develop an accurate response.
Finally, I think a really big change I’ve seen over the years is the adversary’s development of economic and business models pertinent to what they do, and this activity has really shown the value of what consultants have been saying about information security from the beginning. Information or cyber security has always been an “arms race”, of sorts, with the good guys seemingly always a step or two behind. If the last decade has shown us anything at all, it’s the value of the visibility provided by EDR instrumentation on the endpoint, coupled with the application of the appropriate intelligence, to allow organizations to achieve early detection and to respond to breaches before sensitive data is accessed.
What was your biggest goal for Nuix in 2017?
I started with Nuix at the end of August in 2017, so I can’t say that I really had any “goals” for Nuix. Rather, the goals I had for myself included learning more about the Nuix products, and looking for ways that the products could be leveraged to build out professional services provided by partners. However, one interesting task that we were able to achieve was to develop two extensions to the Nuix Workbench product, to provide investigators with a greater level of capability.
What do you hope to accomplish in 2018 and beyond?
I’ve spent over two decades in cybersecurity, and I’ve seen regulatory bodies develop standards for “compliance”, in order to bring a modicum of security to organizations. I’ve seen breaches occur with organizations found to be compliant with those standards. Compliance is not enough, particularly when dedicated adversaries are driven and supported by an economy. As such, organizations need to start looking at the security of not just their information, but their brand, in a different way.
Logging in operating systems and applications is, for the most part, not designed with incident response in mind. SIEMs are only as effective as the information logged and forwarded to that central location. We know that breaches are an inevitable fact of life in the online world; as such, defenders need to have a new perspective on what it takes to detect, respond to and mitigate breaches much earlier in the adversary’s cycle.
Further, breaches are expensive, in more than just the monetary sense. Breaches are often discovered by a third party external to the compromised organization, which means that the extent of the damage had gone unnoticed for what is often a significant period of time. Breaches result in direct costs with respect to the investigation, remediation, and notification, as well as indirect costs, such as a significant impact to the organization’s brand, losses in productivity and sales, etc.
My hope for 2018 and beyond is to help organizations realize the value of “living left of breach”, and understanding that the cost associated with a “left of breach” posture is not only much less than living “right of breach”, but it is also programmable in budgets, and in the long run, significantly reduces (if not obviates) the costs associated with recovering from a breach. If an adversary is detected early in their cycle of activity, and the proper responsive action is taken, then the costs of notification, fines, and having to have former CEOs testify before Congress are obviated.
What do you like to do in your spare time?
Ha! “Spare time”…that’s a good one. At the moment, I’m still writing books, working on completing the manuscript for number 9. The title is “Investigating Windows Systems”, and it’s due to be delivered to the publisher in April, 2018.
Aside from that, I enjoy horseback riding, working around the farm, and brewing my own beer.
Harlan Carvey is Director of Intelligence Integration at Nuix, a full-service digital forensics company with customers in more than 70 countries.