Fighting the person should be cybersecurity best practice: Nuix

When it comes to tackling an insider threat, Keith Lowry, senior vice president at Nuix, has said that organisations need to focus on the person, rather than attempting to block them with more technology.
Written by Asha Barbaschow, Contributor

One major mistake organisations and governments are making in protecting their systems is neglecting the importance of focusing on the person at the end of the attack, according to Keith Lowry, senior vice president at Sydney-based intelligence, analytics, and cybersecurity software firm Nuix.

The 25-year cyber-veteran said that the majority of all insider threat programs he has been privy to begin with the foundation of technology, and that in reality, the foundation of a counter-insider threat program needs to start with recognising there is a person at the other end.

"It's about people using technology -- it's not about technology by itself -- and too many people focus on the fact that it's all technology and therefore the answer to it must be a piece of technology," Lowry said.

"If you build the foundation from that premise, I believe that's why we're not doing very well."

When it comes to tackling cybersecurity, Lowry said organisations worldwide are struggling, confused why the amount of money they are spending is not resulting in them winning the battle against the bad guys.

Before he took up his current role at Nuix, Lowry served as Chief of Staff to the Deputy Under Secretary of Defense for Human Intelligence, Counterintelligence and Security at the Pentagon; was a former law enforcement officer and High-Technology Crime Unit detective with the City of San Jose California; and also worked at the US Food and Drug Administration.

Speaking with journalists in Sydney, Lowry said the definition of what constitutes an insider threat changes with who you ask, noting that even within the US government, just about every agency has a different idea of what an insider threat means.

"My definition of an insider threat is, strictly speaking, once you penetrate the outside perimeter and defensive walls and you are inside, to me it's irrelevant how you got there or what your position is; once you got inside, and if you've decided you're going to do damage, then to me that's an insider threat," he said.

"That's the problem with our current system, everybody is focused on the perimeter and the defensive and when those perimeters fail then everybody points fingers at each other and says somebody else is responsible."

Lowry said that once someone is inside, they know they can do whatever they want because the organisation and the country's justice system often do not have any jurisdiction to go after them.

One of the major challenges Lowry said organisations and governments are facing is keeping up with technology, noting that often policies and procedures from a technological standpoint cannot keep up with the intricacies in the development.

"The development lifecycle in the commercial world cradle-to-grave of a new technology is 18 months, so that means three years from today whatever is going to be in the market hasn't been invented yet," he explained. "From a technological standpoint, it's just too difficult to keep up with it."

Speaking of his time at the US Department of Defense, Lowry said that if an individual wanted to write a policy that was an absolute emergency, fast tracking the policy would take 18 months, compared to the three-year period it takes for a standard policy to be put into place.

"It meant that policy was totally outdated ... for commercial stuff," he added. "Technology goes far beyond and so much faster than governments are able to ingest and protect against."

Another challenge is malware. Likening the perimeter protection concept of keeping malware at bay to the Great Wall of China, Lowry highlighted there was about 20 million instances of malware in 2007 and approximately 140 million now.

"If the Great Wall of China was created to keep out 7 million [people] ... and all of a sudden 140 million showed up, would the Great Wall of China been effective? Because it wasn't designed for 140 million attacking it," he said.

Lowry also pointed to a recent study of 5,000 people across Europe, the United States, and Australia that revealed 23 percent would be willing to sell information about their company for as little as $150.

"So what that's really saying is that there's a trend -- the population mindset is changing," he said. "This isn't about technology, it's about the movement of the population and what their thought processes are."

In Australia to conduct high-level security briefings with government agencies and businesses to help implement, manage, and direct insider threat, counterintelligence, and intelligence collection programs, Lowry disclosed briefly what it was like working on the damage assessment team that was investigating one of the most infamous insiders, Edward Snowden.

Restricted from divulging too much information, Lowry did say that very few people actually know what it is Snowden took.

"Basically in his process, he stole somewhere around 15,000 documents that belonged to the Australian government, highly classified; he stole about 60,000 documents that belonged to the United Kingdom, all classified; he took about 200,000 documents from the US government that were highly classified; and about 90,000 documents from the US Department of Defense that were highly classified," Lowry said.

"What's amazing is that less than 1 percent of the documents he's taken have ever been revealed, and the documents he did reveal may or may not have had anything to do with the metadata collection program."

Taking it back to his notion of the insider, Lowry said to him it is irrelevant whether Snowden was an insider who wanted to do "good".

"The problem is he made a choice to do something he agreed not to do, so he was the ultimate insider because he was a systems administrator. He had the keys to the kingdom ... and there was nobody there to oversee him," he said.

"Was that a problem? Yes it was, because in my opinion they had built a program around the technology and not watching the person.

"We have forgotten the essence of people in all of this."

Editorial standards