In The Matter Of:
`
`THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF
`NEW YORK
`v.
`SYMANTEC CORPORATION
`
` ___________________________________________________
`NACHENBERG, CAREY, 30(b)(6) ‐ Vol. 1
`September 26, 2014
`
` ______________________________________________
`
` HIGHLY CONFIDENTIAL
`ATTORNEYS' EYES ONLY
`
`-1-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF
`NEW YORK
`v.
`SYMANTEC CORPORATION
`
` ___________________________________________________
`NACHENBERG, CAREY, 30(b)(6) ‐ Vol. 1
`September 26, 2014
`
` ______________________________________________
`
` HIGHLY CONFIDENTIAL
`ATTORNEYS' EYES ONLY
`
`-1-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 1
`
` IN THE UNITED STATES DISTRICT COURT
` FOR THE EASTERN DISTRICT OF VIRGINIA
` RICHMOND DIVISION
`
`THE TRUSTEES OF COLUMBIA )
`UNIVERSITY IN THE CITY OF )
`NEW YORK, )
` Plaintiff, ) Case No.
` vs. ) 3:13-cv-00808
`SYMANTEC CORPORATION, ) JRS
` Defendant. )
` )
`
` HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`
` 30(b)(6) DEPOSITION OF CAREY NACHENBERG
` TAKEN ON
` FRIDAY, SEPTEMBER 26, 2014
`
`Reported by: PHILIP D. NORRIS
` CSR NO. 4980
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-2-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 2
`
` 30(b)(6) Deposition of Carey Nachenberg,
`taken on behalf of Plaintiff, at 1800 Avenue of the
`Stars, Los Angeles, California, on Friday, September
`26, 2014, at 9:01 a.m., before Philip D. Norris, CSR
`No. 4980, pursuant to Notice.
`
`APPEARANCES:
`FOR THE PLAINTIFF:
` IRELL & MANELLA
` BY: JASON SHEASBY, ESQ.
` 1800 Avenue of the Stars
` Suite 900
` Los Angeles, California 90067-4276
` (310) 277-1010
`FOR THE DEFENDANT:
` QUINN EMANUEL
` BY: DAVE NELSON, ESQ.
` 500 West Madison Street
` Suite 2450
` Chicago, Illinois 60661
` (312) 705-7465
`ALSO PRESENT:
` THOMAS W. BARR
` ADAM D. SPERRY (Videographer)
` DAVID MAJORS, ESQ.
`
`1
`2
`3
`4
`5
`
`6 7
`
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-3-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 7
`
` LOS ANGELES, CALIFORNIA; FRIDAY, SEPTEMBER 26, 2014
` 9:01 A.M.
`
` THE VIDEOGRAPHER: Here begins Volume I,
`Videotape No. 1, in the deposition of Carey
`Nachenberg, in the matter of Trustees of Columbia
`University of the City of New York versus Symantec
`Corp, et al., in U.S. District Court, Eastern
`Division of Virginia, Richmond Division. The case
`number is 3:13-cv-00808. Today's date is 26
`September, 2014. And the time on the video monitor
`is 9:01 a.m.
` The video operator today is Adam D. Sperry,
`a notary public contracted by Merrill Legal
`Solutions at 20750 Ventura Boulevard, Woodland
`Hills, California. This video deposition is taking
`place at 1800 Avenue of the Stars, Los Angeles,
`California, and was noticed by Jason Sheasby of
`Irell & Manella.
` Counsel, please voice identify yourselves
`and state whom you represent.
` MR. SHEASBY: Jason Sheasby. With me is
`Thomas Barr.
`
`08:33:03
`08:39:01
`08:39:01
`08:39:01
`09:00:58
`09:00:59
`09:01:08
`09:01:12
`09:01:17
`09:01:19
`09:01:23
`09:01:23
`09:01:31
`09:01:35
`09:01:38
`09:01:41
`09:01:43
`09:01:47
`09:01:50
`09:01:53
`09:01:58
`09:01:59
`09:02:00
`09:02:01
`09:02:04
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-4-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 8
`
` MR. NELSON: David Nelson on behalf of
`Symantec and the witness. And with me is David
`Majors from Symantec.
` THE VIDEOGRAPHER: The court reporter today
`is Philip Norris of Merrill Legal Solutions.
` Would the reporter please swear in the
`witness.
`
` CAREY NACHENBERG,
` having been first duly sworn, was
` examined and testified as follows:
`
` EXAMINATION
`
`BY MR. SHEASBY:
` Q. Good morning, sir.
` A. Good morning.
` Q. I'm handing you Exhibit 1 --
` A. Okay.
` Q. -- to your deposition, which is a Notice of
`Deposition of Symantec Corporation, dated August
`5th.
` (The document referred to was marked by the
`reporter as Exhibit 1 for identification and is
`attached hereto.)
`
`09:02:05
`09:02:08
`09:02:11
`09:02:11
`09:02:18
`09:02:20
`09:02:22
`09:02:34
`
`09:02:35
`09:02:35
`09:02:36
`09:02:36
`09:02:37
`09:02:39
`09:02:41
`09:02:43
`09:02:45
`09:02:45
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-5-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 82
`
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` Q. What's an anomaly detector?
` A. To my knowledge, an anomaly detector is a
`system that baselines a set of usage. For instance,
`how many logins are made at what times of day from a
`computer system. Okay? How many sensitive
`documents are accessed by a particular user at a
`particular time of the day or in a particular day of
`the week.
` And then based on making a -- a model of
`what normal behavior looks like, the anomaly
`detector would then look for deviations to that
`model, to that, you know, that normal behavior that
`are outside of statistical likelihood, and, you
`know, then alert a user or administrator or other
`system that there's a deviation from the norm.
` Q. And by "deviation from norm" you mean
`
`10:41:03
`10:41:05
`10:41:10
`10:41:13
`10:41:18
`10:41:22
`10:41:25
`10:41:27
`10:41:28
`10:41:33
`10:41:37
`10:41:39
`10:41:42
`10:41:48
`10:41:51
`10:41:54
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-6-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 83
`
`1
`2
`3
`4
`5
`6
`
`deviation from what is defined as normal or good;
`correct?
` A. So by "deviation from the norm" I mean
`deviation from what is measured over time for the
`system and what is typical for the system over a
`particular time period.
`
`10:42:05
`10:42:08
`10:42:08
`10:42:11
`10:42:18
`10:42:20
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-7-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 84
`
`24
`25
`
` Q. So you're able to distinguish whether
`something is an anomaly detector or not?
`
`10:44:47
`10:44:50
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-8-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 85
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`
` A. I would say in most cases, yes.
` Q. So maybe you are an expert in the field.
` A. Maybe.
` Q. Can anomaly detectors use rule sets?
` MR. NELSON: Objection. Vague.
` THE WITNESS: I am not aware of anomaly
`detectors using rule sets. But I guess anything is
`possible.
` Typically, as I said, anomaly detectors
`build a baseline model up for -- for legitimate,
`average, you know, day-to-day usage and then look
`for deviations that are statistically relevant in
`that usage.
`
`10:44:53
`10:44:54
`10:44:57
`10:44:58
`10:45:06
`10:45:07
`10:45:11
`10:45:17
`10:45:17
`10:45:20
`10:45:25
`10:45:27
`10:45:29
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-9-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 89
`
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` Q. So when you measure normal system activity
`for anomaly detector, you could be measuring
`activity that's performed by good programs, you
`could be measuring activity that's performed by bad
`programs, you could be measuring activity that's
`performed by in between programs; correct?
` A. So when anomaly detector runs on a computer
`system, generally it runs on a computer system, for
`instance, yours or mine, that would be considered
`a -- you know, used for legitimate purposes, and if
`in collecting that information about the activities
`on the system, which we would detail -- it's called
`normal activities -- it is possible that, yes,
`malicious software could be running on that system
`
`10:50:00
`10:50:04
`10:50:08
`10:50:10
`10:50:13
`10:50:16
`10:50:22
`10:50:26
`10:50:28
`10:50:31
`10:50:33
`10:50:37
`10:50:39
`10:50:41
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-10-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 90
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`
`unbeknownst to the operator or -- or, you know, in
`between software it could be running on the system
`unbeknownst to the operator.
` But generally speaking, in the field we
`would say that we want a system to not have any
`malicious software running while we're actually
`baselining the system activity, because otherwise
`that would taint the baseline of the system
`activity, and we would include bad behavior along
`with good behavior, normal behavior, you know, on
`the system.
`
`10:50:43
`10:50:47
`10:50:49
`10:50:51
`10:50:52
`10:50:55
`10:50:58
`10:51:01
`10:51:03
`10:51:06
`10:51:10
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-11-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 96
`
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` Q. In anomaly detection, what you do is you
`try to construct a model of normal behavior;
`correct?
` A. I agree with that.
` Q. And as part of that model of anomaly
`behavior what you try to model is what you described
`as a set of good programs that would be running on
`that normal system; correct?
` A. So generally speaking, anomaly detector, it
`is the desire of a practitioner, who is trying to
`learn a set of normal behaviors, to learn that set
`of normal behaviors without malicious software
`running on the system. But it is possible, and, in
`fact, happens all the time, that anomaly detector
`will run on a system where there are both good and
`
`11:00:33
`11:00:37
`11:00:40
`11:00:40
`11:00:41
`11:00:44
`11:00:48
`11:00:51
`11:00:53
`11:00:56
`11:01:00
`11:01:05
`11:01:07
`11:01:11
`11:01:13
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-12-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 97
`
`1
`2
`3
`4
`
`bad behaviors because unbeknownst to the operator,
`there's malicious software running on that system,
`and the set of normal behavior for that system will
`include both malicious and legitimate behaviors.
`
`11:01:16
`11:01:19
`11:01:21
`11:01:24
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-13-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 98
`
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`
` Q. So moving back. You spoke about the fact
`that the goal in anomaly detection when you're
`creating this model of normal behavior is to
`understand the behavior of the system when only good
`programs are running on it, although there's a risk
`that there could be bad programs filtered in there?
` A. Yes.
` Q. And so in anomaly detection, when you're
`creating this model, you're at least trying to make
`sure that the system that you're modeling is a
`system running good programs, not bad programs?
` A. That's right, although the -- otherwise the
`baseline of normal behavior would include both
`behaviors from good software as well as behaviors
`from bad software.
` Q. Sure. And when you're creating this
`anomaly detector and your goal was to model how the
`system is behaving when good programs are running on
`it, as part of that you would or you can define what
`you believe are good programs; correct?
` A. No. Typically, you would install an
`anomaly detector on a computer system and allow it
`
`11:02:09
`11:02:12
`11:02:18
`11:02:20
`11:02:25
`11:02:27
`11:02:31
`11:02:31
`11:02:37
`11:02:40
`11:02:44
`11:02:47
`11:02:49
`11:02:51
`11:02:54
`11:02:55
`11:03:00
`11:03:03
`11:03:07
`11:03:13
`11:03:17
`11:03:19
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-14-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`HIGHLY CONFIDENTIAL - ATTORNEYS' EYES ONLY
`CAREY NACHENBERG, 30(b)(6) - 9/26/2014
`
`Page 99
`
`1
`2
`3
`
`to run with the hope that the system didn't have any
`malicious software on it that would taint, you know,
`taint the definition of normal.
`
`11:03:21
`11:03:23
`11:03:25
`
`Merrill Corporation
`800-826-0277
`www.deposition.com/southern-california.htm
`
`-15-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
`
`
`
`!(\J
`
`HIGHLY CONFIDENTIAL - ATTORNEYS‘ EYES ONLY
`
`CAREY NACHENBERG, 30(b)(6)
`
`- 9/26/2014
`
`Page 328
`
`STATE OF CALIFORNIA
`
`COUNTY OF LOS ANGELES
`
`I, Philip D. Norris, a Certified Shorthand
`
`Reporter for the State of California, do hereby
`
`certify:
`
`I am the deposition officer that
`
`stenographically recorded the testimony in the
`
`foregoing deposition;
`
`Prior to being examined the deponent was
`
`first duly sworn by me;
`
`The foregoing transcript is a true record
`
`of the testimony given;
`
`Before completion of the deposition,
`
`review
`
`of the transcript
`
`[ x ] was
`
`[
`
`] was not requested.
`
`If requested, any changes made by the deponent
`
`(and
`
`provided to the reporter) during the period allowed
`
`are appended.
`
`Dated
`
`5”» 80”.’
`
`Philip D. Norris
`CSR NO. 4980
`
`800-8E§fl8&flgaEx;2010
`_
`.
`-16-
`.
`Merrill Corporation I
`www.deposit1on.com/southern-California.htm
`_
`Symantec V. Columbla
`IPR2015-00375
`
`-16-
`
`Columbia Ex. 2010
`Symantec v. Columbia
`IPR2015-00375
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
