According to the Ponemon Institute - cyber incidents that take over 30 days to contain cost $1m more than those contained within 30 days. However, less than 25% of organizations surveyed globally say that their organization has a coordinated incident response plan in place. In the UK, only 13% of businesses have an incident management process in place according to a government report. This appears to show a shocking lack of preparedness since it is when not if your organization will be the target of a cyber-attack.

Last week on January 24th I attended a demonstration of IBM’s new C-TOC (Cyber Tactical Operations Centre) in London. The C-TOC is an incident response centre housed in an 18-wheel truck. It can be deployed in a wide range of environments, with self-sustaining power, an on-board data centre and cellular communications to provide a sterile environment for cyber incident response. It is designed to provide companies with immersion training in high pressure cyber-attack simulations to help them to prepare for and to improve their response to these kinds of incidents.

The key to managing incidents is preparation. There are 3 phases to a cyber incident, these are the events that led up to the incident, the incident itself and what happens after the incident. Prior to the incident the victim may have missed opportunities to prevent it. When the incident occurs, the victim needs to detect what is happening, to manage and contain its effects. After the incident the victim needs to respond in a way that not only manages the cyber related aspects but also deals with potential customer issues as well as reputational damage.

Prevention is always better than cure, so it is important to continuously improve you organization’s security posture, but you still need to be prepared to deal with an incident when it occurs.

The so-called Y2K (Millenium) bug is an example of an incident that was so well managed some people believe it was a myth. In fact, I like many other IT professionals, spent the turn of the century in a bunker ready to help any organization experiencing this problem. However, I am glad to say that the biggest problem that I met was when I returned to my hotel the next morning, I had to climb six flights of stairs because the lifts had been disabled as a precaution. There were many pieces of software that contained the error and it was only through the recognition of the problem, rigorous preparation to remove the bug as well as planning to deal with it where it arose that major problems were averted.

In the IBM C-TOC I participated in cyber response challenge involving a fictitious international financial services organization called “Bane and Ox”. This organization has a cyber security team and so called “Fusion Centre” to manage cyber security incident response. This exercise started with an HR Onboarding briefing welcoming me into the team.

We then were then taken through an unfolding cyber incident and asked to respond to the events as they occurred with phone calls from the press, attempts to steal money via emails exploiting the situation, a ransom demand, physical danger to employees, customers claiming that their money is being stolen, a data leak and an attack on the bank’s ATMs. I then underwent a TV interview about the bank’s response to the event with hostile questioning by the news reporter, not a pleasant experience!

According to IBM, organizations need a clear statement of the “Commander’s Intent”. This is needed to ensure that everyone works together towards a common goal that everyone can understand when under pressure and making difficult decisions. IBM gave the example that the D Day Commander’s Intent statement was “Take the beach”.

The next priority is to collect information. “The first call is the most important”. Whether it is from the press, a customer or an employee. You need to get the details, check the details and determine the credibility of the source.

You then need to implement a process to resolve where the problems lie and to take corrective action as well as to inform regulators and other people as necessary. This is not easy unless you have planned and prepared in advance. Everyone needs to know what they must do, and management cover is essential to ensure that resources and budget are available as needed. It may also be necessary to enable deviation from normal business processes.

Given the previously mentioned statistics on organizational preparedness for cyber incidents, many organizations need to take urgent action. The preparation needed involves the many parts of the organization not just IT, it must be supported at the board level and involve senior management. Sometimes the response will require faster decision making with the ability to bypass normal processes - only senior management can ensure that this is possible. An effective response need planning, preparation and above all practice.

KuppingerCole advice:

• Obtain board level sponsorship for your incident response approach;
• Identify the team of people / roles that must be involved in responding to an incident;
• Ensure that it is clear what constitutes an incident and who can invoke the response plan;
• Make sure that you can contact the people involved when you need to;
• You will need external help – set up the agreement for this before you need it;
• Planning, preparation and practice can avoid pain and prosecution;
• Practice, practice and practice again.

KuppingerCole Advisory Note: GRC Reference Architecture – 72582 provides some advice on this area.

This week I had an opportunity to visit the city of Tel Aviv, Israel to attend one of the Microsoft Ignite | The Tour events the company is organizing to bring the latest information about their new products and technologies closer to IT professionals around the world. Granted, the Tour includes other cities closer to home as well, but the one in Tel Aviv was supposed to have an especially strong focus on security and the weather in January is so warm, so here I was!

I do have to confess however that the first day was somewhat boring– although I could imagine that around 2000 visitors were enjoying the show, for me as an analyst most of the information presented in sessions wasn’t really that new. But on the second day, we have visited the Microsoft Israel Development Center in nearby Herzliya and had a chance to talk directly to people leading the development of some of the most interesting products from Microsoft’s security portfolio.

At this moment some readers would probably ask me: wait a minute, are you suggesting that Microsoft is really a security vendor, let alone the best one? Well, that’s where it starts getting interesting! In one of the sessions, the speaker made a strong point for the notion of “good enough security”, explaining that most end-user companies do not really need the best of breed security products, because they’ll eventually end up with a massive number of disjointed tools that need to be managed separately.

Not only does it further increase the complexity of your corporate IT infrastructure that is already complex enough without security; these disconnected tools fail to deliver a unified view into everything happening within it and thus are unable to detect the most advanced cyber threats. Instead, he argued, a perfectly integrated solution covering multiple areas of cybersecurity would be more beneficial for most, even if it’s not the best of breed in individual areas. And who was the best opportunity to offer such an integrated solution? Well, Microsoft of course, given their leading positions in several key markets like on endpoints with Windows, in the cloud with Azure and, of course, in the workplace with Office 365.

Now, I’m not sure I like the term “good enough security” and I definitely do not believe that market domination in one area automatically translates into better opportunities in others, but there is actually a grain of truth behind this bold claim. First of all, being present on so many endpoints, cloud computers, mail servers, and other connected systems, Microsoft is able to collect vast amounts of telemetry data that end up in their Intelligent Security Graph – a single database of security events that can provide security insights and threat intelligence.

Second, even though many people still do not realize it, Microsoft has been a proper security vendor for quite some time already. Even though the company was a late starter in many areas, they are quickly closing the gaps in areas like Endpoint Protection or Cloud Security and in others, like Information Protection, they are already ahead of competitors. In recent years, the company has acquired a number of security startups, primarily here in Israel, and making these new products work together seamlessly has been one of their top priorities. This will certainly not happen overnight but talking to the actual developers gave me a strong impression of their motivation and commitment.

Now, Microsoft has an interesting history of working hard for years to win a completely new market, with impressive successes (like Azure or Xbox) and spectacular failures (remember Windows Mobile?). It seems also that technology excellence plays less of a role here than quality marketing. Unfortunately, this is where the company is still falling short – for example, how many potential customers are even considering Windows Defender Advanced Threat Protection for a shortlist of EDR solutions? Do they even know that Windows Defender is a full-featured EPP/EDR solution and not just a basic antivirus it used to be?

It seems to me that the company is still exploring their marketing strategy, judging by the number of new product names and licensing changes I’ve seen during the last year. We’re down to 4 product lines now, but I really wish they’d choose one name and stick to it. In the end, do I think that Microsoft is the best security vendor of them all? Of course not, they still have a very long way to go towards that, and there is no such thing as the single “best” security vendor anyway. But they are definitely already beyond the “good enough” stage.

Last week I attended the Oracle Open World Europe 2019 in London. At this event Andrew Sutherland VP of technology told us that security was one of the main reasons why customers were choosing the Oracle autonomous database. This is interesting for two reasons firstly it shows that security is now top of mind amongst the buyers of IT systems and secondly that buyers have more faith in technology than their own efforts.

The first of these reasons is not surprising. The number of large data breaches disclosed by organizations continues to grow and enterprise databases contain the most valuable data. The emerging laws mandating data breach disclosure, such as GDPR, have made it more difficult for organizations to withhold information when they are breached. Being in a position of responsibility when your organization suffers a data breach is not a career enhancing event.

The second reason takes me back to the 1980s when I was working in the Knowledge Engineering Group in ICL. This group was working as part of the UK Government sponsored Alvey Programme which was created in response to the Japanese report on 5th generation computing. This programme had a focus on Intelligent Knowledge Based Systems (IKBS) and Artificial Intelligence (AI). One of the most successful products from this group was VCMS a performance advisor for the ICL mainframe. This was commercially very successful with a large uptake in the VME customer base. However, one interesting observation was that it boosted customers to upgrade their mainframes. It became apparent that the buyers of these systems were more ready to accept the advice from VCMS than from the customer service representatives.

From an AI point of view managing computer systems is relatively easy. This is because computer systems are deterministic, and their behaviour can be described using rules. These rules may be complex and there may be a wide range of circumstances that need to be considered. However, given the volume of metered data available and the rules an AI system can usually make a good job of optimizing performance. Computer systems manufacturers also have the knowledge needed.

That is not to diminish the remarkable achievements by Oracle to make their database systems autonomous. Mark Hurd, CEO of Oracle (who had to present via a satellite link because he had been unable to renew his passport because of the US government shutdown) described how the Net Suite team had spent 15 years creating 9,000 specialized table indexes for performance. The autonomous database created 6,000 indexes in a short time, and which improved performance by 7%.

Oracle’s strategy for AI extends beyond the autonomous database. Melissa Boxer, VP Fusion Adaptive Intelligence, described how Oracle Adaptive Intelligent Apps (Oracle AI Apps) provide a suite of prebuilt AI and data-driven across Customer Experience (CX), Human Capital Management (HCM), Enterprise Resource Planning (ERP), and Manufacturing. These use a shared data model to provide Adaptive Intelligence and Machine Learning across all the different pillars. They include a personalized user experience OAUX and intelligent chat bots.

So, to return to the original question – can Autonomous Systems (as defined by Oracle) improve security posture? In my opinion the answer is both yes and no. The benefits of autonomous systems are that they can automatically incorporate patches and implement best practice configuration. Since many data breaches stem from these areas this is a good thing. They can also automatically tune themselves to optimize performance for an individual customer’s workload and, since they discover what is normal, they can potentially identify abnormal activity.

The challenge is that AI technology is not yet able to defend against adversarial activity. Machine Learning is only as good as its training and, at the current state of the art, it is does not provide good explanations for the conclusions reached. This means that sometimes, the learnt behavior contains flaws that can be exploited by a malicious agent to trick the system into the wrong conclusions. Given that cyber crime is an arms race and we must assume that the cyber adversaries are working with the same technology we must assume that this will be deployed against us as well as for us.

For security – AI can help to avoid the simple mistakes – to defend against a concerted attack still needs a human in the loop.

2019 started off with a very noteworthy acquisition in the identity and security space: the purchase of Janrain by Akamai. Janrain is a top vendor in the Consumer Identity market, as recognized in our recent Leadership Compass: https://www.kuppingercole.com/report/lc79059. Portland, OR-based Janrain provides strong CIAM functionality delivered as SaaS for a large number of Global 2000 clients. Boston-based Akamai has a long history of providing web acceleration and content delivery services. Last year, they entered into a partnership whereby Akamai provided network layer protection for Janrain assets.

Akamai has lately been focusing on increasing its market share of web security services in order to grow revenue. This acquisition will add identity layer functionality and increase visibility for the infrastructure company.

New account fraud and account takeover fraud are two of the chief concerns that companies in many industries, particularly finance and retail, must guard against. Bot management has been one of Akamai’s fastest growing services. The further integration of Akamai’s threat intelligence capabilities with Janrain’s CIAM solution has the potential to enhance consumer security for their clients.

As with all such acquisitions, there are two major possible routes their combined service roadmap can take:

1. Integrate Janrain's CIAM functionality into Akamai services in a purely supportive way, or
2. Integrate Janrain's CIAM functionality into Akamai services while continuing to promote and sell the CIAM services as a standalone solution

In many cases, purchasers in the IT business take the first option. The second option is more difficult to execute, but often offers a better long-term investment for both the purchaser and their clients. Akamai has a defined, well thought-out plan to pursue option 2, to extend the Janrain solution and continue to market it as a CIAM SaaS branded under Akamai.

Given the size of the CIAM market, KuppingerCole expects to see additional M&A activity as well new entrants in this space in the next 12-18 months. Keep up to date with the latest developments and research in cybersecurity and identity management by watching our blog: https://www.kuppingercole.com/blog.

It wasn't too long ago that discussions and meetings on the subject of digitization and consumer identity access management (CIAM) in an international environment became more and more controversial when it came to privacy and the personal rights of customers, employees and users. Back then the regulations and legal requirements in Europe were difficult to communicate, and especially the former German data protection law has always been belittled as exaggerated or unrealistic.

However, in the past three years, during which I have given many talks, workshops and advisory sessions on the subject of the European General Data Protection Regulation (EU-GDPR), perception has shifted. Many companies, especially large ones, have adopted the concepts of privacy, data security and data protection and have embraced the principles behind them.

Of course, this is especially true for European and German companies, as the implementation phase of the GDPR is finally over since the end of May 2018 and the GDPR and its obligations are fully effective and enforceable. This also includes the applicability to all companies processing data of European citizens. Thus, this important milestone of data protection regulation has had considerable effects on international enterprises as well, in particular on large US companies.

I myself, as a consumer, an online services user and a customer, have in the meantime perceived the first positive changes toward a new appreciation of trust and respect as the basis of a customer-supplier relationship (instead of “Hands up, give me all your personal data” as before). That went hand-in-hand with the desire and the expectation that the GDPR as a precedent could also act as a role model.

This is exactly what's happening right now. The first important example is the California Consumer Privacy Act (CCPA). The CCPA was passed at the end of June 2018 and will come into force on January 1, 2020, with actual implementation scheduled to begin sometime between January 1, 2020 and July 1, 2020.

CCPA is surely no 1:1 copy of the GDPR, for it it is considerably slimmer, a little more readable, leaves out some central demands of the GDPR and surely benefits from the experiences that have already been made elsewhere.

One thing is obvious: This puts companies in California and the US in a situation comparable to that in which EU companies were at the beginning of the implementation period, May 25, 2015. Those who have already adjusted their business to accommodate the GDPR probably might be better off, because they only have to deal with the differences between the requirements of GDPR and CCPA. Those enterprises, to which the GDPR was perhaps too "far away", must deal now with the requirements of their national legislation and initiate profound changes in their systems, processes and their organization...

If CCPA is relevant for you, right now is exactly the right time to embark on this journey.

Beware, this is where the promotional section of this blog post kicks in: Wouldn't it be good if you were able to draw on the experience of an international analyst company with extensive experience in this area? With a local team in the US that has international experience in handling personally identifiable information (PII) from customers, consumers, employees and citizens? That has been incorporating privacy, security and trust into the design of complex (C)IAM systems for years? Do you want to be prepared for the implementation of the CCPA? Do you want to meet the GDPR and CCPA requirements in equal measure and define a strategic path for implementation? Then get in touch with us to have a first chat with our US team.