Blog posts by Christopher Schuetze

Preparation Is Key: Where Prevention Ends, and Business Continuity and Incident Response Management Begins

Ensuring the availability of processes and services in the event of an incident or a cyber attack is a fundamental part of a company’s cybersecurity approach. Commonly used phrases when it comes to such cybersecurity strategies, are Incident Response Management (IRM) and Business Continuity Management (BCM). Both should be part of a company's cybersecurity strategy, but what is the difference, how are they connected, and at what point in time do they start?

Identification and prevention are fundamental

Every organization is under attack, and there is the risk of being hit by a major attack at any time. Therefore, it is important to have the necessary plans and strategies in place. And to do that, you first need to know where your most critical risks are. Figure 1 shows what this process usually looks like, and that IRM and BCM should start in the “Respond & Recover” phase.


Figure 1: The integrated process for a company's cybersecurity approach

There are processes that are unique to the “Prevent” phase. A company’s IT Risk Management team should identify and rate risks company-wide as part of the Corporate Risk Management process in order to understand them. Prevention mechanisms for the highly rated risks should be implemented by the IT Security Operations & Configuration team. Current threats that are shared by vendors or have been identified in actual breaches are typically fixed by the Computer Emergency Response Team (CERT), for instance through the installation of patches or hotfixes. The goal in the prevention phase is to prevent attacks and to continually learn about new attack vectors.

Detection may only happen months after the attack

In the “Detection” phase, the Cyber Defense Center (CDC) actively monitors current and historical log files and correlates information to detect potential attacks or data breaches that may have been missed by the mechanisms used by the CERT and the IT Security Operations team. If the CDC detects an anomaly, it starts an in-depth analysis. If an incident is verified, it is handed over to the Incident Response Management and Business Continuity Management teams, and the “Respond & Recover” phase begins.

It is essential for a company to Respond & Recover after an attack

The first step is to rate the criticality of the incident and to collect more details about the attack to inform further action. At this point two parallel streams jump into action: the Incident Response Management (IRM) stream and the Business Continuity Management (BCM) stream.

IRM is responsible for mitigating the effects of the attack. After the initial evaluation, a team of experts is usually formed to collect and evaluate further forensic details. Affected systems are isolated; in the event of data loss, the loss is assessed and recovery measures are initiated to return to normal operations. Internal and external communication is also an important part of IRM. Especially in the case of a data breach, information must be forwarded to the relevant data protection supervisory authority, depending on the country.

Business Continuity Management, in turn, takes care of the continued availability of business functions in the event of a system failure or loss of data. In the case of a data breach, for example, this can be the restoration of backups, which means that the creation of regular backups must already be part of the BCM strategy. In the case of a ransomware attack, alternative systems or devices can be provided or, in the worst case, business operations can even be switched to manual, analog processes. BCM is always only a temporary measure for emergencies.

Use the knowledge after an attack to improve your security

To ensure that a company improves its security in the long term and that incidents with the same cause cannot recur, regular review and improvement after an incident is necessary.

What can a company do to sustainably improve security?

Clearly, a company must invest in a process for Incident Response Management and be prepared for an attack. If an incident occurs, it is too late to deal with “who is responsible for what” and “who needs to be informed”. The same applies to Business Continuity Management: once data is lost or no longer accessible, it is too late to worry about data backups or a plan B.

A good point to start could be KuppingerCole’s Master Class about Incident Response Management, which also covers some topics of Business Continuity Management. Meeting, networking, and discussing topics like BCM with peers will be possible at EIC 2020, May 12th to 15th, in Munich.

KuppingerCole is specialized in offering advisory services for cybersecurity, artificial intelligence, and identity and access management. If your company needs assistance finding the right toolset, architecture or what to focus on, KuppingerCole Analysts is happy to support you.


Top 5 Recommendations for Reducing Cyber Risks in 2020

The turn of the year has been an occasion for many cybersecurity news outlets to talk about trends and challenges in cybersecurity. Knowing the trends and challenges is important, but we want to give you some hands-on recommendations to increase security for your company. Of course, the following recommendations are just a selection out of many possible measures. We are happy to discuss the implications for your concrete business model with you in more detail.

1. Beyond detect, prevent, respond: recovery & Incident Response Management

While AI helps in increasing cyberattack resilience, there is one more thing to look at: recovery. Every organization is under attack, and there is the risk of being hit by a major attack at some time. The most important things then are, in that order: recover your IT, at least its core functions, to become operational again. The time window for a business to survive a severe attack can be very short, sometimes in the range of very, very few days. Be able to recover, and integrate your cybersecurity efforts with Business Continuity Management. The second thing to do is to prepare for communication and resolution: Incident Response Management. This must be prepared in advance; thinking about it once the disaster has occurred will be too late. Join the brand-new KC Master Class Incident Response Management starting on February 18 to learn how to define an incident response strategy to protect your company.

2. Define your Identity & Security Fabric for serving both agility & security

Beyond API Security, you need to ensure that your IT can serve the needs of the teams creating the new digital services. That is all about agility and time-to-value. You need to provide consistent, easy-to-use identity and security services via APIs. It is time to build your Identity & Security Fabric that serves both the digital services and the need for managing and protecting your legacy IT.

3. Go Adaptive Authentication

Put Adaptive Authentication and Passwordless Authentication at the top of your to-do list. Everything you change or add around authentication must fit these paradigms. Build a central authentication platform, and ensure that you can also work seamlessly with other Identity Providers (IdPs) and understand the authentication assurance level they provide.

4. Build on Managed SOC & SOC as a Service

It is hard to run your own SOC. Look for managed services or SOC as a Service; there are many providers out there already. While it is hard to build and run your own SOC independently, despite all technology improvements, it is not that hard to find a strong partner to support you.

5. Define your IIoT and OT security approach - together

The biggest challenge in IIoT and OT security is understanding and accepting each other. IT Security and OT Security face different challenges, starting with the difference between security and safety. Thus, to make progress, it is essential to find a common understanding of targets, terminology and requirements, and to understand that both sides can contribute to better solutions. It is about people and organization first, then technology.

There would be many more recommendations to give, beyond the five key challenges, the top technology trends, and the related recommendations. Let me look at just three more:

1. PAM: Implement a strong PAM for the future

PAM (Privileged Access Management) remains a central technology, not only for identity but also for cybersecurity – it sits somewhere in the middle. You need a strong PAM, and PAM is evolving beyond the traditional PAM into areas such as PAM for DevOps and cloud-integrated PAM. Understand what you need and ensure that you have a strong PAM in place for the future. For a deeper understanding, join the KC Master Class PAM for the 2020s.

2. Portfolio Management: the right tools, not many tools

As indicated at the beginning: tools don’t help if they are not supported by people, organization, policies, and processes. And many tools don’t help more than a good selection of the right tools. Given that budgets are limited, picking the right portfolio is essential. Understand which tools really help in mitigating which risks, and redefine your portfolio, focusing on the tools that really help you mitigate risks. KuppingerCole’s Portfolio Compass provides a proven methodology for optimizing your cybersecurity tools portfolio.

3. C-SCRM: Understand and manage the risks of your Cybersecurity Supply Chain

Finally, there is a new theme to look at closely: C-SCRM, or Cybersecurity Supply Chain Risk Management. This covers both the hardware and software (including cloud services) you procure and the suppliers that might affect your security posture. Pick up this topic with well-thought-out supplier (cyber) risk management at all levels. For a start, check out this blog post, which looks at why C-SCRM is becoming essential for your digital business.

There would be far more information to provide. The good news is: While challenges are increasing, there are ways to keep a grip on the risk. Focus on the major risks, focus your investments, and work with the experts as well as your peers. A good place to meet your peers will be EIC 2020, May 12th to 15th, in Munich.


Quantum Computing and Data Security - Pandora's Box or a Good Opportunity?

Not many people had heard of Schroedinger's cat before the CBS series "The Big Bang Theory" came out. Dr. Sheldon Cooper used this thought experiment to explain to Penny the state of her relationship with Leonard. It could be good and bad at the same time, but you can't be sure until you've started (opened) the relationship.

Admittedly, this is a somewhat simplified version of Schroedinger's thoughts by the authors of the series, but his original idea behind it is still relevant 100 years later. Schroedinger considered the following: "If you put a cat and a poison, which is randomly effective in time, into a box and seal it, as an observer you cannot tell whether the cat is alive or not. Therefore, it will be both until someone opens the box and checks.”

Superposition states lead to parallel calculations

This is a metaphor for superposition as it applies to quantum mechanics. One quantum bit (the cat) can be in several states at the same time and is therefore fundamentally different from the classical on/off or 0/1 representation in today's computer science, which is based on classical physical laws. Because of these superposition states, computing operations can also be performed in parallel according to the laws of quantum mechanics, which shortens the time needed for complex calculations. Google announced a few months ago that they have managed to build a quantum computer with 53 qubits, capable of handling computations much faster than current supercomputers can; it can solve a selected problem in 3 minutes instead of 10,000 years, for example.

The way we encrypt and decrypt data today is in danger

This is precisely where the danger for our current IT lies. Almost all encryption of data at rest and in transit is based on complex calculations that can only be reversed efficiently with the right "key". If quantum computers become able to perform these calculations efficiently, our current security concept for data collapses entirely.

Moreover, it would also have a massive impact on cryptocurrencies. Their added value is based on complex calculations in the blockchain, which require a certain amount of computing power. If these could suddenly be done in milliseconds, this market would also become obsolete overnight.

Quantum-based calculations offer a lot of potential

Of course, quantum computing also has advantages, because the biggest disadvantage (as it stands today) is also the biggest advantage: complex calculations can be completed in a very short time. Everything that depends on many variables and parameters could be calculated efficiently and with a realistic forecast. Good examples are environmental events and weather forecasts. These depend on an extremely large number of variables and are currently predicted using approximate algorithms rather than exact calculation. The same applies to traffic data. Cities or navigation systems could use all parameters, calculate the perfect route for each participant, and adjust traffic signal timing if necessary. This is a dream come true from an environmental and traffic planning perspective: fewer traffic jams, fewer emissions and faster progress.

We need to change the way we encrypt

But what remains, despite all the enthusiasm for the potential, is a bitter aftertaste regarding the security of data. However, scientists are already working on this as well, developing new algorithms based on other paradigms. For example, instead of today's private keys, an encryption based on the value system itself can be defined: if the algorithm does not know what value the number 4 really represents, it cannot decipher it easily. The key to the encryption is then the underlying coordinate system. Future algorithms that make use of artificial intelligence will emerge, and of course there are also considerations on how to use quantum computing itself for encryption.


In the end, quantum computing is just one more step towards more efficient computers, which might be replaced by artificial brains in another 100 years, bringing mankind another step forward in technology.


Benchmarking Cybersecurity Environments

Addressing cybersecurity within a company often occurs in response to an incident that impacts the business’ operations. A cyber incident could be a data breach or the malicious disclosure of internal information to the public. Ideally, a company starts thinking about cybersecurity before it is forced to act by an incident. One way to prepare for a cyber incident is an internal or external benchmarking of the cybersecurity landscape.

What to expect from a benchmarking exercise

To ensure that a benchmarking exercise offers real value to the company, its expectations and outcomes should be clearly defined. An initial step should be to establish a standardized process that allows the company to repeat the exercise and to measure improvements. Benchmarking should provide an indication of whether the current environment is ready for a future cyber incident or not. Being ready means having an open architecture that uses standards and is extensible. But it is not sufficient for a company to look only at technological aspects; the benchmarking exercise should also provide deeper insight into organizational topics. Every assessment should show whether there are organizational gaps and help to create a roadmap to close them soon.

Benchmarking should focus on technology and organization

From our experience, discussions between KuppingerCole representatives and the many relevant stakeholders within an organization improve the quality of the resulting benchmark. Stakeholders range from architects, managers, developers and (internal) customers up to the C-level, because they all have different perspectives on cybersecurity and different requirements that need to be reconciled. Bringing the varied stakeholders together means discussing the various areas of the company. Usually we use our 12 categories for that - 6 organizational aspects and 6 technological aspects.

Focusing on these areas ensures that cybersecurity is viewed end to end and that gaps within a single area or across multiple areas can be discovered.

Collect information, compare, and define concrete measures

Once the relevant areas for the benchmark are known, the next step is to collect the information. Various documents and guidelines have to be evaluated, and many interviews with teams and stakeholders must be carried out. The best result is achieved with a set of good questions covering the various areas, answered by different people, so that the answers can be rated per category.

A graphical visualization as a spider graph allows an easy and fast overview of strengths and weaknesses. One goal of the benchmarking exercise is to create comparable results. Comparisons can be made with peers, between maturity levels, or with earlier benchmarking results. Quality comparative data is quite difficult to generate internally, so external support is recommended.

Understand the result and define a roadmap

The spider graph and the documented benchmark give good insight into the weaknesses of a company. In this example the company has weaknesses in Network Security, Application Security and Risk Management, so the next step should be to prioritize the open topics in those areas. This company should take a deeper look at what is missing and what needs to be improved, while also considering future requirements. Doing this allows a company to create both a general and a detailed roadmap for planning the next steps to improve its cybersecurity.

Benchmarking the cybersecurity landscape is a complex process, and it is difficult to define internally a metric against which you can compare yourself. If you want to benefit from the experience and knowledge of KuppingerCole, our methodology, and our comparative data, feel free to ask for assistance. We can support you!

Cyber-Attacks: Why Preparing to Fail Is the Best You Can Do

Nowadays, it seems that no month goes by without a large cyber-attack on a company becoming public. Usually, these attacks affect not only the revenue of the attacked company but its reputation as well. Nevertheless, this is still a completely underestimated topic in some companies. In the United Kingdom, 43% of businesses experienced a cybersecurity breach in the past twelve months, according to the 2018 UK Cyber Security Breaches Survey. On the other hand, 74% say that cybersecurity is a high priority for them. So where is the gap, and why does it exist? The gap lies between the decision to prioritize cybersecurity and the reality of handling cyber incidents. It is critical to have a well-prepared plan, because cyber incidents will happen to you. Only 27% of UK businesses have a formal cyber incident management process. Does your company have one?

How do cyber-attacks affect your business?

To understand the need for a formal process and the potential threats, a company must be aware of the impact an incident could have. It could lead to damage to or loss of customers, or in the worst case to the insolvency of the whole company. In many publicly known data breaches, like the ones Facebook or PlayStation Network had, the companies needed significant time to recover. Some would say they still haven’t recovered. The loss of brand image, reputation and trust can be enormous. To prevent your company from experiencing such critical issues and to be able to handle incidents in a reasonable way, a good cyber incident plan must be implemented.

The characteristics of a good plan for cyber incidents

Such a plan should describe the processes, actions and steps that must be taken after a cyber-attack. The first step is categorization, which is essential to handle an incident in a well-defined way. If an incident is identified, it must be clear who will be contacted to react to it. This person or team is then responsible for categorizing the incident and estimating the impact for the company.

The next step is to identify in detail which data has been compromised and what immediate actions can be taken to limit the damage. Subsequently, the plan must describe how to contact the staff needed and what they must do to prevent further harm and to recover. Responsibilities have to be allocated clearly to prevent a duplication of efforts when time is short. In a recent webinar, KuppingerCole Principal Analyst Martin Kuppinger made the point that IT teams responsible for cybersecurity should shift their focus from protection to recovery. While a lot of cybersecurity investment nowadays still goes into protection, this is no longer enough. “You need to be able to restart your business and critical services rapidly,” Martin explained.

Cyber-attacks are not an IT-only job

Apart from the necessary actions described above, which will be executed by IT and cybersecurity professionals, a process must be defined that lays out how corporate communications deals with an attack. In big companies there is an explicit top-down information chain. If a grave cyber-attack occurs, the Chief Communications Officer (CCO) has to be informed. Imagine the CCO being called by a journalist in the morning without knowing anything about the incident. This puts the company in a weak position where it loses control over crisis communication. Depending on the severity of the incident, a press release must be sent out and customers must be informed. It is always better when companies are confident and show the public that they care, instead of waiting until public pressure urges them to act.

Can companies deal with cybercrime all by themselves?

When personal user data is compromised, cyber-attacks can have legal consequences. Then it is wise to consult internal or external lawyers. External support from dedicated experts for specific kinds of cyber incidents is usually part of an action plan, too. To react as quickly as possible, a list of experts for external support, categorized by topic, should be created, containing contact persons and their availability.

Since cyber-attacks can never be entirely prevented, it is of utmost importance to have a plan and to know exactly how to react. This can prevent many of the mistakes that are often made after an incident has already been identified. In the end, it can prevent the company from losing customer confidence and revenue.

To understand and learn this process, to build necessary awareness and know how to deal with cybercrime in detail, you can attend our Incident Response Boot Camp on November 12 in Berlin.
