Event Recording

Dr. Andreas Knäbchen - The Cyber Paradox

Log in and watch the full video!

Keynote at the European Identity & Cloud Conference 2014

May 13-16, 2014 at Munich, Germany

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Thank you, Andrew for the warm welcome. Good afternoon, ladies and gentlemen, let's get back to work. Let's now focus on our playing field enterprise security. I will discuss a couple of challenges and solutions. Finally, I will offer you a free gift. So stay tuned. I would like to start with a rhetoric question. We all agree on. Does cybersecurity matter for enterprises? Yes, of course this. Despite the ambiguity of secret services, I like a statement given by robot Miller director, FBI, he said back in 2012, I am convinced that there are only two types of companies. Those that have been hacked and those that will be, and even they are converging into one category companies that have been hacked and will be hacked again. So why are enterprises such an easy prey? Surprisingly global cyberspace has proved resilience to resilient to disruption. So far, Martin Kuppinger will, will argue with me, but we haven't seen frequent airplane crashes. We haven't seen massive interruptions of power supply. So why are attacks against enterprises so successful? There is one obvious reason. The attacker Haitian has an edge over the defender. The attacker needs to find one weakness. At one point in time, the defender needs to protect all vulnerabilities forever.
It's like a penalty kick. The goalkeeper does know where the ball will hit upper right angle, lower left angle. You might disagreement with me and argue and experienced. Goalkeeper will anticipate where the ball hits. So we need to ask ourself what causes resistance to improving cybersecurity. The answer is the cyber paradox. On the one hand, security is high in the media and senior management is exposed to it. As professor push that overload of information. On the other hand, providing structured actionable information to management gets increasingly harder. I give you a simple example. Imagine a senior manager at breakfast. He reads the news, the newspaper reports on hacked email accounts, similar to the massive incident we faced in Germany a couple of weeks ago. What does it mean to him? Nothing. He can't take a decision on it. He doesn't know whether to improve his security organization or to buy some of defensive products that we can look at at the fair upstairs. The paradox does not only apply to senior management, but also to business HR legal compliance, cyber is not only a technical issue. It involves many business functions. So how to resolve the cyber paradox.
There are two parts to the answer. First use credible sources of information to engage senior management, second implement defense measures that are appropriate for your risk environment. In a nutshell first, be aware of latest risk. Second prepare to be robust. What are credible sources of information? I will give you three examples. All of them is common that say not only provide road data on incidences, let's say provide pre-processed aggregated information, which focuses on the, so what world economic forum, its annual risk report discusses global risks. In general, you might wonder what the top two technology risks look like first escalation in large scale, cyber attacks, second breakdown of critical information, infrastructure and networks, three massive incident of data fraud and data theft. So cyber risks are much more prominent than other technology risks like nuclear power Biosciences or nanotechnology. Why does this report work so well with senior management? So a couple of differentiating factors to start with its input from business leaders, for business leader. So it's credible. Then it provides a correlation among different global risks. There are 31 global risks in total. Martin mentioned supply chain, risks, manufacturing companies care foremost about supply chain stability sets a primary risk.
So these guys are interested in understanding what or how cyber can impact supply chains. And they will find an answer in this report. Finally, the report discusses development over time in scenarios. So how does the world, may the world look like in 10 years from now, that's important information to decide on investments. One of the three scenarios of this report deals with cyber dis fact alone, underpins importance of our topic. Let me get to a second example. Quantum Dawn is the code name for an exercise in the financial services. This exercise simulates attacks to disrupt the us equities market. The rehearsal is intentionally designed to close the market. At the end of the exercise, the exercise haul in 2013 involved about 500 people from 50 organizations ranging from banks to brokers, asset management firms to governmental agencies. Of course it provided a wealth of information about weaknesses and strengths and recommendations to senior management. These recommendations include topics like incidents, response, risk management, and information sharing information sharing brings me to the next slide. Information sharing is best done among peers. And indeed there are many more or less formalized working groups. When I talk about information sharing, I mean, discussions, discussions about threat landscape, specific issues or good practices,
A couple of examples on working groups, the German federal police runs the global player initiative. This initiative engages about 50 mid-sized and large German companies. It's by invitation only the third EU kicked off an initiative with about 10 participants currently. So you see there are various levels of interaction and trust the small or a group that more opens the discussion, but what it's key to select maybe one or two working groups that provide useful information to you, the right information at the right level of detail. Once senior management is now engaged, you are ready to take tangible defense measures. Let, let me give you three examples. Two of them are rather new developments.
Cyber simulation is about rehearsing incidents response in an enterprise. You do it with a cross-functional team, with management, with it, with security, public relations. There are various levels of intensity. You can start with a small out of the box simulation or you run customized exercises, taking your specific environment and your it into account. Anyway, cyber simulations have a great advantage. They provide you a status about your cyber preparedness areas, which are doing well in areas with need to action. If you just collect your action items, you can start working on them right after the exercise. In this sense, a cyber simulation is a powerful alternative to the traditional approach as is analysis to be modeling roadmap development. Let me come to another measure. We are all familiar with security operation centers. They use tons of data provided by DLP, by IDs, by networks away systems. They deal effectively with simple cyber incidences. However they haven't familiar disadvantage. They often fail to detect advanced threats in near real time. Leading organizations are addressing the challenge of making security data action enabled by management. A metered sock is just about this. It's about analyzing data, the discovery of hidden patterns, intergeneration of management input.
Interestingly, almost all building blocks are already there. We have got the hardware. We have got the analytics software. We have got visualization software and we have got the performance except for one critical increment. That's that scenarios scenarios. Tell us what to look for, how to correlate data from various sources. And how does the signature of an evolving attack looks like this is still work in progress. And I'm personally very excited about what's coming up in the next few years, finally, identity and access management. You may argue with me back to basics. I personally call it an evergreen I identity and access management is inventing reinventing itself again and again, for the sake of this presentation, let me focus on one trend. That's the combination of S O D and re-certification so D focuses on the business processes and toxic combinations of access rights. For example, create a financial account and do cash advancements, procure goods and goods received front office and back office in a bank. Recertification is about the role an employee has. So what business processes he or she is involved in only the combination of these two prevents effectively fraud. So where is the challenge? Sod is well done within SAP environments. Recertification is well done for Sox applications. What's opened what's. The challenge is the combined approach of sod and recertification enterprisewide across heterogeneous applications.
We will present on this topic more in a breakout session, and I look forward to controversial discussions with you eventually after having
Got the buy-in of senior management, after having implemented defense measures, we are now ready to ensure sustained quality, how to measure cyber readiness. I have one recommendation for you do a comprehensive pist pest will provide honest feedback to you where you are, where you are doing well. And where is room for improvement? It does not only address what's implemented, but what's effective in closing. Let me get back to the free gift. Deloitte is the winner of the Olympics. That's a global competition among the world's best P if you beat us, you will get your next cyber assessment for free. So just give me a call and I'm waiting for it. Thank you for your attention.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00