kpmg award write up
TRANSCRIPT
2017 Global Network Security New Product Innovation Award
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 2 “We Accelerate Growth”
Contents
Background and Company Performance ........................................................................ 3
Industry Challenges .............................................................................................. 3
New Product Attributes and Customer Impact .......................................................... 3
Conclusion........................................................................................................... 4
Significance of New Product Innovation ......................................................................... 9
Understanding New Product Innovation ......................................................................... 9
Key Benchmarking Criteria .................................................................................. 10
Best Practices Award Analysis for KPMG ...................................................................... 10
Decision Support Scorecard ................................................................................. 10
New Product Attributes ....................................................................................... 11
Customer Impact ............................................................................................... 11
Decision Support Matrix ...................................................................................... 12
Best Practices Recognition: 10 Steps to Researching, Identifying, and Recognizing Best Practices ................................................................................................................. 13
The Intersection between 360-Degree Research and Best Practices Awards ..................... 14
Research Methodology ........................................................................................ 14
About Frost & Sullivan .............................................................................................. 14
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 3 “We Accelerate Growth”
Background and Company Performance
Industry Challenges
Servers and personal computers (PCs) sparked the Information Age. Computational
power, word processing, spreadsheets, and (later) direct communication to and from PCs
improved the depth, availability, and immediacy of information.
Of course, PCs also have been the source of deleterious behaviors. The computer itself
does not care if a person pushing sensitive files off of a network, copying intellectual
property, or initiating cyberattacks is a legitimate actor. For all of the wonderful
capabilities of PCs, in many ways the PC remains a dumb machine.
A miscreant is likely to cover his tracks. Files are deleted; external routing tables disguise
where content is sent; and software is installed that ostensibly wipes away an end user’s
activities on the computer. However, the PC holds all of the secrets.
Digital forensic and incident response is the formal analysis of what happened on a
computer.1 The computer’s hard drive is like the flight data recorder in an airliner. It
comprehensively records system and end-user activities, even those of an unscrupulous
end-user attempting to camouflage his or her criminal or policy-violating activities.
Therefore, digital forensic incident response must start with a thorough and high integrity
examination of the hard drive.
Digital forensic incident response investigations are, however, not easy as they involve a
physical object, the hard drive. For example if the handling of hard drive is compromised
in the chain of custody, then whatever evidence gleaned from a computer becomes
inadmissible in a court of law. A hard drive could be mishandled or lost. From a cost
perspective, if a digital forensic incident response investigator has to be in physically
proximity with the computer or server, on-site and travel costs mount. Another issue with
hard drives is that they are not the sole source of relevant information. To improve
investigations, the hard drive data must be extensible and combinable with contextual
data and intelligence from other sources.
The activity data on a hard drive could be quite voluminous and historically this may be
why digital forensic incident response has been an on-site activity. In a digital platform,
using filters and guided search criteria helps in the optimization in its collections and
provides the right type of information without being overwhelming or unwieldly.
New Product Attributes and Customer Impact
Distilled from its years of digital forensic incident response field investigations, KPMG
productized its honed processes and procedures into the KPMG Digital Responder, an
1 Please note that while the use cases for digital forensic and incident response are likely
investigations triggered because of a suspected breach or exfiltration of data, this is not
necessarily the case. Forensics can be used to prove compliant practices, or simply as
precautionary practice initiated when key personnel leave a company. While this Best
Practice focuses on PCs and servers, new use cases may emerge as M2M communications
become more common in the Internet of Things (IoT).
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 4 “We Accelerate Growth”
automated digital forensic incident response platform with the added capabilities of
portability and extensibility. KPMG Digital Responder was introduced in February 2017.
KPMG Digital Responder is an automated forensic collection, analysis and reporting
solution. KPMG Digital Responder can be remotely run on a computer through a small
executable file, with a USB drive, or from a network share. No software installations or
agents are required. (Note: this implementation method means that employer/law
enforcement can deploy the tool remotely and does not have to be in physical possession
of the device at the time of collection). The data collected is encrypted and then
transmitted back to the KPMG through secure file transfer protocol (SFTP).
Disaggregating the data from the device has a couple of desired effects. First, upon
receipt, KPMG automatically parses and normalizes the collected data into a database. The
solution is then able to do a combination of automated forensic tasks that would often
require an on-premises visit, an experienced examiner, and lots of time. Second, since the
data normalization process is separate from the initial collection, the customer or KPMG
can add customized filters to account for types of business/regulations, refine searches, or
narrow report criterion (an example, perhaps a customer does not see file sharing
applications as harmful and can choose to whitelist these applications).
Match to Needs
The output of this process is the customer receives a report based on the investigation
type, which range from detailing end user activities to understanding the impact of
malicious code that may have executed on the system. See example excerpt below from a
standard Departing Employee Report.
Figure 1. Excerpt of a KPMG Digital Responder (KDR) Report
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 5 “We Accelerate Growth”
In the image above, the major file headings (the white font in the light blue title bars)
include Removable Storage Device Activity, File Activity, and Internet Activity. Other
report major report headings include Program Activity, Email Activity, Mobile Activity, and
Other Activity (this includes sub headings for associated networks, user accounts in the
system, and volume shadow copies in the collection).
The cross reference fields are Filter on Results, Total, and Potential Risk. The value of
these cross reference fields is largely self-evident. For instance, each department in the
US federal government, and all vendors that are approved cyber contractors to the federal
government are bound by National Institute of Standards and Technology (NIST) 800-53
v.4 compliance standards. These agencies must provide a monthly inventory of all of the
equipment, software, and applications under their aegis. In this case, the KPMG Digital
Responder can be leveraged to prove NIST compliance to show a detailed inventory of
what software applications are currently or previously installed on the system.
The Potential Risk score is tabulated by KPMG against known vulnerabilities, user
activities, and other findings potentially indicative of malicious activity. KPMG can also
consider information from external threat feed services as a part of the risk score or tailor
risk scores based on organizational needs.
Quality
A major part of the value proposition of KPMG Digital Responder is that it can be used as a
preventative tool as well as an after-the-fact triage and investigation tool. The nuance is
subtle; if there is an exploit to a server, the forensic investigator might start with the
assumption that the breach is from Heartbleed (for example) and work backward. In May
2017, several PCs were held ransom in a global attack known as WannaCry; again the
investigator starts with an assumed or active breach scenario.
However, digital forensic incident response could be difficult if an investigator goes in
without any assumptions. A customer may question why they would want to conduct a
digital forensic incident response if there is no apparent cause, but there are actually
many use cases:
Compliance. The reporting fields can show activity on a device which proves
compliant practices.
An ounce of prevention is worth a pound of cure. In the aforementioned
Heartbleed, which exploited vulnerabilities in the configuration of OpenSSL,
derivative attacks were created to run through the same servers that could be
exploited in Heartbleed. Similarly, the fallout from WannaCry is likely to echo for
several months. Certain machines like the company’s CEO or a mail server should
probably be given extra attention.
Human nature. One of the use cases cited by KPMG for KPMG Digital Responder
is an investigation a customer asked KPMG to conduct on the PC of an outgoing VP
at an insurance firm. Employees are free to leave companies, but intellectual
property stays with the company. In the month before the VP left the company, a
report showed that there was usual amount of files sent to USB drives. Secondly,
the company found key word searches titled “how to hide file extractions.” The
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 6 “We Accelerate Growth”
human resources department was able to ask pointed questions to the outgoing
VP, and likely prevented an intellectual property or data breach.
Aside from the uses cases, data enrichment gives KPMG investigators real power over the
data. Data enrichment examples include compression tools, email files and email
Websites, virtual machines and virtualization tools, media file extensions, and lateral
movement tools. These processes are standardized and repeatable.
Design
A well-known story about ducks is often told. If you saw a mallard duck on the surface of
a lake, it would appear to be gliding along. In fact, not visible is the little duck legs
beneath surface thrashing underneath. The elegant and stylistic KPMG Digital Responder
reports are the results of data collection and enrichment, standardized and custom filters
(sometimes industry-specific), and event and threat correlation. See the illustration below
to see how KPMG Digital Responder processes are assembled to provide end user history,
visibility, and threat analysis of a reviewed system.
Figure 2. Conceptual Flow Chart – Streamline Reporting
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 7 “We Accelerate Growth”
Price/Performance
The KPMG Digital Responder is designed to mitigate hard and soft costs in the digital
forensic incident response.
In traditional digital forensic incident response, there are a myriad of hard costs involved
in support of the investigator. At times the investigator must travel to the machine, or the
hardware, and, in some cases, the storage must be sent to the forensic investigator. Often
a company’s key personnel accompany the investigator.
The soft costs in a forensic investigation include investigator’s time and the damage done
in the duration of an active threat. The soft costs are unpredictable and almost likely
outweigh the hard costs in a given investigation.
In the illustration on the left, there is
a brief representation of some of the
technologies that the KPMG Digital
Responder tool incorporates on the
platform. Traditional digital forensic
incident response searches often
involve event triage using multiple
cyber security tools and this is
coordination is problematic for even
the best investigators in the most
stable network environments.
KPMG estimates the average digital
forensic incident response starts at
$10,000 and goes up in complexity.
The KPMG Digital Response tool is
installed and a report over a single
asset costs roughly $5,000. Naturally, KPMG is willing to work the pricing down for
periodic reports generated on the same asset over time.
Brand Equity
Mentioned earlier, KPMG Digital Responder reports are the end result of a standardized
process. The reports are deliberately designed to help non-technical stakeholders.
Additionally, everything on the report is hyperlinked to the collection of artifacts if a person
needs to dig deeper.
KPMG Member firms employ over 2,500 cyber professionals around the globe who are
available to help you with your cyber needs. Many of these professionals are leaders in the
cyber community, helping to develop the tools and methodologies used to combat
cybercrime on a daily basis.
KPMG professionals have experience working on a variety of cybercrimes, including insider
threats, data breaches, hacktivism, and advanced persistent threat-style intrusions by
highly motivated adversaries. Our services include a variety of strategy and investigation
offerings to support your needs.
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 8 “We Accelerate Growth”
KPMG is also heavily involved in the information security community. This involvement
provides us with early insight into emerging issues, which we share with our clients and the
project support teams as a component of our advisory role. The pragmatic advice and the
services we can offer your organization are shaped from the experience we have gained and
relationships we have developed serving clients of various size, scope, and complexity.
In the context of KPMG Digital Responder, KPMG can help a client customize its report
based upon business needs and compliance/regulatory parameters. From inception-to-end
product, KPMG committed 18 months to systematize what had been manual processes, and
KPMG Digital Responder is the result.
Conclusion
Naturally, KPMG is known as a global enterprise with a commercial presence in almost
every country and in every industry type (literally). The three pillars of KPMG’s are
auditing, tax services, and consulting.
The challenge that consultants face is that they need a comprehensive understanding of
the client’s business while infusing expertise and processes to bring efficiencies to the
client’s environment. The KPMG Digital Responder tool provides visibility where traditional
computer forensics fall short; consistent and reliable investigatory processes; and
standardized reporting. Additionally, since KPMG Digital Responder gives portability to the
collected data, KPMG Digital Responder is extensible. As a positive outcome, the
productivity of digital forensic incident response investigators improves. They can reach
conclusions faster and with greater confidence (i.e., supported by other independent data
source) than when the collected data was virtually trapped in an isolated bubble. Plus,
with its remote data collection functioning, KPMG Digital Responder reduces investigators
travel and on-site time; time that can now be spent on additional investigations.
Finding the solution for what is problematic to a customer currently and then creating a
fabric for future solutions represents the best of what a consultancy can do.
With its strong overall performance, KPMG has earned Frost & Sullivan’s 2017 New
Product Innovation Award.
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 9 “We Accelerate Growth”
Significance of New Product Innovation
Ultimately, growth in any organization depends upon continually introducing new products
to the market and successfully commercializing those products. For these dual goals to
occur, a company must be best-in-class in three key areas: understanding demand,
nurturing the brand, and differentiating from the competition.
Understanding New Product Innovation
Innovation is about finding a productive outlet for creativity—for consistently translating
ideas into high-quality products that have a profound impact on the customer.
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 10 “We Accelerate Growth”
Key Benchmarking Criteria
For the New Product Innovation Award, Frost & Sullivan analysts independently evaluated
two key factors—New Product Attributes and Customer Impact—according to the criteria
identified below.
New Product Attributes
Criterion 1: Match to Needs
Criterion 2: Reliability
Criterion 3: Quality
Criterion 4: Positioning
Criterion 5: Design
Customer Impact
Criterion 1: Price/Performance Value
Criterion 2: Customer Purchase Experience
Criterion 3: Customer Ownership Experience
Criterion 4: Customer Service Experience
Criterion 5: Brand Equity
Best Practices Award Analysis for KPMG
Decision Support Scorecard
To support its evaluation of best practices across multiple business performance
categories, Frost & Sullivan employs a customized Decision Support Scorecard. This tool
allows our research and consulting teams to objectively analyze performance, according to
the key benchmarking criteria listed in the previous section, and to assign ratings on that
basis. The tool follows a 10-point scale that allows for nuances in performance evaluation.
Ratings guidelines are illustrated below.
RATINGS GUIDELINES
The Decision Support Scorecard is organized by New Product Attributes and Customer
Impact (i.e., These are the overarching categories for all 10 benchmarking criteria; the
definitions for each criterion are provided beneath the scorecard.). The research team
confirms the veracity of this weighted scorecard through sensitivity analysis, which
confirms that small changes to the ratings for a specific criterion do not lead to a
significant change in the overall relative rankings of the companies.
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 11 “We Accelerate Growth”
The results of this analysis are shown below. To remain unbiased and to protect the
interests of all organizations reviewed, we have chosen to refer to the other key
participants as Competitor 2 and Competitor 3.
Measurement of 1–10 (1 = poor; 10 = excellent)
New Product Innovation
New Product
Attributes
Customer
Impact Average Rating
KPMG 9.2 9.6 9.4
Competitor 2 6.0 8.0 7.0
Competitor 3 7.5 4.5 6.0
New Product Attributes
Criterion 1: Match to Needs
Requirement: Customer needs directly influence and inspire the product’s design and
positioning.
Criterion 2: Reliability
Requirement: The product consistently meets or exceeds customer expectations for
consistent performance during its entire life cycle.
Criterion 3: Quality
Requirement: Product offers best-in-class quality, with a full complement of features and
functionalities.
Criterion 4: Positioning
Requirement: The product serves a unique, unmet need that competitors cannot easily
replicate.
Criterion 5: Design
Requirement: The product features an innovative design, enhancing both visual appeal
and ease of use.
Customer Impact
Criterion 1: Price/Performance Value
Requirement: Products or services offer the best value for the price, compared to similar
offerings in the market.
Criterion 2: Customer Purchase Experience
Requirement: Customers feel they are buying the most optimal solution that addresses
both their unique needs and their unique constraints.
Criterion 3: Customer Ownership Experience
Requirement: Customers are proud to own the company’s product or service and have a
positive experience throughout the life of the product or service.
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 12 “We Accelerate Growth”
Criterion 4: Customer Service Experience
Requirement: Customer service is accessible, fast, stress-free, and of high quality.
Criterion 5: Brand Equity
Requirement: Customers have a positive view of the brand and exhibit high brand loyalty.
Decision Support Matrix
Once all companies have been evaluated according to the Decision Support Scorecard,
analysts then position the candidates on the matrix shown below, enabling them to
visualize which companies are truly breakthrough and which ones are not yet operating at
best-in-class levels.
High
Low
Low High
Cu
sto
mer I
mp
act
New Product Attributes
Award
Recipient
Competitor 2
Competitor 3
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 13 “We Accelerate Growth”
Best Practices Recognition: 10 Steps to Researching,
Identifying, and Recognizing Best Practices
Frost & Sullivan analysts follow a 10-step process to evaluate Award candidates and
assess their fit with select best practice criteria. The reputation and integrity of the
Awards are based on close adherence to this process.
STEP OBJECTIVE KEY ACTIVITIES OUTPUT
1 Monitor, target, and screen
Identify Award recipient candidates from around the globe
Conduct in-depth industry research
Identify emerging sectors
Scan multiple geographies
Pipeline of candidates who potentially meet all best-practice criteria
2 Perform 360-degree research
Perform comprehensive, 360-degree research on all candidates in the pipeline
Interview thought leaders and industry practitioners
Assess candidates’ fit with best-practice criteria
Rank all candidates
Matrix positioning of all candidates’ performance relative to one another
3
Invite thought leadership in best practices
Perform in-depth examination of all candidates
Confirm best-practice criteria Examine eligibility of all
candidates Identify any information gaps
Detailed profiles of all ranked candidates
4
Initiate research director review
Conduct an unbiased evaluation of all candidate profiles
Brainstorm ranking options Invite multiple perspectives
on candidates’ performance Update candidate profiles
Final prioritization of all eligible candidates and companion best-practice positioning paper
5
Assemble panel of industry experts
Present findings to an expert panel of industry thought leaders
Share findings Strengthen cases for
candidate eligibility Prioritize candidates
Refined list of prioritized Award candidates
6
Conduct global industry review
Build consensus on Award candidates’ eligibility
Hold global team meeting to review all candidates
Pressure-test fit with criteria Confirm inclusion of all
eligible candidates
Final list of eligible Award candidates, representing success stories worldwide
7 Perform quality check
Develop official Award consideration materials
Perform final performance benchmarking activities
Write nominations Perform quality review
High-quality, accurate, and creative presentation of nominees’ successes
8
Reconnect with panel of industry experts
Finalize the selection of the best-practice Award recipient
Review analysis with panel Build consensus Select recipient
Decision on which company performs best against all best-practice criteria
9 Communicate recognition
Inform Award recipient of Award recognition
Present Award to the CEO Inspire the organization for
continued success Celebrate the recipient’s
performance
Announcement of Award and plan for how recipient can use the Award to enhance the brand
10 Take strategic action
Upon licensing, company is able to share Award news with stakeholders and customers
Coordinate media outreach Design a marketing plan Assess Award’s role in future
strategic planning
Widespread awareness of recipient’s Award status among investors, media personnel, and employees
BEST PRACTICES RESEARCH
© Frost & Sullivan 2017 14 “We Accelerate Growth”
The Intersection between 360-Degree Research and Best
Practices Awards
Research Methodology
Frost & Sullivan’s 360-degree research
methodology represents the analytical
rigor of our research process. It offers a
360-degree-view of industry challenges,
trends, and issues by integrating all 7 of
Frost & Sullivan's research methodologies.
Too often companies make important
growth decisions based on a narrow
understanding of their environment,
leading to errors of both omission and
commission. Successful growth strategies
are founded on a thorough understanding
of market, technical, economic, financial,
customer, best practices, and demographic
analyses. The integration of these research
disciplines into the 360-degree research
methodology provides an evaluation
platform for benchmarking industry
participants and for identifying those performing at best-in-class levels.
About Frost & Sullivan
Frost & Sullivan, the Growth Partnership Company, enables clients to accelerate growth
and achieve best-in-class positions in growth, innovation and leadership. The company's
Growth Partnership Service provides the CEO and the CEO's Growth Team with disciplined
research and best practice models to drive the generation, evaluation, and implementation
of powerful growth strategies. Frost & Sullivan leverages more than 50 years of
experience in partnering with Global 1000 companies, emerging businesses, and the
investment community from 45 offices on six continents. To join our Growth Partnership,
please visit http://www.frost.com.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
360-DEGREE RESEARCH: SEEING ORDER IN
THE CHAOS