kpmg award write up

2017 Global Network Security New Product Innovation Award

Upload: frost-sullivan

Post on 21-Jan-2018



BEST PRACTICES RESEARCH

© Frost & Sullivan 2017 2 “We Accelerate Growth”

Contents

Background and Company Performance (p. 3)
    Industry Challenges (p. 3)
    New Product Attributes and Customer Impact (p. 3)
    Conclusion (p. 4)
Significance of New Product Innovation (p. 9)
Understanding New Product Innovation (p. 9)
    Key Benchmarking Criteria (p. 10)
Best Practices Award Analysis for KPMG (p. 10)
    Decision Support Scorecard (p. 10)
    New Product Attributes (p. 11)
    Customer Impact (p. 11)
    Decision Support Matrix (p. 12)
Best Practices Recognition: 10 Steps to Researching, Identifying, and Recognizing Best Practices (p. 13)
The Intersection between 360-Degree Research and Best Practices Awards (p. 14)
    Research Methodology (p. 14)
About Frost & Sullivan (p. 14)


Background and Company Performance

Industry Challenges

Servers and personal computers (PCs) sparked the Information Age. Computational

power, word processing, spreadsheets, and (later) direct communication to and from PCs

improved the depth, availability, and immediacy of information.

Of course, PCs also have been the source of deleterious behaviors. The computer itself

does not care if a person pushing sensitive files off of a network, copying intellectual

property, or initiating cyberattacks is a legitimate actor. For all of the wonderful

capabilities of PCs, in many ways the PC remains a dumb machine.

A miscreant is likely to cover his tracks. Files are deleted; external routing tables disguise

where content is sent; and software is installed that ostensibly wipes away an end user’s

activities on the computer. However, the PC holds all of the secrets.

Digital forensics and incident response (DFIR) is the formal analysis of what happened on a computer.1 The computer's hard drive is like the flight data recorder in an airliner: it comprehensively records system and end-user activities, even those of an unscrupulous end user attempting to camouflage his or her criminal or policy-violating activities. Therefore a digital forensic incident response engagement must start with a thorough, high-integrity examination of the hard drive.

Digital forensic incident response investigations are not easy, however, because they involve a physical object, the hard drive. If the handling of the drive is compromised anywhere in the chain of custody, whatever evidence is gleaned from the computer may be ruled inadmissible in a court of law. A hard drive can be mishandled or lost. From a cost perspective, if an investigator has to be in physical proximity to the computer or server, on-site and travel costs mount. Another issue is that hard drives are not the sole source of relevant information: to improve investigations, the drive data must be extensible and combinable with contextual data and intelligence from other sources.

The activity data on a hard drive can be voluminous, and historically this may be why digital forensic incident response has been an on-site activity. On a digital platform, filters and guided search criteria help optimize collection and return the right type of information without it becoming overwhelming or unwieldy.

New Product Attributes and Customer Impact

Distilled from its years of digital forensic incident response field investigations, KPMG productized its honed processes and procedures into the KPMG Digital Responder, an automated digital forensic incident response platform with the added capabilities of portability and extensibility. KPMG Digital Responder was introduced in February 2017.

1 Please note that while the use cases for digital forensic and incident response are most often investigations triggered by a suspected breach or exfiltration of data, this is not necessarily the case. Forensics can be used to prove compliant practices, or simply as a precautionary practice initiated when key personnel leave a company. While this Best Practice focuses on PCs and servers, new use cases may emerge as machine-to-machine (M2M) communications become more common in the Internet of Things (IoT).

KPMG Digital Responder is an automated forensic collection, analysis and reporting solution. It can be run remotely on a computer as a small executable, from a USB drive, or from a network share. No software installation or resident agent is required. (Note: this deployment method means that an employer or law enforcement can run the tool remotely and does not have to be in physical possession of the device at the time of collection. It also means the collection is a live-response acquisition rather than a bit-for-bit disk image: the collector executes on the running system and leaves its own traces, which the collection record should document.) The collected data is encrypted and then transmitted back to KPMG over SFTP (the SSH File Transfer Protocol).

Disaggregating the data from the device has two desired effects. First, upon receipt, KPMG automatically parses and normalizes the collected data into a database. The solution is then able to perform a combination of automated forensic tasks that would often require an on-premises visit, an experienced examiner, and a great deal of time. Second, because normalization is separate from the initial collection, the customer or KPMG can add customized filters to account for the type of business or applicable regulations, refine searches, or narrow report criteria (for example, a customer that does not regard file-sharing applications as harmful can choose to whitelist them).
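The collection step above ends with encrypted artifacts arriving at the analysis side, and the Industry Challenges section stresses chain of custody. As an added example (written for this page by the editor; it is not KPMG's code and does not describe how KPMG Digital Responder works internally), the following Python script shows one way to make a remote collection verifiable on receipt: every artifact is hashed at collection time, the manifest of hashes is sealed with an HMAC under a per-collection key, and the receiving side checks the seal before trusting any hash, then reports modified, missing or unexpected files. The sample artifacts, their paths and the key are constructed for the example; encryption in transit, which the text attributes to the product, is outside this block.

```python
"""Integrity manifest for a remote forensic collection (added example, not product code)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample artifacts standing in for a collector's output (not real KDR data).
SAMPLE_ARTIFACTS = {
    "registry/usbstor.json": b'{"devices": [{"serial": "4C530001", "first_seen": "2017-04-02T09:14:00Z"}]}',
    "browser/history.csv": b"2017-04-03T22:41:10Z,https://example.test/search?q=how+to+hide+file+extractions\n",
    "filesystem/copies.csv": b"E:\\contracts\\renewals_2017.xlsx,copied,2017-04-03T22:50:02Z\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_collection(root: str, artifacts: dict) -> dict:
    """Write artifacts under root and return a manifest mapping relative path -> sha256."""
    manifest = {}
    for rel, data in artifacts.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = sha256_bytes(data)
    return manifest


def _canonical(manifest: dict) -> bytes:
    # Sorted keys and fixed separators so the same manifest always serializes identically.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed at collection time under the per-collection key."""
    return {"manifest": manifest, "tag": hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()}


def verify_collection(root: str, sealed: dict, key: bytes) -> list:
    """Return a sorted list of problems; an empty list means the files match what was sealed."""
    expected = hmac.new(key, _canonical(sealed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        # If the manifest itself was altered, none of its hashes can be trusted.
        return ["manifest tag mismatch (manifest altered or wrong key)"]
    problems = []
    for rel, digest in sealed["manifest"].items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
            continue
        with open(path, "rb") as f:
            if sha256_bytes(f.read()) != digest:
                problems.append(f"modified: {rel}")
    # Files present on disk but absent from the manifest are also a finding.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in sealed["manifest"]:
                problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Seal a collection, verify it clean, then tamper with one artifact and verify again."""
    key = b"per-collection-key-from-the-case-file"  # assumption: provisioned to the collector per case
    root = tempfile.mkdtemp(prefix="collection_demo_")
    sealed = seal_manifest(write_collection(root, SAMPLE_ARTIFACTS), key)
    clean = verify_collection(root, sealed, key)
    with open(os.path.join(root, "browser/history.csv"), "ab") as f:
        f.write(b"tampered\n")
    tampered = verify_collection(root, sealed, key)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The seal is checked before any per-file hash is compared, because a manifest an attacker can rewrite would simply list the hashes of the altered files. A real deployment would store the sealed manifest with the case record rather than inside the bundle, so that the receiving side has an independent reference.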

Match to Needs

The output of this process is a report the customer receives based on the investigation type, which ranges from detailing end-user activities to understanding the impact of malicious code that may have executed on the system. See the example excerpt below from a standard Departing Employee Report.

Figure 1. Excerpt of a KPMG Digital Responder (KDR) Report


In the image above, the major headings (white font on the light-blue title bars) include Removable Storage Device Activity, File Activity, and Internet Activity. Other major report headings include Program Activity, Email Activity, Mobile Activity, and Other Activity (which includes subheadings for associated networks, user accounts on the system, and volume shadow copies in the collection).

The cross-reference fields are Filter on Results, Total, and Potential Risk. The value of these fields is largely self-evident. For instance, each department of the US federal government, and every vendor approved as a cyber contractor to the federal government, is bound by the NIST Special Publication 800-53 Revision 4 control baselines. These agencies must provide a monthly inventory of all of the equipment, software, and applications under their aegis. In this case, KPMG Digital Responder can be leveraged to support NIST compliance by showing a detailed inventory of the software applications currently or previously installed on the system.

The Potential Risk score is tabulated by KPMG against known vulnerabilities, user activities, and other findings potentially indicative of malicious activity. KPMG can also consider information from external threat-feed services as part of the risk score, or tailor risk scores to organizational needs.

Quality

A major part of the value proposition of KPMG Digital Responder is that it can be used as a preventative tool as well as an after-the-fact triage and investigation tool. The nuance is subtle: if a server has been exploited, the forensic investigator might start with the assumption that the breach came through Heartbleed (for example) and work backward. In May 2017, hundreds of thousands of PCs were held to ransom in a global attack known as WannaCry; again the investigator starts from an assumed or active breach scenario.

Digital forensic incident response can, however, be difficult if an investigator goes in without any assumptions. A customer may question why they would want to conduct a digital forensic incident response engagement if there is no apparent cause, but there are actually many use cases:

Compliance. The reporting fields can show activity on a device that proves compliant practices.

An ounce of prevention is worth a pound of cure. Heartbleed, mentioned above, was a missing bounds check in OpenSSL's TLS heartbeat extension (CVE-2014-0160), not a configuration error; once it was public, mass scanning and follow-on attacks went after the same unpatched servers. Similarly, WannaCry spread through an SMBv1 vulnerability for which a patch (MS17-010) had been available since March 2017, and its fallout is likely to echo for several months. Certain machines, such as the CEO's PC or a mail server, should probably be given extra attention.

Human nature. One of the use cases cited by KPMG for KPMG Digital Responder is an investigation a customer asked KPMG to conduct on the PC of an outgoing VP at an insurance firm. Employees are free to leave companies, but intellectual property stays with the company. In the month before the VP left, a report showed an unusual volume of files sent to USB drives. Secondly, the company found keyword searches for "how to hide file extractions." The human resources department was able to ask pointed questions of the outgoing VP, and likely prevented an intellectual property or data breach.

Aside from the use cases, data enrichment gives KPMG investigators real power over the data. Enrichment tags collected artifacts with categories such as compression tools, email files and webmail sites, virtual machines and virtualization tools, media file extensions, and lateral-movement tools. These processes are standardized and repeatable.
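As an added example (the editor's code, not KPMG's and not drawn from the KDR product), the following Python script shows the shape of the normalize, filter, enrich and score pipeline the text describes, run over a constructed set of artifact records modelled on the departing-VP case above: USB copy volume in the final week compared against the earlier baseline, searches matched against suspicious terms, program executions tagged with enrichment categories, and a customer whitelist that drops file-sharing applications from the findings. The event records, enrichment tables, search terms and risk weights are all assumptions made for the example.

```python
"""Departing-employee triage over normalized host artifacts (added example, not product code)."""
from datetime import datetime, timedelta

# Constructed, normalized artifact records of the kind a collector might emit after parsing.
EVENTS = [
    {"ts": "2017-03-01T10:02:00Z", "type": "file_copy", "dest": "usb", "path": "C:\\Users\\vp\\notes.txt", "size": 2048},
    {"ts": "2017-03-28T22:31:00Z", "type": "file_copy", "dest": "usb", "path": "C:\\Share\\clients\\book_of_business.xlsx", "size": 5_400_000},
    {"ts": "2017-03-28T22:33:00Z", "type": "file_copy", "dest": "usb", "path": "C:\\Share\\clients\\pricing_model.xlsx", "size": 3_100_000},
    {"ts": "2017-03-29T08:10:00Z", "type": "web_search", "query": "how to hide file extractions"},
    {"ts": "2017-03-29T08:15:00Z", "type": "program_run", "name": "7z.exe"},
    {"ts": "2017-03-29T08:20:00Z", "type": "program_run", "name": "Dropbox.exe"},
    {"ts": "2017-03-30T09:00:00Z", "type": "web_visit", "url": "https://mail.example.test/inbox"},
]

# Enrichment tables mapping raw program names to the categories the report groups on (assumed lists).
ENRICHMENT = {
    "compression_tool": {"7z.exe", "winrar.exe", "zip.exe"},
    "file_sharing_app": {"dropbox.exe", "googledrivesync.exe"},
    "lateral_movement_tool": {"psexec.exe", "wmic.exe"},
}
SUSPICIOUS_SEARCH_TERMS = ("hide file", "delete history", "wipe", "exfiltrat")

# Risk weights per finding kind; assumed values, tuned per organization as the text says KPMG does.
WEIGHTS = {"usb_spike": 40, "suspicious_search": 30, "compression_tool": 15,
           "file_sharing_app": 10, "lateral_movement_tool": 25}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def usb_transfer_spike(events, recent_days=7, factor=3.0):
    """Compare bytes copied to USB in the last `recent_days` against everything before that.
    Returns (flagged, recent_bytes, baseline_bytes)."""
    copies = [e for e in events if e["type"] == "file_copy" and e["dest"] == "usb"]
    if not copies:
        return False, 0, 0
    cutoff = max(parse_ts(e["ts"]) for e in copies) - timedelta(days=recent_days)
    recent = sum(e["size"] for e in copies if parse_ts(e["ts"]) > cutoff)
    baseline = sum(e["size"] for e in copies if parse_ts(e["ts"]) <= cutoff)
    return recent > factor * max(baseline, 1), recent, baseline


def enrich_program(name: str):
    """Return the enrichment category for a program name, or None if it is not in any table."""
    lname = name.lower()
    for category, names in ENRICHMENT.items():
        if lname in names:
            return category
    return None


def triage(events, whitelist=frozenset()) -> dict:
    """Build a departing-employee style report: findings grouped by report heading plus a risk score.
    `whitelist` holds enrichment categories the customer chooses not to treat as findings."""
    findings = {"Removable Storage Device Activity": [], "Internet Activity": [], "Program Activity": []}
    spike, recent, baseline = usb_transfer_spike(events)
    if spike:
        findings["Removable Storage Device Activity"].append(
            ("usb_spike", f"{recent} bytes to USB in the last 7 days vs {baseline} before"))
    for e in events:
        if e["type"] == "web_search" and any(t in e["query"].lower() for t in SUSPICIOUS_SEARCH_TERMS):
            findings["Internet Activity"].append(("suspicious_search", e["query"]))
        elif e["type"] == "program_run":
            category = enrich_program(e["name"])
            if category and category not in whitelist:
                findings["Program Activity"].append((category, e["name"]))
    score = min(100, sum(WEIGHTS[kind] for items in findings.values() for kind, _ in items))
    return {"findings": findings, "risk_score": score,
            "totals": {heading: len(items) for heading, items in findings.items()}}


def render(report: dict) -> str:
    """Plain-text rendering using the report headings named in the text above."""
    lines = [f"Potential Risk: {report['risk_score']}/100"]
    for heading, items in report["findings"].items():
        lines.append(f"{heading} (Total: {len(items)})")
        lines.extend(f"  - [{kind}] {detail}" for kind, detail in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(EVENTS)))
    print()
    print(render(triage(EVENTS, whitelist={"file_sharing_app"})))
```

Because filtering happens after normalization, the same collected events produce a different report and score when the customer whitelists a category, which is the separation of collection from analysis the text describes.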

Design

A well-known story about ducks is often told. A mallard on the surface of a lake appears to be gliding along; what is not visible is the duck's legs thrashing beneath the surface. The polished KPMG Digital Responder reports are the result of data collection and enrichment, standardized and custom filters (sometimes industry-specific), and event and threat correlation. See the illustration below for how KPMG Digital Responder processes are assembled to provide end-user history, visibility, and threat analysis of a reviewed system.

Figure 2. Conceptual Flow Chart – Streamline Reporting


Price/Performance

The KPMG Digital Responder is designed to mitigate hard and soft costs in digital forensic incident response.

In traditional digital forensic incident response, there are a myriad of hard costs involved in supporting the investigator. At times the investigator must travel to the machine or the hardware, and in some cases the storage must be shipped to the forensic investigator. Often a company's key personnel accompany the investigator.

The soft costs of a forensic investigation include the investigator's time and the damage done for the duration of an active threat. Soft costs are unpredictable and often outweigh the hard costs in a given investigation.

The accompanying illustration (not reproduced in this transcript) gives a brief representation of some of the technologies that the KPMG Digital Responder tool incorporates on the platform. Traditional digital forensic incident response searches often involve event triage using multiple cyber security tools, and this coordination is problematic for even the best investigators in the most stable network environments.

KPMG estimates the average digital forensic incident response engagement starts at $10,000 and goes up with complexity. A KPMG Digital Responder collection and report on a single asset costs roughly $5,000. Naturally, KPMG is willing to work the pricing down for periodic reports generated on the same asset over time.

Brand Equity

As mentioned earlier, KPMG Digital Responder reports are the end result of a standardized process. The reports are deliberately designed to help non-technical stakeholders. Additionally, everything on the report is hyperlinked to the collection of artifacts if a person needs to dig deeper.

KPMG Member firms employ over 2,500 cyber professionals around the globe who are

available to help you with your cyber needs. Many of these professionals are leaders in the

cyber community, helping to develop the tools and methodologies used to combat

cybercrime on a daily basis.

KPMG professionals have experience working on a variety of cybercrimes, including insider

threats, data breaches, hacktivism, and advanced persistent threat-style intrusions by

highly motivated adversaries. Our services include a variety of strategy and investigation

offerings to support your needs.


KPMG is also heavily involved in the information security community. This involvement

provides us with early insight into emerging issues, which we share with our clients and the

project support teams as a component of our advisory role. The pragmatic advice and the

services we can offer your organization are shaped from the experience we have gained and

relationships we have developed serving clients of various size, scope, and complexity.

In the context of KPMG Digital Responder, KPMG can help a client customize its report based upon business needs and compliance/regulatory parameters. From inception to finished product, KPMG spent 18 months systematizing what had been manual processes, and KPMG Digital Responder is the result.

Conclusion

Naturally, KPMG is known as a global enterprise with a commercial presence in almost every country and in virtually every industry. The three pillars of KPMG's business are audit, tax services, and consulting.

The challenge that consultants face is that they need a comprehensive understanding of

the client’s business while infusing expertise and processes to bring efficiencies to the

client’s environment. The KPMG Digital Responder tool provides visibility where traditional

computer forensics fall short; consistent and reliable investigatory processes; and

standardized reporting. Additionally, since KPMG Digital Responder gives portability to the collected data, KPMG Digital Responder is extensible. As a positive outcome, the productivity of digital forensic incident response investigators improves. They can reach conclusions faster and with greater confidence (i.e., supported by other independent data sources) than when the collected data was effectively trapped in an isolated bubble. Plus, with its remote data collection function, KPMG Digital Responder reduces investigators' travel and on-site time, time that can now be spent on additional investigations.

Finding the solution for what is problematic to a customer currently and then creating a

fabric for future solutions represents the best of what a consultancy can do.

With its strong overall performance, KPMG has earned Frost & Sullivan’s 2017 New

Product Innovation Award.


Significance of New Product Innovation

Ultimately, growth in any organization depends upon continually introducing new products

to the market and successfully commercializing those products. For these dual goals to

occur, a company must be best-in-class in three key areas: understanding demand,

nurturing the brand, and differentiating from the competition.

Understanding New Product Innovation

Innovation is about finding a productive outlet for creativity—for consistently translating

ideas into high-quality products that have a profound impact on the customer.


Key Benchmarking Criteria

For the New Product Innovation Award, Frost & Sullivan analysts independently evaluated

two key factors—New Product Attributes and Customer Impact—according to the criteria

identified below.

New Product Attributes

Criterion 1: Match to Needs

Criterion 2: Reliability

Criterion 3: Quality

Criterion 4: Positioning

Criterion 5: Design

Customer Impact

Criterion 1: Price/Performance Value

Criterion 2: Customer Purchase Experience

Criterion 3: Customer Ownership Experience

Criterion 4: Customer Service Experience

Criterion 5: Brand Equity

Best Practices Award Analysis for KPMG

Decision Support Scorecard

To support its evaluation of best practices across multiple business performance

categories, Frost & Sullivan employs a customized Decision Support Scorecard. This tool

allows our research and consulting teams to objectively analyze performance, according to

the key benchmarking criteria listed in the previous section, and to assign ratings on that

basis. The tool follows a 10-point scale that allows for nuances in performance evaluation.

Ratings guidelines are illustrated below.

[Figure: Ratings Guidelines (illustration not reproduced in this transcript)]

The Decision Support Scorecard is organized by New Product Attributes and Customer

Impact (i.e., These are the overarching categories for all 10 benchmarking criteria; the

definitions for each criterion are provided beneath the scorecard.). The research team

confirms the veracity of this weighted scorecard through sensitivity analysis, which

confirms that small changes to the ratings for a specific criterion do not lead to a

significant change in the overall relative rankings of the companies.


The results of this analysis are shown below. To remain unbiased and to protect the

interests of all organizations reviewed, we have chosen to refer to the other key

participants as Competitor 2 and Competitor 3.

Measurement of 1–10 (1 = poor; 10 = excellent)

New Product Innovation   New Product Attributes   Customer Impact   Average Rating
KPMG                     9.2                      9.6               9.4
Competitor 2             6.0                      8.0               7.0
Competitor 3             7.5                      4.5               6.0

New Product Attributes

Criterion 1: Match to Needs

Requirement: Customer needs directly influence and inspire the product’s design and

positioning.

Criterion 2: Reliability

Requirement: The product consistently meets or exceeds customer expectations for

consistent performance during its entire life cycle.

Criterion 3: Quality

Requirement: Product offers best-in-class quality, with a full complement of features and

functionalities.

Criterion 4: Positioning

Requirement: The product serves a unique, unmet need that competitors cannot easily

replicate.

Criterion 5: Design

Requirement: The product features an innovative design, enhancing both visual appeal

and ease of use.

Customer Impact

Criterion 1: Price/Performance Value

Requirement: Products or services offer the best value for the price, compared to similar

offerings in the market.

Criterion 2: Customer Purchase Experience

Requirement: Customers feel they are buying the most optimal solution that addresses

both their unique needs and their unique constraints.

Criterion 3: Customer Ownership Experience

Requirement: Customers are proud to own the company’s product or service and have a

positive experience throughout the life of the product or service.


Criterion 4: Customer Service Experience

Requirement: Customer service is accessible, fast, stress-free, and of high quality.

Criterion 5: Brand Equity

Requirement: Customers have a positive view of the brand and exhibit high brand loyalty.

Decision Support Matrix

Once all companies have been evaluated according to the Decision Support Scorecard,

analysts then position the candidates on the matrix shown below, enabling them to

visualize which companies are truly breakthrough and which ones are not yet operating at

best-in-class levels.

[Figure: Decision Support Matrix. Horizontal axis: New Product Attributes (Low to High); vertical axis: Customer Impact (Low to High). Plotted: Award Recipient, Competitor 2, Competitor 3.]


Best Practices Recognition: 10 Steps to Researching,

Identifying, and Recognizing Best Practices

Frost & Sullivan analysts follow a 10-step process to evaluate Award candidates and

assess their fit with select best practice criteria. The reputation and integrity of the

Awards are based on close adherence to this process.

STEP 1: Monitor, target, and screen
Objective: Identify Award recipient candidates from around the globe
Key activities: Conduct in-depth industry research; identify emerging sectors; scan multiple geographies
Output: Pipeline of candidates who potentially meet all best-practice criteria

STEP 2: Perform 360-degree research
Objective: Perform comprehensive, 360-degree research on all candidates in the pipeline
Key activities: Interview thought leaders and industry practitioners; assess candidates' fit with best-practice criteria; rank all candidates
Output: Matrix positioning of all candidates' performance relative to one another

STEP 3: Invite thought leadership in best practices
Objective: Perform in-depth examination of all candidates
Key activities: Confirm best-practice criteria; examine eligibility of all candidates; identify any information gaps
Output: Detailed profiles of all ranked candidates

STEP 4: Initiate research director review
Objective: Conduct an unbiased evaluation of all candidate profiles
Key activities: Brainstorm ranking options; invite multiple perspectives on candidates' performance; update candidate profiles
Output: Final prioritization of all eligible candidates and companion best-practice positioning paper

STEP 5: Assemble panel of industry experts
Objective: Present findings to an expert panel of industry thought leaders
Key activities: Share findings; strengthen cases for candidate eligibility; prioritize candidates
Output: Refined list of prioritized Award candidates

STEP 6: Conduct global industry review
Objective: Build consensus on Award candidates' eligibility
Key activities: Hold global team meeting to review all candidates; pressure-test fit with criteria; confirm inclusion of all eligible candidates
Output: Final list of eligible Award candidates, representing success stories worldwide

STEP 7: Perform quality check
Objective: Develop official Award consideration materials
Key activities: Perform final performance benchmarking activities; write nominations; perform quality review
Output: High-quality, accurate, and creative presentation of nominees' successes

STEP 8: Reconnect with panel of industry experts
Objective: Finalize the selection of the best-practice Award recipient
Key activities: Review analysis with panel; build consensus; select recipient
Output: Decision on which company performs best against all best-practice criteria

STEP 9: Communicate recognition
Objective: Inform Award recipient of Award recognition
Key activities: Present Award to the CEO; inspire the organization for continued success; celebrate the recipient's performance
Output: Announcement of Award and plan for how recipient can use the Award to enhance the brand

STEP 10: Take strategic action
Objective: Upon licensing, company is able to share Award news with stakeholders and customers
Key activities: Coordinate media outreach; design a marketing plan; assess Award's role in future strategic planning
Output: Widespread awareness of recipient's Award status among investors, media personnel, and employees


The Intersection between 360-Degree Research and Best

Practices Awards

Research Methodology

Frost & Sullivan's 360-degree research methodology represents the analytical rigor of our research process. It offers a 360-degree view of industry challenges, trends, and issues by integrating all 7 of Frost & Sullivan's research methodologies. Too often companies make important growth decisions based on a narrow understanding of their environment, leading to errors of both omission and commission. Successful growth strategies are founded on a thorough understanding of market, technical, economic, financial, customer, best practices, and demographic analyses. The integration of these research disciplines into the 360-degree research methodology provides an evaluation platform for benchmarking industry participants and for identifying those performing at best-in-class levels.

[Figure: 360-Degree Research: Seeing Order in the Chaos]

About Frost & Sullivan

Frost & Sullivan, the Growth Partnership Company, enables clients to accelerate growth

and achieve best-in-class positions in growth, innovation and leadership. The company's

Growth Partnership Service provides the CEO and the CEO's Growth Team with disciplined

research and best practice models to drive the generation, evaluation, and implementation

of powerful growth strategies. Frost & Sullivan leverages more than 50 years of

experience in partnering with Global 1000 companies, emerging businesses, and the

investment community from 45 offices on six continents. To join our Growth Partnership,

please visit http://www.frost.com.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.
