IT security: strategic intelligence instead of flying blind

E3 Magazine: Hello, Ralf Kempf, as CEO of Pathlock Germany, do you have a status quo of IT security for us? What will move the market in 2024?

Ralf Kempf, CEO, Pathlock Germany: I think that a recent survey of over 150 German user companies is telling: it is not surprising that the majority expect cyber attacks to become more frequent and more dangerous in 2024. The fact that more than half of them see a need for improvement in order to be able to react quickly and remain operational also shows a certain degree of insight. What is striking, however, is that in our experience this realization hardly leads to a prioritization of IT security in the company, let alone to urgently recommended measures. Our impression is that companies are simply overwhelmed and don't know how and where to start to meet the challenges of complex IT systems and hybrid SAP/non-SAP landscapes.

E3 Magazine: Raphael Kelbert, what do you think are the causes?

Raphael Kelbert, Product Manager Threat Detection, Pathlock GermanyUltimately, this is often due to a lack of internal know-how to meet such massive and constantly changing requirements. When we hear that more than two thirds admit that they have not implemented a holistic security solution, this is simply worrying and shows where the homework has not yet been done. And this does not even take into account the serious requirements of the new NIS 2 directive for critical companies and their supply chain.

E3 Magazine: We'll come to NIS-2 later. But what "homework" do you mean?

Kempf: Well, at the top of the list is certainly achieving transparency. Although ERP system landscapes are a core element of many companies, they often do not know how many SAP, Oracle or other ERP systems are actually in use. As a rule, the productive systems are taken into account, but supposedly non-critical systems such as development, QA or training systems are rarely considered. And legacy systems often form a veritable shadow IT system with different versions and unknown configurations, some of which contain highly sensitive data but have been unpatched as inactive systems for years.

KelbertAnd even productive systems often remain unpatched because they are involved in business-critical core processes that do not allow maintenance windows for extensive updates. Paradoxically, this means that the most important systems also have the highest risk of attack. In addition, there is often a lack of human resources to set up adequate protection. This is a dangerous game, as an attack on the heart of the company not only jeopardizes data protection, business continuity and reputation, but can also threaten the very existence of the company. These challenges can only be overcome in the future if IT security is given appropriate importance throughout the company.

E3 Magazine: And what can you recommend to companies that want to implement this?

Kempf: Continuous security audits are important: they strengthen resilience and significantly reduce the attack surface of the entire IT system landscape. In view of the monthly release of security patches, it should be obvious that an annual audit of a production system is merely a snapshot that says little or nothing about the actual security for the rest of the year. Clear recommendation: Automated security processes and specialized software tools ensure continuous transparency, are always technically up to date and make it easier for IT and security teams to make informed decisions.

KelbertIn addition to such automatic, closely timed audits of all systems, permanent log monitoring helps to detect suspicious activities. This is because an alarm must be raised immediately so that suitable countermeasures can be initiated quickly and the effects contained.

E3 Magazine: Are there any attack scenarios that are currently becoming more frequent?

KelbertMany attacks are based on the theft of privileged account data because this is the easiest and fastest way for cyber criminals to gain access to an IT system. Super users usually have extensive administrator and root rights, which are necessary for tasks such as system updates and maintenance. Good privileged access management is therefore crucial for the security of IT systems: that there are clear rules and controls on who is granted emergency user rights and how these are used. Traditional security solutions do not offer reliable protection here.

KempfAuditors are now paying all the more attention to ensuring that superuser controls are integrated into the company's internal SoD concepts. The complexity of IT systems is often no longer monolithic, but hybrid, and is growing rapidly, meaning that SoD concepts are also becoming more extensive and opaque. It is essential to keep them up to date, present them transparently and harmonize them. Contingency concepts can no longer be viewed in isolation. It is important to consider the auditors' perspective. They are fundamentally critical of superuser concepts because they could affect both the integrity of the systems and financial data.

E3 Magazine: And what do you think are frequently underestimated security gaps?

KelbertIn any case, custom code is an often neglected attack vector. Custom code management is the central entry point for all functions that can be used to monitor and manage the lifecycle of custom developments. Kempf: "It is crucial here to recognize security-critical changes to the custom code just as quickly as unwanted changes to the system configurations. This not only allows risks to be classified in good time and ideally avoided, but also prevents compliance breaches. Assuming the attackers were successful despite everything.

KempfIn this case, considered action is always required and I recommend consulting external IT forensics experts. A complete shutdown can be life-threatening, especially as the recovery of complex application landscapes could take months. The damage caused by a hasty shutdown can ultimately be greater than that caused by data theft, industrial espionage or blackmail. Not including loss of reputation, higher insurance premiums, additional working hours and catching up on production. This can be very expensive.

E3 Magazine: Speaking of expensive: The new EU directive NIS-2 - what's in store for us?

KelbertWell, this will be a real game-changer for many companies: back in 2016, the EU defined the first cybersecurity standards for operators of critical infrastructures with the Network and Information Security (NIS) Directive. As the security situation has worsened dramatically since then, the amendment has come just in time. NIS-2 must be transposed into national law as early as October. In Germany, too, it is clear that the NIS-2 requirements will be significantly tightened and extended to many more companies: In addition to existing Kritis operators such as energy and water suppliers or hospitals, they will then also apply to their supply chains and many other sectors such as postal service providers, software suppliers and waste management. Medium-sized companies will then also be subject to the strict Kritis requirements, as long as they are essential and important facilities, such as logistics companies, managed service providers or some mechanical engineering companies.

E3 Magazine: Many people are now asking themselves whether they belong. What is expected of them?

KempfFirstly, they should use the NIS 2 directive to check whether they belong to the added industries and sectors. And secondly, they should check whether they have customers in the Kritis scope whose supply chain they belong to. It would be fundamentally wrong to wait idly until your customer gets in touch. NIS-2 places a strong technical and organizational obligation on everyone, particularly in terms of risk analysis and protection of information systems. This involves business continuity such as crisis and emergency management, for example with breach and attack simulations. NIS-2 also demands much more when it comes to protecting information systems. In addition to encryption, for example, multi-factor authentication and stricter reporting obligations of a new quality: every significant security incident must be reported within 24 hours.

E3 Magazine: And if a company does not comply with these obligations?

KelbertThen there will be no mere threatening gestures, but fines of up to 10 million euros or 2 percent of the previous year's global turnover. And these fines are serious. One thing is unmistakably clear: companies can definitely no longer afford to sit back and wait. The measures to be implemented for NIS-2 are considerable: the establishment of company-wide risk management and the introduction of multi-factor authentication cannot be realized in just a few weeks, not to mention the inclusion of supply chains.

E3 Magazine: That all sounds like an enormous challenge.

KelbertDefinitely, especially for those who have not yet done their homework. And for some, this is not the only serious change in the law: the Digital Operational Resilience Act (DORA), for example, is a special law for NIS-2 with additional security regulations for the financial and insurance sectors and their service providers. These are comprehensive requirements for risk management, documentation and audits, explicitly also for third-party service providers such as cloud and software providers.

E3 Magazine: So how do you rate NIS-2 and its consequences?

KempfThe directive comes not a moment too soon and its consequences are unavoidable, as there is no other way to achieve Europe-wide resilience. It is finally forcing cybersecurity to become an essential part of corporate culture, as a matter for the boss. In future, management that can afford to merely delegate and otherwise remain clueless will no longer be able to shirk its responsibilities. Those who neglect cybersecurity will not only expose their company to an increased risk of attack in the future, but also to enormous fines for violations. The recommendation is therefore clear: prioritize the issue, keep an eye on the implementation deadlines and, above all, get the right partners on board promptly for implementation.

E3 Magazine: Thank you! And on the subject of the buzzwords cloud and AI: what relevance does the cloud have for cyber security?

KelbertBefore the cloud boom, protecting a company's infrastructure was much easier. Networks were clearly demarcated, the firewall stood between the internal network and a clearly defined, potentially dangerous outside world. And just as employees and external service providers can now easily access systems and data within the network remotely, criminals can also gain access much more easily. The decisive factor is that every company is still responsible for its own security and cannot leave this to its cloud provider or hyperscaler in good faith.

E3 Magazine: And how is the use of artificial intelligence changing the situation?

KempfThere is light and shade. AI has fundamentally changed the rules of the game and the new threat situation is certainly a cause for concern. All the latest studies show that attack techniques are improving rapidly. While many companies are finally getting clear security guidelines with NIS-2, which first need to be implemented, they are already facing the next hurdle due to new attack vectors using generative AI. It is therefore high time to raise defensive measures to a new level.

E3 Magazine: So AI also poses a major threat in security scenarios?

KempfBy no means, that's what I meant by light and shadow: AI can advance IT security by leaps and bounds, but it must be used carefully. This requires in-depth security expertise. As our CEO Piyush Pandey recently emphasized, cybersecurity experts are now becoming even more valuable as they provide the in-depth practical knowledge needed to manage the use of AI sensibly and train it correctly. Otherwise, AI systems will learn, for example, to simply classify a frequently occurring critical situation as normal and no longer raise the alarm.

KelbertThere are already solutions that utilize the advantages of AI, and we can proudly point to a new in-house development: Threat Intelligence. Threat Intelligence is the answer to many of the questions we have discussed today and will become an absolute security must-have as AI-supported real-time protection. It is a combination of established threat detection solutions supplemented by automated individual responses that are adapted to the respective risk situation.

E3 Magazine: Can you explain what the strengths of this combination are?

KempfOf course. Until now, the reaction to an identified risk was to first assess the situation and then initiate measures in a company's security team, for example in the Security Operation Center. But what if this was not staffed around the clock or the assessment of a risk took a long time? Then valuable time elapsed before countermeasures could be taken, even though response time is the absolutely decisive factor in damage limitation.

KelbertBy integrating intelligently automated processes that form an additional layer of security, we can now solve this dilemma. For example, access to critical transactions is restricted or even completely blocked if necessary on the basis of known threats, data fields are masked precisely and based on attributes, downloads are prevented or users with critical behavior are logged out of the system. All of this is done fully automatically, in real time and around the clock. These immediate reactions in the event of a situation classified as a risk protect highly sensitive information immediately and precisely. Our set of rules is fully configurable and can be individually adapted for each data field, function or user interface. In this way, we have taken threat detection using artificial intelligence a decisive strategic step further.