
The Practical Effects of GDPR on Security Operations and Incident Response

The European Union’s General Data Protection Regulation (GDPR) applies from May 25, 2018.  The regulation is primarily designed to protect the personal data of individuals in the EU.  Its ramifications will be felt far beyond the continent of Europe, however: the personal data of people in the EU must be protected even when the organization collecting or processing it is based outside of Europe.

Although the regulation has many components and covers several different areas, one area seems particularly relevant to the field of security operations and incident response: breach notification.  Once GDPR applies, an organization that suffers a personal data breach must notify its supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the individuals concerned, and must give reasons for any delay beyond that window.  The regulation does allow the notification to be delivered in phases when the full picture is not yet known, but 72 hours is still not very much time at all, especially given all of the information that needs to be gathered to assess the extent of a breach and report it appropriately.

I am certainly not a lawyer or a privacy expert, but this 72-hour window creates a number of interesting operational challenges for organizations.  Let’s take a look at a few of the ways in which GDPR may impact the day-to-day operations of security organizations.

Visibility

Visibility becomes more important under GDPR than many people may realize.  Complete visibility across the enterprise infrastructure, cloud infrastructure, endpoints, mobile, and Software-as-a-Service will be critical to daily life under GDPR.  Why?  The answer to that question is relatively straightforward.  If you can’t see it, you can’t detect it.  And if you can’t detect it, you can’t report it.  Unless a third party detects it for you, of course, which is obviously an undesirable situation for a number of reasons.

Detection

Detection is another important aspect of life under GDPR, for a few different reasons.  First, if an organization does not manage its detection content (rules, signatures, and analytics) properly, it will not be able to produce a reliable alert stream with high signal, low noise, and a volume that analysts can actually work through.  After ensuring visibility, getting that alert stream under control is the first step toward meeting the GDPR 72-hour requirement: an alert that sits unreviewed in a flood of noise for weeks is weeks of additional attacker dwell time, and a much larger breach to scope when it finally surfaces.

Once the alert stream is properly populated, the organization needs to focus on being able to quickly vet and qualify alerts.  This allows an organization to determine which alerts may indicate that data protected under GDPR has been breached and need to be investigated further.

Lastly, timely and accurate detection of a compromise or other attacker activity inside the organization may eliminate the need to report entirely.  How so?  A personal data breach under GDPR is a security breach that leads to the unauthorized access to, disclosure, alteration, loss, or destruction of personal data.  If the activity is caught and eradicated early enough that no protected data was accessed, altered, or lost, there may be no personal data breach to notify at all, though the organization still needs the evidence to show that.  This is a benefit that can save organizations time and money, and it is one that shouldn’t be overlooked or underestimated.

Investigation

As I mentioned above, some alerts will need to be investigated further to fully understand the nature of the activity that occurred.  This includes whether or not there was a breach involving the compromise of data protected under GDPR.  There are really two angles to consider here at a high level.

First, organizations need to ensure that they have the infrastructure to support the investigation phase.  That requires both the visibility across the organization discussed above and the ability to search and correlate across all of that data rapidly, as well as to retain it long enough to cover the period the attacker was active.  After all, collecting all of the required telemetry without the ability to retrieve and analyze it isn’t going to help satisfy the requirements of GDPR.

Second, under GDPR it becomes critical for an organization to determine precisely what happened.  Why is this the case?  Say we had a breach, and we know that the attacker accessed a database containing protected data for 3,000,000 EU citizens.  If we have gaps in visibility, telemetry, and logging, we may not be able to determine how many of those 3,000,000 records were actually compromised.  In that case we may have to err on the side of caution and report that all 3,000,000 were potentially compromised, and, where the breach is likely to result in a high risk to those individuals, notify each of them.  But what if only 30 of those records were actually accessed?  Being able to prove that, for example with row-level database audit logging rather than connection-level logging alone, would cost the organization a lot less.  A little investment in visibility for investigative purposes goes a long way.
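The following is an added example of my own, not code from the column or from any product mentioned in it, covering both the detection step above (qualifying an alert by whether the asset it names holds protected data) and the investigation step (scoping which records an attacker actually touched).  The key=value audit-log format, the host-to-table inventory, the table sizes, the session identifiers and the log lines themselves are all constructed for illustration.  The point it makes concrete is the 3,000,000-versus-30 situation: where row-level auditing recorded which rows each statement returned, the reportable count is the rows the attacker's sessions actually read; where it did not, the only defensible scope is the whole table.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed data inventory (an input from the GDPR data-mapping work, not
# something the SOC invents): which hosts hold which personal-data tables,
# and how many records each table holds.
ASSET_TABLES = {"db-prod-01": ["customers", "profiles"], "web-03": []}
PROTECTED_TABLES = {"customers": 3_000_000, "profiles": 450_000}

# Constructed sample audit log in an assumed key=value format. Row-level
# auditing is enabled on `customers` (each statement lists the primary keys
# it returned) but not on `profiles`, so its statements carry no rows field.
# Session sess-17 is the attacker's; sess-03 is a legitimate billing job.
AUDIT_LOG = """\
2018-05-26T01:58:10Z session=sess-03 user=billing table=customers op=SELECT rows=100501,100502
2018-05-26T02:14:01Z session=sess-17 user=app_ro table=customers op=SELECT rows=100001,100002,100003,100004,100005,100006,100007,100008,100009,100010
2018-05-26T02:14:03Z session=sess-17 user=app_ro table=customers op=SELECT rows=100011,100012,100013,100014,100015,100016,100017,100018,100019,100020
2018-05-26T02:14:05Z session=sess-17 user=app_ro table=customers op=SELECT rows=100016,100017,100018,100019,100020,100021,100022,100023,100024,100025
2018-05-26T02:14:07Z session=sess-17 user=app_ro table=customers op=SELECT rows=100026,100027,100028,100029,100030
2018-05-26T02:15:40Z session=sess-17 user=app_ro table=profiles op=SELECT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"table=(?P<table>\S+) op=(?P<op>\S+)(?: rows=(?P<rows>\S+))?$"
)


def qualify_alert(alert):
    """Detection step: does this alert touch an asset holding protected data?
    Returns the protected tables at risk; an empty list means the alert can
    be handled as an ordinary incident rather than a potential GDPR breach."""
    return [t for t in ASSET_TABLES.get(alert["asset"], []) if t in PROTECTED_TABLES]


def parse_audit_log(text):
    """Parse the log into events; `rows` is a set of keys, or None when the
    statement was recorded without row-level detail."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a malformed line is itself a visibility gap worth counting
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["rows"] = set(ev["rows"].split(",")) if ev["rows"] else None
        events.append(ev)
    return events


def scope_breach(events, attacker_sessions):
    """Investigation step: per protected table, the records the attacker's
    sessions provably touched, or the whole table when any of their
    statements lacks row-level evidence (the 3,000,000-versus-30 situation)."""
    touched = {}
    for ev in events:
        if ev["session"] not in attacker_sessions or ev["table"] not in PROTECTED_TABLES:
            continue
        entry = touched.setdefault(ev["table"], {"rows": set(), "gap": False})
        if ev["rows"] is None:
            entry["gap"] = True
        else:
            entry["rows"] |= ev["rows"]
    report = {}
    for table, entry in touched.items():
        if entry["gap"]:
            report[table] = {"reportable": PROTECTED_TABLES[table],
                             "basis": "no row-level audit; whole table assumed affected"}
        else:
            report[table] = {"reportable": len(entry["rows"]),
                             "basis": "row-level audit; only rows actually returned"}
    return report


def notification_deadline(aware_at):
    """72 hours from the moment the organization became aware of the breach."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    alert = {"asset": "db-prod-01", "rule": "unusual bulk SELECT by app_ro"}
    print("protected tables at risk:", qualify_alert(alert))
    events = parse_audit_log(AUDIT_LOG)
    for table, r in scope_breach(events, {"sess-17"}).items():
        print(f"{table}: report {r['reportable']} records ({r['basis']})")
    aware = datetime(2018, 5, 26, 9, 30, tzinfo=timezone.utc)  # assumed time the SOC confirmed the breach
    print("notify supervisory authority by:", notification_deadline(aware).isoformat())
```

Run as-is, the `customers` table scopes to 30 records even though the attacker issued 35 row reads (overlapping statements are de-duplicated), while `profiles` scopes to all 450,000 because nothing in the log says which rows the attacker's SELECT returned.  The same query run for the legitimate `sess-03` session shows why attribution of sessions to the attacker has to be settled before scoping starts: the numbers are only as good as the session list you feed in.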

Response Process

Of course, if we do encounter any kind of breach, whether reportable under GDPR or not, we need to respond to it appropriately.  This requires a mature incident response process and staff trained to follow it when required.  It’s important to remember that reporting is just one aspect of incident response.  Reporting a breach doesn’t absolve us of our responsibility to contain and remediate it, to document it (GDPR also requires organizations to keep a record of personal data breaches, including those they decide not to notify), and to capture lessons learned and follow-up actions so that the organization improves its security posture.

GDPR is a complex regulation that will affect a large number of organizations around the globe when it goes into effect in May of 2018.  Organizations should, of course, consult with legal and privacy experts regarding the full impact of GDPR.  At the same time, organizations can benefit from some thinking ahead on how GDPR will affect security operations and incident response.

Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.