The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. The regulation is primarily designed to protect the private data of EU citizens. Its ramifications will be felt far beyond the continent of Europe, however, as EU citizen data is to be protected even if the entity collecting or processing it is based outside of Europe.
Although the regulation has many different components and covers several different areas, there is one area that seems particularly relevant to the field of security operations and incident response. As many of you are likely aware, once GDPR goes into effect, organizations will need to report data breaches within 72 hours of becoming aware of them. As I’m sure you’ve already concluded, 72 hours is not very much time at all. Especially given all of the information that needs to be gathered to assess the extent of a breach and report it appropriately.
Visibility
Visibility becomes more important under GDPR than many people may realize. Complete visibility across the enterprise infrastructure, cloud infrastructure, endpoints, mobile, and Software-as-a-Service will be critical to daily life under GDPR. Why? The answer to that question is relatively straightforward. If you can’t see it, you can’t detect it. And if you can’t detect it, you can’t report it. Unless a third party detects it for you, of course, which is obviously an undesirable situation for a number of reasons.
Detection
Detection is another important aspect of life under GDPR, for a few different reasons. First, if an organization does not manage their content development process properly, they will not be able to effectively create a high signal, low noise, reliable, reasonable volume stream of alerts. After ensuring visibility, having that alert stream under control and working effectively is the first step in meeting the GDPR 72 hour requirement.
Once the alert stream is properly populated, the organization needs to focus on being able to quickly vet and qualify alerts. This allows an organization to determine which alerts may indicate that data protected under GDPR has been breached and need to be investigated further.
Lastly, timely and accurate detection of a compromise or other attacker activity inside the organization may eliminate the need to report entirely. How so? If the activity is caught early enough that it can be eradicated before any protected data is compromised, it may not need to be reported at all. This is a benefit that can save organizations time and money, and it is one that shouldn’t be overlooked or underestimated.
Investigation
As I mentioned above, some alerts will need to be investigated further to fully understand the nature of the activity that occurred. This includes whether or not there was a breach involving the compromise of data protected under GDPR. There are really two angles to consider here at a high level.
First, organizations need to ensure that they have the necessary infrastructure to support the investigation phase. That requires both the visibility across the organization discussed above, as well as the ability to query across all of that data rapidly. After all, just collecting all of the required telemetry data without the ability to retrieve and analyze it isn’t going to help satisfy the requirements of GDPR.
Second, it becomes critical for an organization to determine precisely what happened under GDPR. Why is this the case? Say we had a breach, and we know that the attacker accessed a database containing protected data for 3,000,000 EU citizens. Now, if we have gaps in visibility, telemetry, and logging, we may not be able to determine how many of those 3,000,000 records were actually compromised. In these cases, we may have to err on the side of caution and report that all 3,000,000 were potentially compromised. But what if only 30 of those records were actually compromised? That would cost the organization a lot less. A little investment in visibility for investigative purposes goes a long way.
Response Process
Of course, if we do encounter any kind of breach, whether reportable under GDPR or not, we need to respond to it appropriately. This requires having a mature incident response process and training staff on how to follow this process when required. It’s important to remember that reporting is just one aspect of incident response. Just reporting a breach doesn’t absolve us of our responsibility to contain and remediate it, as well as to take lessons learned and follow-up actions to ensure that the organization improves its security posture.
GDPR is a complex regulation that will affect a large number of organizations around the globe when it goes into effect in May of 2018. Organizations should, of course, consult with legal and privacy experts regarding the full impact of GDPR. At the same time, organizations can benefit from some thinking ahead on how GDPR will affect security operations and incident response.