The General Data Protection Regulation’s breach notification mandate is likely to impact an organization’s information security program. Under GDPR, once a breach is discovered, organizations have 72 hours to provide authorities with extensive details on the incident, including what type of data was stolen, who was impacted and what remediation measures are being taken. Here are the technical and procedural steps that companies should take to meet this deadline and avoid GDPR’s substantial fines.
What is GDPR?
The General Data Protection Regulation is a European Union data protection law that takes effect on May 25, 2018. GDPR aims to protect the data of E.U. residents by placing rules on how organizations handle personal data, which is defined as any data that can be used to identify a person. This includes information like employee data, partner data and customer data. A core concept of GDPR is the notion that data privacy is an individual right.
While GDPR is an E.U. regulation, it applies to any organization that handles E.U. citizens’ data, regardless of where that organization is located. This means that GDPR’s reach extends beyond Europe and impacts any company that has European citizens as customers, clients or users.
Other countries are likely to use GDPR as a baseline for their privacy laws, although these regulations may not be as comprehensive as GDPR. Still, the steps companies take today to comply with GDPR could help them prepare for future regulations around how organizations handle personal data.
Data transparency is a key part of GDPR. For example, a company’s website needs to clearly state what data the site is collecting from visitors and how it will be used. Under GDPR, vague statements saying that collected data will be used for a marketing campaign are too ambiguous. Instead, businesses need to say exactly how they’re using the data they’re collecting. For example, will it be used in an email campaign or will it get sold to a third party? Data transparency also means giving E.U. citizens more control over the data that companies collect on them. Under GDPR, E.U. citizens can ask to see the data that businesses have collected on them, transfer it to a competitor or even have it deleted, among other options.
Knowing how data flows through an organization helps that organization protect it. For instance, if a company realizes that someone in customer success can access employee payroll data (and shouldn’t), this access can be cut off. Ensuring that only the right people have access to data decreases the opportunities for an adversary to reach it. And if a breach does occur, knowing how data flows through the organization helps the company meet GDPR’s breach reporting requirement. Out of GDPR’s many components, breach reporting is the one most likely to have a major effect on an organization’s information security program. Bottom line: companies have three days to provide regulators with extensive details on the breach, including who was impacted and what remediation efforts are under way.
Have questions about GDPR? So do your peers judging by the amount of questions we received after our webinar on how organizations can enhance their security practices to comply with GDPR. Shlomi Avivi, Cybereason’s vice president of security and the person making sure that we comply with GDPR, answered some of those questions in this blog.
GDPR places a tight deadline on reporting breaches
A much-discussed aspect of GDPR is its potential impact on how companies handle data breaches. Under GDPR, organizations have to report a data breach to a “supervisory authority” within 72 hours from when the impacted organization learns about the incident. Reporting a breach goes well beyond letting a supervisory authority know that an incident has occurred and includes providing extensive details on the breach. Information that must be provided includes:
- The relationship between the victims and the breached organization. Are they employees? Customers? Third-party vendors?
- What type of data was stolen and how much was taken. Was it health care records? Bank account details? Credit card numbers? User names and passwords?
- How to contact the organization’s data protection officer. If the company doesn’t have one, then another person who can provide breach information has to be listed.
- The potential consequences of the breach. What further security incidents could the breach cause? Identity theft or fraud if bank account information was exposed? Or, if user names and passwords were leaked, could account compromise occur since people reuse log-in information?
- Remediation and mitigation efforts. What has the company done or will do to mitigate the breach and lessen its impact?
The monumental task companies face in compiling all this information is figuring out what data was impacted within 72 hours, an effort that can take, at a minimum, days given the complexity of IT environments.
And then there’s the issue of detecting a breach in the first place, an undertaking that’s proven challenging for organizations: U.S. companies took an average of 191 days to detect a breach in 2017, according to the Ponemon Institute. Keep in mind that GDPR covers personally identifiable information, so data breaches that expose only intellectual property don’t have to be reported. Companies typically take this long to detect a breach for two reasons:
- Lack of proper controls or processes that would have allowed the security team to identify a breach using information provided by security tools. This includes the challenge faced by every organization: finding skilled security analysts who know how to respond to alerts generated by security programs.
- Security tools weren’t deployed extensively enough in the organization, and the infiltration began in an area that wasn’t adequately protected, such as endpoints. Typically, infiltrating endpoints is the attackers’ ultimate goal since credit card numbers, bank account details, intellectual property and other personal data reside there. Endpoints often run antivirus software, but those programs can’t protect a computer from an adversary who knows how to change hashes to make old malware seem new and slip past antivirus applications.
GDPR, though, will change how organizations protect personal data. It calls for privacy by design, which requires companies to have security tools in place to protect personal data and processes in place that allow organizations to detect and understand a breach’s scope.
While businesses don’t automatically face financial repercussions for violating GDPR, companies outside the E.U. aren’t being complacent about complying with the regulation: a PwC survey of 200 U.S. multinational companies found that 92 percent of respondents consider GDPR readiness a top priority while 77 percent will spend $1 million or more on compliance.
Preparing to meet GDPR’s 72-hour breach reporting deadline
From a technical perspective
Meeting the three-day deadline means having breach detection technology in place. This includes systems like an EDR platform, a behavioral detection tool or a SIEM. These tools can identify suspicious patterns and breaches as they occur and should cover all areas where sensitive data resides. They should also provide data visibility, a timeline of the attack and the ability to scope an incident. This means that if a server is breached, for example, a security team should be able to investigate other machines in the organization and see whether adversaries have moved laterally to other computers and servers.
Given the short time organizations have to gather extensive breach information, analysts don’t have time to manually build and run queries. They should use automation tools to speed up the collection and investigation process.
From a procedures perspective
Even the best detection tools aren’t effective without people who know how to act on the information they provide. Organizations need analysts who understand what the alerts mean and know how to triage an incident, scope a breach and generate a full picture of the attack.
But analysts aren’t the only people involved in GDPR preparation. Complying with the regulation requires the help of executive management and the marketing and legal departments, among other departments. Leadership has the power and budget to make GDPR preparation a priority in a company. Executives who treat GDPR preparation and compliance as a key business issue show employees that the regulation should be taken seriously and receive appropriate resources. This may include providing the information security department with a budget to purchase security tools that can present a full attack timeline, such as an EDR platform.
How Cybereason can help companies boost GDPR compliance
Companies shouldn’t panic about complying with GDPR. A key part of the regulation calls for organizations to demonstrate that they are taking actions to comply with GDPR and protect personal data. Using Cybereason can demonstrate that a company is making an effort to keep personal data safe.
Data protection is a fundamental tenet of GDPR but not every security tool can tell a security team if data was impacted. Take antivirus software, for example. While these programs can identify and block known malware, they can’t determine if data was at risk during a security incident.
The Cybereason platform provides data-based protection. By using behavioral analysis, the platform can automatically identify security incidents that could potentially impact data. For instance, Cybereason can detect DGA (domain generation algorithm) activity, which is an essential step for establishing command & control (C&C) communication between the attackers and the infiltrated network. C&C communication could mean that adversaries are in an organization’s network and possibly accessing personal data. Armed with this information, security teams can investigate the incident and determine whether their company is under attack and personal data is at risk.
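As an added illustration of the DGA signal described above (this is not Cybereason’s implementation, whose internals the post does not describe), the Python heuristic below scores the registrable label of each name in a constructed DNS query log and groups flagged lookups by endpoint; the thresholds, the log format and the `.test` sample names are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log, "<timestamp> <endpoint> <queried name>"; not from a real incident.
SAMPLE_DNS_LOG = """\
2018-05-25T10:01:02Z ws-042 www.example.test
2018-05-25T10:01:03Z ws-042 mail.corp-file-share.test
2018-05-25T10:01:05Z ws-042 xk3j9q2zp7w1vn5b.test
2018-05-25T10:01:06Z ws-042 qz8vb2lm4xk0r7tc.test
2018-05-25T10:01:07Z ws-042 pqzkvrtxnbmwdghj.test
2018-05-25T10:01:09Z ws-017 web01-cache.test
2018-05-25T10:01:10Z ws-017 7h2k9dq1z5xw3v8p.test
"""
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric labels score near log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(fqdn: str) -> str:
    """Label left of the TLD. Production code would use the Public Suffix List
    (so foo.co.uk -> foo); a two-label split is enough for the data here."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_votes(label: str) -> int:
    """Number of independent DGA indicators firing on one label (thresholds assumed)."""
    if len(label) < 10:  # short labels are too ambiguous to score
        return 0
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in VOWELS for ch in label) / len(label)
    return ((shannon_entropy(label) >= 3.8)  # near-uniform character mix
            + (digits >= 0.25)               # digit-heavy
            + (vowels <= 0.2))               # unpronounceable

def flag_hosts(log_text: str, min_votes: int = 2) -> dict:
    """Map endpoint -> sorted flagged labels (>= min_votes indicators). A host with
    several such lookups is the starting point for a C&C investigation."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _ts, host, name = line.split()
            label = registrable_label(name)
            if dga_votes(label) >= min_votes:
                flagged[host].add(label)
    return {h: sorted(v) for h, v in flagged.items()}
```

Requiring two of three indicators keeps ordinary hostnames with a few digits (`web01-cache`) and hyphenated dictionary names (`corp-file-share`) out of the result, while vowel-free random labels are caught even when they contain no digits.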
The Cybereason platform can also detect and block malicious PowerShell activity. Attackers use PowerShell, a powerful scripting language built into Windows, to bypass traditional security tools, like firewalls. Since PowerShell is a legitimate tool used by administrators, its commands are trusted by security tools and not suspected of carrying out malicious activities. But flagging malicious PowerShell activity can indicate that adversaries are in an organization’s environment and possibly going after personal data. By automatically detecting malicious PowerShell activity, Cybereason provides analysts with a starting point for a deeper investigation into how personal data could be impacted.
Automated attack timeline and attack scoping
The information that the GDPR requires companies to report following a breach means that security teams need to have a complete attack story. Cybereason presents a full attack story by automatically collecting endpoint data and using a custom-built, in-memory graph to analyze this data for malicious behavior. Leveraging every endpoint in an organization allows Cybereason to connect seemingly unrelated events to reveal the entire attack campaign. Seeing the complete attack allows security teams to fully remediate a threat and leads to better data protection since the risk of adversaries lingering in the network and launching another attack is mitigated.
Cybereason also helps analysts scope an attack. The platform automatically tells analysts which machines were impacted, which users were affected and how the attack started, and it allows analysts to remediate the incident -- all information that organizations must report under GDPR. This information is presented in an interface that’s intuitive for security teams to use, allowing even junior analysts to figure out the scope of the attack and quickly remediate the incident without having to use multiple tools. Cybereason’s EDR platform gives analysts deep endpoint visibility, allowing them to better protect the personal data stored there and demonstrate that the company is taking action to comply with GDPR.