One of the key requirements under the new General Data Protection Regulation is breach reporting. Of course, to report a breach implies you have the capability to detect a data breach – and that’s not always easy.
McAfee Labs research discovered that over 53 per cent of all incidents are detected externally. Additionally, a SANS Incident Response survey from 2016 found that only about 16 per cent of security operations centres (SOCs) were considered in a mature state.
From my own experience, many security operations are mostly focused on malware threat hunting with very few use cases for insider threat or data exfiltration. That leads to one more alarming statistic. A 2016 Ponemon report found that only 24 per cent of businesses can identify unauthorised access to critical systems in less than 24 hours.
All of this leads me to believe that most security operations are not ready for GDPR.
In this post, I have outlined a few key steps security operations can take to improve readiness for GDPR.
Understand the Journey:
The first step to improvement is understanding your current state and designing a plan to move forward. I put together this simple three-step model to help organisations assess their current sec ops capability as it relates specifically to data breach detection and response.
In my experience, most customers are somewhere between level one and two but an increasing number are exploring adoption of advanced technologies, like user behaviour analytics, to help detect advanced attacks whether from the inside or outside. More on analytics later.
Getting the Right Data for the Job:
Without the right visibility into user and data activity, detecting data breaches, or even investigating suspicious activity, becomes nearly impossible. Most security operations are familiar with the data sources used to hunt malware incidents: malware indicators of compromise, firewall traffic logs and endpoint AV logs are commonly collected to detect or investigate compromised machines.
However, identifying unauthorised user behaviour or detecting data exfiltration requires a different level of visibility. Consider adding the following data sources to your SIEM and other data aggregation platforms:
Data loss prevention (DLP)
Endpoint and network DLP sensors provide insight into accidental data loss and simple data theft attempts. These logs are essential for investigating a reported breach and for proactively identifying an incident.
Identity and access management
Data from access and privilege management systems is necessary to identify or investigate unauthorised access attempts to critical systems.
Database Activity Monitors
Databases are often overlooked as a key data source for detection and response, yet they frequently hold the key to detecting a data breach early. Collecting database logs is a good start, but you should augment them with specialised sensors, such as database activity monitors, that provide additional points of visibility.
Analytics for Insights:
What are the right ‘operational insights’ I need in order to identify and validate a data breach? Deriving operational insights from the collected data is the key goal of security operations and often the hardest. Many organisations look for a singular platform to analyse data but the smarter approach is to deploy the right tool for the job.
These are some of the key technology building blocks and their primary role in data breach analysis.
Security information and event management (SIEM)
SIEM platforms aggregate data and provide the diagnostics necessary to rapidly investigate and validate security incidents. Security operations should look for features that simplify data breach investigations, such as pivot functions on user behaviour or those that support the Unified Compliance Framework, to ease reporting efforts.
User behaviour and entity analytics (UEBA)
UEBA platforms, on the other hand, gather data from the SIEM or from raw event sources and use advanced machine learning techniques to produce indicators of potential insider threat. Security operations should look for solutions with many different behaviour models, particularly models tuned to the insider threat kill chain.
Network Behaviour Analytics
Network behaviour analysis platforms perform a similar function to UEBA but are focused on network traffic flows. The advanced analytics should be tuned to detect data exfiltration attempts.
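To make the two preceding sections concrete, here is an added example (not code from the original post or from any product it mentions) of the kind of per-user pivot and baseline logic that a SIEM rule or a simple UEBA model performs over the three data sources recommended above: identity and access management (IAM) logins, database activity monitor (DAM) reads and DLP events. The log format, the field names, the entitlement table and the sample events are all constructed for this illustration. It shows why the sources are needed together: an entitlement check needs IAM plus DAM data, a volume baseline needs the user's own DAM history, and confirming a likely exfiltration needs a DLP event correlated to the same user inside a 24-hour window.

```python
"""Added example (not from the original post): correlate constructed IAM, DAM and
DLP log lines per user to surface candidate data-breach incidents.
The log format, field names and entitlement data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events, one per line: "<ISO timestamp> <source> k=v k=v ...".
SAMPLE_LOGS = """\
2018-05-01T09:02:11Z iam user=alice action=login result=success
2018-05-01T09:10:40Z dam user=alice db=customer_pii op=SELECT rows=900
2018-05-02T09:05:03Z dam user=alice db=customer_pii op=SELECT rows=1100
2018-05-03T09:07:19Z dam user=alice db=customer_pii op=SELECT rows=950
2018-05-04T02:41:52Z iam user=alice action=login result=success
2018-05-04T02:44:07Z dam user=alice db=customer_pii op=SELECT rows=250000
2018-05-04T03:02:30Z dlp user=alice channel=usb action=copy severity=high
2018-05-04T10:15:00Z iam user=bob action=login result=success
2018-05-04T10:16:10Z dam user=bob db=customer_pii op=SELECT rows=40
2018-05-04T11:00:00Z dam user=carol db=customer_pii op=SELECT rows=30
"""

# Assumed entitlement data exported from the identity system: who may read which database.
AUTHORISED = {"customer_pii": {"alice", "bob"}}


def parse(line):
    """Turn one log line into a dict with a parsed timestamp and source name."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text, ratio=10, window=timedelta(hours=24)):
    """Return (user, rule, timestamp) findings, in event order.

    Rule 1 (IAM + DAM): a read of a database the user is not entitled to.
    Rule 2 (DAM baseline): a read returning more than `ratio` times the median
            row count of that user's earlier reads of the same database.
    Rule 3 (correlation): rule 2 followed within `window` by a high-severity
            DLP event for the same user.
    """
    events = sorted((parse(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    history = defaultdict(list)   # (user, db) -> row counts of earlier reads
    spikes = {}                   # user -> timestamp of the baseline breach
    findings = []
    for ev in events:
        if ev["source"] == "dam":
            user, db, rows = ev["user"], ev["db"], int(ev["rows"])
            if user not in AUTHORISED.get(db, set()):
                findings.append((user, "unauthorised_db_access", ev["ts"]))
            past = history[(user, db)]
            if past and rows > ratio * median(past):
                findings.append((user, "volume_above_baseline", ev["ts"]))
                spikes[user] = ev["ts"]
            past.append(rows)
        elif ev["source"] == "dlp" and ev.get("severity") == "high":
            started = spikes.get(ev["user"])
            if started is not None and ev["ts"] - started <= window:
                findings.append((ev["user"], "possible_exfiltration", ev["ts"]))
    return findings


def timeline(log_text, user):
    """Pivot on one user: every raw event for that user, in order, for validation and reporting."""
    return [line for line in log_text.strip().splitlines()
            if f"user={user}" in line.split()]


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {user:6} {rule}")
    print("\n".join(timeline(SAMPLE_LOGS, "alice")))
```

On the constructed data this flags alice's 250,000-row read as far above her baseline of roughly a thousand rows, then promotes it to a possible exfiltration when the high-severity USB copy arrives eighteen minutes later, and flags carol's read of customer_pii as unauthorised because the entitlement data does not list her. Bob's small, entitled read raises nothing. The `timeline` function is the "pivot on user" the SIEM section asks for: it is what an analyst needs to validate the finding and to assemble the breach-notification record within the reporting window.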
These are just a few of the key steps security ops must take to improve their readiness for GDPR.
Please follow my blog on Securing Tomorrow for continuous insights on GDPR and other cyber security issues.