Preparing for GDPR in 2017, Part 4: Your SOC

This is the fourth in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 1, 2, 3)

One of the key requirements under the new General Data Protection Regulation is breach reporting. Of course, to report a breach implies you have the capability to detect a data breach – and that’s not always easy.

McAfee Labs research discovered that over 53 per cent of all incidents are detected externally. Additionally, a SANS Incident Response survey from 2016 found that only about 16 per cent of security operations centres (SOCs) were considered in a mature state.

From my own experience, many security operations are mostly focused on malware threat hunting with very few use cases for insider threat or data exfiltration. That leads to one more alarming statistic. A 2016 Ponemon report found that only 24 per cent of businesses can identify unauthorised access to critical systems in less than 24 hours.

All of this leads me to believe that most security operations are not ready for GDPR.

In this post, I have outlined a few key steps security operations can take to improve readiness for GDPR.

Understand the Journey:

The first step to improvement is understanding your current state and designing a plan to move forward. I put together this simple three-step model to help organisations assess their current security operations capability as it relates specifically to data breach detection and response.

In my experience, most customers are somewhere between level one and two but an increasing number are exploring adoption of advanced technologies, like user behaviour analytics, to help detect advanced attacks whether from the inside or outside. More on analytics later.

Getting the Right Data for the Job:

Without the right visibility into user and data activity, detecting data breaches, or even investigating suspicious activity, becomes nearly impossible. Most security operations teams are familiar with the data sources used to hunt malware incidents: malware indicators of compromise, firewall traffic logs and endpoint AV logs are commonly collected to help detect or investigate compromised machines.

However, identifying unauthorised user behaviour or detecting data exfiltration requires a different level of visibility. Consider adding the following data sources to your SIEM and other data aggregation platforms:

Data loss prevention (DLP)

Endpoint and network DLP sensors provide insight into accidental data loss and simple data theft attempts, such as copies of sensitive files to removable media or uploads to personal cloud storage. Their logs are essential both for investigating a reported breach and for proactively identifying an incident before it is reported from outside.

Identity and access management

Data from access and privilege management systems is necessary to identify or investigate unauthorised access attempts to critical systems. Without it, a SOC cannot tell whether an account that touched a critical system was entitled to do so.

Database activity monitoring

Databases are often overlooked as a key data source for detection and response, yet they hold much of the regulated personal data and therefore often hold the key to detecting a data breach early. Collecting native database audit logs is a good start, but you should augment them with specialised database activity monitoring sensors, which record which account ran which queries against which tables and how much data came back.
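To show why these three sources belong together in the SIEM, the following added example (not code from the original post or from McAfee) correlates constructed IAM entitlement, database activity monitoring and DLP events on user and time. It raises one alert when an account that IAM does not entitle reads a critical system, and a second when a bulk read from that system is followed within an hour by DLP-detected egress from the same user. The event schemas, the system name `crm-db`, the user names and the thresholds `BULK_ROWS` and `EXFIL_WINDOW` are all assumptions made for the example.

```python
"""Cross-source correlation for breach detection: IAM entitlements,
database activity monitoring (DAM) and DLP events joined on user and
time.  Every record below is constructed sample data, not real logs."""
from datetime import datetime, timedelta

# Constructed IAM entitlement export: which accounts may access which
# critical systems.  The schema is assumed, not any product's format.
IAM_ENTITLEMENTS = {
    "crm-db": {"svc_crm", "dba_jones"},
}

# Constructed DAM events: one row per captured query against crm-db.
DAM_EVENTS = [
    {"ts": "2017-03-01T09:02:10", "user": "dba_jones", "system": "crm-db",
     "table": "customers", "rows": 12},
    {"ts": "2017-03-01T22:41:05", "user": "mwilson", "system": "crm-db",
     "table": "customers", "rows": 480_000},
]

# Constructed DLP events: egress detected by endpoint or network sensors.
DLP_EVENTS = [
    {"ts": "2017-03-01T22:53:30", "user": "mwilson", "action": "upload",
     "destination": "personal-cloud.example", "bytes": 91_000_000},
    {"ts": "2017-03-01T10:15:00", "user": "dba_jones", "action": "usb_copy",
     "destination": "removable", "bytes": 4_000},
]

BULK_ROWS = 10_000                 # assumed tuning threshold for a bulk read
EXFIL_WINDOW = timedelta(hours=1)  # assumed read-to-egress correlation window


def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def unauthorized_access(dam_events, entitlements):
    """DAM access to a critical system by an account IAM does not entitle."""
    alerts = []
    for ev in dam_events:
        allowed = entitlements.get(ev["system"], set())
        if ev["user"] not in allowed:
            alerts.append({"type": "unauthorized_access", "user": ev["user"],
                           "system": ev["system"], "ts": ev["ts"]})
    return alerts


def exfiltration_chain(dam_events, dlp_events, window=EXFIL_WINDOW):
    """Bulk read from a critical system followed, within `window`, by DLP
    egress from the same user.  Either event alone is easy to dismiss;
    the sequence is what a breach looks like."""
    alerts = []
    for dam in dam_events:
        if dam["rows"] < BULK_ROWS:
            continue
        t_read = parse_ts(dam["ts"])
        for dlp in dlp_events:
            t_egress = parse_ts(dlp["ts"])
            if dlp["user"] == dam["user"] and t_read <= t_egress <= t_read + window:
                alerts.append({
                    "type": "exfiltration_chain", "user": dam["user"],
                    "system": dam["system"], "rows": dam["rows"],
                    "destination": dlp["destination"],
                    "seconds_after": int((t_egress - t_read).total_seconds()),
                })
    return alerts


def run_detections():
    """Run both correlations over the constructed events."""
    return (unauthorized_access(DAM_EVENTS, IAM_ENTITLEMENTS)
            + exfiltration_chain(DAM_EVENTS, DLP_EVENTS))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The entitled DBA's small query and USB copy generate nothing; the unentitled account's 480,000-row read followed twelve minutes later by a 91 MB upload generates both alerts. Neither detection is possible if only one of the three sources is in the SIEM, which is the point of the list above.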

Analytics for Insights:

What are the right ‘operational insights’ I need in order to identify and validate a data breach? Deriving operational insights from the collected data is the key goal of security operations and often the hardest part. Many organisations look for a single platform to analyse all of their data, but the smarter approach is to deploy the right tool for each job.

These are some of the key technology building blocks and their primary role in data breach analysis.

Security information and event management (SIEM)

SIEM platforms aggregate data and provide the diagnostics necessary to rapidly investigate and validate security incidents. Security operations should look for features that simplify data breach investigations, such as pivot functions on user behaviour or those that support the Unified Compliance Framework, to ease reporting efforts.

User and entity behaviour analytics (UEBA)

UEBA platforms, on the other hand, gather data from the SIEM or from raw event sources and use machine learning techniques to baseline normal behaviour for each user and entity, then surface deviations as indicators of potential insider threat. Security operations should look for solutions with many different behaviour models, particularly models tuned to the insider-threat kill chain.

Network behaviour analytics

Network behaviour analysis platforms perform a similar function to UEBA but are focused on network traffic flows. The analytics should be tuned to detect data exfiltration attempts, for example an internal host sending far more data outbound than its own history predicts, or sending it to a destination it has never contacted before.
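As an added example of the kind of network behaviour analytics described above (this is illustrative code, not a McAfee product or anything from the original post), the script below baselines each internal host's daily outbound volume from seven days of constructed NetFlow-style records, then scores the eighth day with a robust z-score (median and median absolute deviation, which a single outlier cannot skew) and checks for destinations absent from the baseline. The record layout, host names, the destination `203.0.113.45` and the thresholds `Z_THRESHOLD` and `NEW_DEST_MIN_BYTES` are assumptions made for the example.

```python
"""Network behaviour analytics for exfiltration: per-host outbound
baseline, robust z-score on the day under evaluation, and detection of
large transfers to never-before-seen destinations.  Flow records are
constructed sample data, not captured traffic."""
from collections import defaultdict
from statistics import median

BASELINE_DAYS = range(1, 8)     # seven days of history
EVAL_DAY = 8                    # the day being scored
Z_THRESHOLD = 5.0               # assumed: robust z above this is anomalous
NEW_DEST_MIN_BYTES = 100_000_000  # assumed: ignore small first contacts


def constructed_flows():
    """(src_host, dst, day, bytes_out) records.  Two workstations with
    steady, slightly jittered traffic; on day 8 one of them pushes
    2.1 GB to an external address it has never contacted."""
    flows = []
    for day in range(1, 9):
        flows.append(("workstation-17", "saas.example", day,
                      48_000_000 + 900_000 * (day % 3)))
        flows.append(("workstation-22", "mail.example", day,
                      20_000_000 + 500_000 * (day % 4)))
    flows.append(("workstation-17", "203.0.113.45", EVAL_DAY, 2_100_000_000))
    return flows


def summarize(flows):
    """Per host: total bytes per day, and total bytes per destination."""
    per_day = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, day, nbytes in flows:
        per_day[src][day] += nbytes
        per_dst[src][dst] += nbytes
    return per_day, per_dst


def robust_z(value, history):
    """Median/MAD z-score; 1.4826 rescales MAD to a standard deviation
    for normal data.  A flat history (MAD == 0) falls back to 10% of the
    median so a host that never varies still gets a finite score."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else max(med * 0.1, 1.0)
    return (value - med) / scale


def detect_exfiltration(flows, baseline_days=BASELINE_DAYS, eval_day=EVAL_DAY,
                        z_threshold=Z_THRESHOLD):
    base_day, base_dst = summarize([f for f in flows if f[2] in baseline_days])
    eval_day_totals, eval_dst = summarize([f for f in flows if f[2] == eval_day])
    alerts = []
    for host, days in eval_day_totals.items():
        history = [base_day[host][d] for d in baseline_days if d in base_day[host]]
        if len(history) < 3:
            continue  # too little history to baseline; do not guess
        volume = days[eval_day]
        z = robust_z(volume, history)
        # destinations this host never contacted during the baseline
        new_dst = {d: b for d, b in eval_dst[host].items()
                   if d not in base_dst[host] and b >= NEW_DEST_MIN_BYTES}
        if z > z_threshold or new_dst:
            alerts.append({"host": host, "bytes_out": volume,
                           "robust_z": round(z, 1),
                           "new_destinations": sorted(new_dst)})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(constructed_flows()):
        print(alert)
```

Only workstation-17 is flagged: its day-8 volume is roughly 2.15 GB against a 49 MB median, and the entire excess went to a destination with no history. workstation-22's day-8 volume sits inside its own jitter and is ignored. In production the same logic runs per hour rather than per day, and the baseline should exclude days already known to be incidents.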

These are just a few of the key steps security operations must take to improve their readiness for GDPR.

Please follow my blog on Securing Tomorrow for continuous insights on GDPR and other cyber security issues.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only; it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit, promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.
