GDPR – Breach management planning

by Carl Roberts, Chief Information Security Officer at SMT.

So you have been taking the EU general data protection regulation (GDPR) seriously. You identified all the personal data you hold, mapped it and sorted out how to tell your customers about it and how they can assert their rights. Well done! Now, how are you going to safeguard that data? Will you be able to see an attack coming or if there has been a breach? What will be your plan in the event it happens?


Secure their data

Remember it is the customer or other individual’s data, not yours, so handle with care and secure properly.


Defense in depth and Zero trust

Outdated thinking focuses on securing the perimeter of your environment and assuming that all components inside are to be trusted.

In 1644 the Manchus broke through the Great Wall of China by bribing a general to open the gates leading to the end of the Ming dynasty.
In 1940 the Maginot line was totally bypassed by the Germans, a decoy force kept the French defenders attention while the invaders chose a different route.

What these lessons teach us, is that perimeters fail by different strategies unforeseen by those blinded by the magnificence of their design. A model whereby you expect the perimeter to fail and the invaders to be in, forces you to defend yourself with a number of different strategies. This is the basis of defense in depth and zero trust thinking.

Each of the components in your security architecture will create different issues for attackers to overcome. Hopefully slowing them down and making them leave small traces of their attempts. When these trace signals are correlated in real time, the defenders will see the attack before it is too late and can minimize the damage and maximize the possibility of recovery.

The rise of cloud services and a hybrid system of on- and off-premise IT solutions has made the typical IT landscape more complex while appearing simpler. By implementing various security solutions, the amount of trace signals increases, generating a huge volume of noise. When every car alarm is going crazy in a street all the time, when do you know something is really happening?


The solution

At SMT, we have been deploying SPLUNK to correlate all the signals being generated in your enterprise so that you can pick up the real indicators from the noise. Our use cases can link information showing an unknown IP address traversing the boundaries of our network. Or unusual activity on a normally dormant account with a connection attempt to another server to show a potential reconnaissance mission by an attacker. Such correlation activities can help you see the attack before it hits.

Gathering these insights and dealing with them can still be a time consuming activity which is why SMT also works with mnemonic to offer a managed detection and response service (MDR).

Early detection means lower damage, also you can identify the damage and fulfill obligations under GDPR to inform the regulatory body within 72 hours about what has occurred and what has been compromised.

This also means you can demonstrate to your customers that you did everything possible – before, during and after – that could be done. You were open and transparent and are able to minimize the damage to them and their rights. Delays in reporting will not just incur fines or censure from the regulators but will destroy the most important currencies of the new economy, trust and the use of data.


Breach management planning

Therefore beyond the ways to secure the data, an organization must have a plan to deal with the breach when it happens. This plan describes who will they contact, what data will they present and how. This all requires forethought, don’t wait till the house is burning to figure out how to get out and whom to call.


April 2018