The EU General Data Protection Regulation (known as “GDPR”), which will take effect on May 25, 2018, will have major effects on maintaining the confidentiality of personal data. While the GDPR is typically associated with data protection, it also provides strict requirements about notifying both authorities and customers about breaches that put personal consumer data at risk. Failing to meet these notification requirements can result in a significant fine that can reach 20,000,000 EUR or up to 4% of the company’s annual revenues.
This post will highlight the GDPR notification requirements and how the Cyberbit SOC 3D automation and orchestration platform and Cyberbit EDR streamline compliance with those requirements, in addition to delivering overall SOC efficiency gains. This post is not intended as legal advice; rather, it focuses on the technological capabilities implied by the legislation.
The primary objectives of the GDPR are to update the previous EU data protection laws including the Data Protection Directive (known as “DPD”) to give its citizens back control of their personal data and simplify the regulatory environment for international businesses by unifying the regulation across the EU. This means any business that collects customer information from EU citizens, no matter where in the world they are domiciled, must fully comply by May 2018 or face the consequences. The implications of non-compliance with the GDPR are potentially severe. In addition to extremely high fines, non-compliance can cause damage to an organization’s reputation which may deter customers. Therefore, the organization’s activities should be carefully analyzed under the GDPR in a conservative way, to ensure compliance.
Personal data – any information “relating to data subject”. A data subject is “an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used” by someone, through identifiers such as phone numbers, addresses, account numbers, email addresses or biometric data, or anything else that relates to the person. The personal data is what needs to be protected.
Data collector (the GDPR’s “controller”) – any entity that determines the “purposes and means of processing of the personal data.” It’s another way of saying the controller is the company or organization that makes all the decisions about initially collecting data from the data subject.
Data processor – any entity that processes data for the controller. The GDPR specifically includes storage as a processing function, so this includes, for example, cloud-based virtual storage.
The GDPR places rules on protecting personal data as it is collected by data controllers and passed to data processors.
Consumer data collection is an unavoidable need for every modern, competitive business. Achieving compliance with GDPR and several additional regulatory frameworks such as SOX, tax authority requirements and others poses a serious operational challenge to the enterprise.
GDPR mandates data security standards for data collectors and data processors, but even once you have implemented the data security standards, the fact remains that your network will eventually be breached. There is no such thing as ‘perfect data security’. If your organization collects and stores information that criminal hackers want, they will eventually find a way to get it. Therefore, you must also make sure you are able to meet the GDPR breach notification requirements, or risk facing heavy fines.
Once a breach is identified it is mandatory to notify the EU authorities of the breach in less than 72 hours. This applies to any organization that collects personal data from EU consumers, whether or not the organization is based in the EU. The organization is also obliged to notify those whose data is impacted (customers, suppliers, etc.) “without undue delay” after becoming aware of the breach. Failure to meet the breach notification requirements can result in the aforementioned fine of up to 20,000,000 EUR.
Now is the time to audit your existing technology and identify any gaps that would make it difficult to implement the GDPR breach notification requirements. This includes strict requirements for incident response procedures and the ability to oversee their implementation.
Breach verification – No organization wants to notify authorities and customers of a breach and then discover that it was a false positive. Therefore, you must have powerful alert investigation tools that will enable the security operations team to quickly and confidently differentiate between false positives and real breaches.
Breach scope – Once a breach has been verified, the next critical step is determining the exact scope of assets and customers affected. Again, this requires tools that can quickly and accurately determine every network asset affected. Mistakes in assessing the scope of a breach also cause considerable damage to company reputation, as it makes the company appear incompetent and untrustworthy.
Incident response management – CISOs and SOC managers are responsible for every step of breach detection, investigation, and notification. This requires a simple, consolidated view of the entire incident response process to ensure that the breach has indeed been verified, the scope accurately determined and all notification requirements met as required by GDPR.
GDPR requires data collectors and data processors to adopt set incident handling processes and tools that will provide the following functions:
Data collection from all alert sources to ensure every alert will be handled
Prioritization and enrichment system to support the process of verifying the breach and prioritizing the breach based on the potential data exposure
Advanced centralized forensics capabilities to verify breaches, clear false positives, and determine the scope of a breach and affected data in a highly accurate and timely manner.
Process management system that manages the entire incident response process from alert, through the breach verification and analysis, and breach notification. The system must enable CISOs and SOC managers to enforce the required GDPR timetable and avoid fines.
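As an added example (not Cyberbit code and not part of the original post), the following Python sketch shows what the “process management system” in the last item looks like in its simplest form: an incident record that only accepts workflow transitions in order (alert, verification, scoping, authority notification, subject notification), computes the notification deadline from the moment of awareness, and reports which incidents are on track, need escalation, or are already overdue. The 72-hour window is the figure stated in this post; the 24-hour escalation margin, the stage names, and the sample incident queue are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

AUTHORITY_WINDOW = timedelta(hours=72)   # the 72-hour authority deadline stated in the post
ESCALATION_MARGIN = timedelta(hours=24)  # assumed internal warning threshold; not a GDPR figure


class Stage(Enum):
    ALERT = "alert"                        # collected from an alert source, not yet investigated
    FALSE_POSITIVE = "false_positive"      # cleared by investigation; no notification owed
    VERIFIED = "verified"                  # confirmed as a real breach
    SCOPED = "scoped"                      # affected assets and data subjects determined
    AUTHORITY_NOTIFIED = "authority_notified"
    SUBJECTS_NOTIFIED = "subjects_notified"


# Permitted workflow transitions. Anything else is rejected, so an incident
# cannot be marked as notified before it has been verified and scoped.
TRANSITIONS = {
    Stage.ALERT: {Stage.FALSE_POSITIVE, Stage.VERIFIED},
    Stage.VERIFIED: {Stage.SCOPED},
    Stage.SCOPED: {Stage.AUTHORITY_NOTIFIED},
    Stage.AUTHORITY_NOTIFIED: {Stage.SUBJECTS_NOTIFIED},
    Stage.FALSE_POSITIVE: set(),
    Stage.SUBJECTS_NOTIFIED: set(),
}

CLOSED = {Stage.FALSE_POSITIVE, Stage.SUBJECTS_NOTIFIED}


def utc(*args) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the constructed samples)."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                     # when the organization became aware; starts the 72h clock
    stage: Stage = Stage.ALERT
    affected_assets: set = field(default_factory=set)
    affected_subjects: int = 0
    history: list = field(default_factory=list)  # (timestamp, stage) audit trail for oversight

    def advance(self, new_stage: Stage, at: datetime, assets=(), subjects=0) -> None:
        """Move the incident to the next stage, refusing out-of-order transitions."""
        if new_stage not in TRANSITIONS[self.stage]:
            raise ValueError(
                f"{self.incident_id}: cannot move from {self.stage.value} to {new_stage.value}")
        if new_stage is Stage.SCOPED:
            self.affected_assets = set(assets)
            self.affected_subjects = int(subjects)
        self.stage = new_stage
        self.history.append((at, new_stage))

    def authority_deadline(self) -> datetime:
        return self.aware_at + AUTHORITY_WINDOW

    def time_remaining(self, now: datetime) -> timedelta:
        """Time left to notify the authority; negative once the window has passed."""
        return self.authority_deadline() - now

    def status(self, now: datetime) -> str:
        """Compliance status as a SOC manager would want it on a dashboard."""
        if self.stage in CLOSED:
            return "closed"
        if self.stage is Stage.AUTHORITY_NOTIFIED:
            return "subjects_pending"      # authority told; data subjects still owed notice
        remaining = self.time_remaining(now)
        if remaining <= timedelta(0):
            return "overdue"
        if remaining <= ESCALATION_MARGIN:
            return "escalate"
        return "on_track"


def sla_report(incidents, now: datetime) -> dict:
    """Map incident id to status, ordered so overdue work surfaces first."""
    order = {"overdue": 0, "escalate": 1, "on_track": 2, "subjects_pending": 3, "closed": 4}
    ranked = sorted(incidents, key=lambda i: order[i.status(now)])
    return {i.incident_id: i.status(now) for i in ranked}


def build_sample_queue() -> list:
    """Constructed sample incidents (not real data) to exercise the tracker."""
    fresh = Incident("INC-001", aware_at=utc(2018, 6, 1, 0, 0))
    fresh.advance(Stage.VERIFIED, at=utc(2018, 6, 1, 3, 0))
    fresh.advance(Stage.SCOPED, at=utc(2018, 6, 1, 9, 0),
                  assets={"db-01", "web-03"}, subjects=1200)
    tight = Incident("INC-002", aware_at=utc(2018, 5, 31, 12, 0))
    tight.advance(Stage.VERIFIED, at=utc(2018, 6, 1, 6, 0))
    late = Incident("INC-003", aware_at=utc(2018, 5, 30, 0, 0))   # never progressed past alert
    noise = Incident("INC-004", aware_at=utc(2018, 6, 2, 0, 0))
    noise.advance(Stage.FALSE_POSITIVE, at=utc(2018, 6, 2, 1, 0))
    return [fresh, tight, late, noise]


if __name__ == "__main__":
    for incident_id, state in sla_report(build_sample_queue(), utc(2018, 6, 2, 12, 0)).items():
        print(incident_id, state)
```

The clock here starts at the alert timestamp, which is the conservative reading of “becoming aware”; a real platform would also record who approved each transition and attach the enrichment data used to decide that personal data was exposed, since that is what an auditor will ask for when the notification is questioned.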
Cyberbit provides several solutions that help organizations comply with these GDPR requirements:
Cyberbit SOC 3D
SOC 3D automates and orchestrates the entire incident response process, coupled with big-data powered investigation. As a result, it significantly accelerates incident response, boosts SOC efficiency and reduces escalations to tier-2 analysts.
SOC 3D helps organizations comply with GDPR requirements by enforcing the workflows and alerting needed to satisfy the notification regulations.

SOC-3D Dashboard
Cyberbit EDR
Cyberbit EDR is an AI-based endpoint detection, forensics, threat hunting, and response platform. Cyberbit EDR detects, in real-time, endpoint threats that evade conventional security platforms, including file-less attacks, signature-less attacks, and ransomware. The solution is powered by behavioural analysis and machine learning algorithms that use statistical modeling and therefore are highly effective in identifying unknown threats with minimal false positives. Its capabilities include:
Real-Time Forensics – By using a big-data based platform, Cyberbit EDR provides real-time forensics and access to all data within seconds. With all data at their fingertips, analysts can perform investigations and identify the scope of a breach by analyzing the root cause of the breach and its affected data.
Full Visibility – A central big-data repository stores all endpoint data. This provides unmatched visibility of all endpoints and servers and allows the analysts to keep on top of their network operations and the organizational data.
Insightful Visualization – Cyberbit’s advanced graph-based malware analysis uniquely draws the full attack trace, including all related entities and events, alongside significant insights provided automatically by the system, allowing analysts to quickly identify and understand the level of exposure and its implications.

Cyberbit EDR Real-Time Analysis

Cyberbit EDR Threat Hunting
GDPR is as much about breach notification as it is about data security. All organizations should start now to determine which process and tool gaps exist and remedy them to meet the breach notification requirements. Many traditional SOC technologies and processes will not provide the needed solution, and therefore new tools that support identifying the breach and its scope are mandatory. Cyberbit SOC 3D and EDR automation and orchestration tools provide best-of-breed support for the breach notification requirements and dramatically improve overall SOC efficiency.
Ami Braun is VP Business Development at Cyberbit.