By the time you finish reading this sentence, the average organization with 1000 employees will have generated more than 65,500 log events from all of the devices connected to their network.* This might be 65,500 login attempts, files deleted, or files that contain personally identifiable information (PII) copied to a USB device by an employee working without VPN on the road. With the EU general data protection regulation (GDPR) going into full effect this week, understanding the difference and interpreting the implications of each scenario quickly and efficiently is necessary in order to be compliant with Article 33.
Article 33* of the GDPR states “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Big ask of any organization
The window of time allotted for the security team to perform the required steps to acknowledge an alert, investigate and confirm the breach, gather evidence, and notify the appropriate channels is very small.
Furthermore, it’s no secret that well-seasoned security specialists are hard to find. The cognitive expertise needed to properly interpret the logs behind an alert is just shy of that of a full-on programmer, and even the best-trained eyes can miss crucial events due to alert fatigue.
The amount of processing power needed to analyze logs and alerts hundreds or even thousands of times per day has paved the way for products that are built to differentiate a lower-severity alert from a higher one. This gives security professionals the opportunity to focus on their primary responsibilities: keeping the security posture of the organization upright and forward-thinking, rather than chasing alerts.
On top of this, modern-day organizations have been forced to adapt to remain competitive, with the influx of all-things-connected, telecommuting, bring your own device (BYOD), and so on. At the same time, organizations have opened themselves up to new vulnerabilities, which means new ways of solving problems are in order.
How does an already strained security department cope?
Machine learning, automation, and simplifying the alerting and investigation process so that time to detection for a breach goes from an average of 200+ days to hours or minutes. Only software can ease this process, and Jazz Networks has taken the hard road to assist in this way.
Keeping your data and employees safe with Jazz Networks
Mark, an employee of XYZ company, was in the midst of travelling on business and assisting in rolling out a new HR portal for employees to access their payroll and benefits information. He had authorized access to the database containing this sensitive data, and due to a recently discovered bug in the code, decided to make a quick backup before authorizing a patch. He inserted a USB key and downloaded 65,500 database documents in a matter of minutes, for safekeeping, of course. Mark wasn’t signed into the VPN at the time; even so, a notification appeared on his screen, advising him that copying information to a USB key is against company policy. Shortly thereafter, Mark’s mobile rang with a number similar to his office number, but as he was late to his next meeting, he didn’t take the call. Upon opening his laptop while walking into said meeting, he was met with a new notification: “Your computer has been locked until you contact the security team”. Mark called the security team at the number provided and explained the circumstances. After agreeing to fully format the USB key (effectively destroying the sensitive data on it), Mark’s computer was unlocked. However, because he had violated strict policy and the organization was subject to GDPR, he was informed that this incident had to be reported up the chain.
In this particular scenario, a fully-vetted employee, who had authorized access to sensitive data for everyone in the company, inadvertently violated GDPR, and an incident had to be reported to the regulatory body. At the same time, public embarrassment and fines were avoided for the organization because XYZ company invested in the proper products to monitor and respond—not only within 72 hours, but as the incident was taking place, even outside of their network perimeter.
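The detection and escalation ladder in the scenario above (policy warning, call, host lock, and the Article 33 clock starting at the moment of awareness) can be expressed as a small rule over endpoint telemetry. The following is an added example, not Jazz Networks code; the event format, the bulk-copy threshold of 1,000 files, and the severity-to-action mapping are assumptions for illustration.

```python
from datetime import datetime, timedelta

ARTICLE_33_WINDOW = timedelta(hours=72)  # GDPR Article 33 notification window
BULK_THRESHOLD = 1000  # assumed policy threshold for a "bulk" copy; not from the article

# Constructed endpoint telemetry modelled on Mark's scenario; not output of any real product.
EVENTS = [
    {"ts": "2018-05-25T09:00:00", "host": "lt-mark", "user": "mark", "type": "vpn", "state": "down"},
    {"ts": "2018-05-25T09:01:10", "host": "lt-mark", "user": "mark", "type": "usb_insert", "device": "usb-key-01"},
    {"ts": "2018-05-25T09:04:00", "host": "lt-mark", "user": "mark", "type": "file_copy",
     "dest_device": "usb-key-01", "files": 65500, "pii": True},
    {"ts": "2018-05-25T09:05:00", "host": "lt-jane", "user": "jane", "type": "file_copy",
     "dest_device": "usb-key-02", "files": 3, "pii": False},  # no usb_insert seen: not removable
]

SEVERITY = {1: "low", 2: "medium", 3: "high", 4: "critical"}


def evaluate(events, bulk_threshold=BULK_THRESHOLD):
    """Replay events in time order, track per-host VPN and removable-media state,
    and emit one finding per copy to an attached removable device."""
    vpn_up = {}      # host -> bool
    removable = {}   # host -> set of attached device ids
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "vpn":
            vpn_up[host] = ev["state"] == "up"
        elif ev["type"] == "usb_insert":
            removable.setdefault(host, set()).add(ev["device"])
        elif ev["type"] == "usb_remove":
            removable.get(host, set()).discard(ev["device"])
        elif ev["type"] == "file_copy" and ev.get("dest_device") in removable.get(host, set()):
            score = 1                                   # any copy to removable media breaks policy
            score += 1 if ev.get("pii") else 0          # personal data is in scope for Article 33
            score += 1 if ev["files"] >= bulk_threshold else 0
            score += 0 if vpn_up.get(host, False) else 1  # off-VPN: no perimeter controls apply
            actions = ["notify_user"]
            if score >= 3:                              # escalate exactly as in the scenario
                actions += ["call_user", "lock_host"]
            aware_at = datetime.fromisoformat(ev["ts"])
            findings.append({
                "user": ev["user"], "host": host, "severity": SEVERITY[score],
                "actions": actions, "aware_at": aware_at,
                # the 72-hour clock only matters when personal data is involved
                "article33_deadline": aware_at + ARTICLE_33_WINDOW if ev.get("pii") else None,
            })
    return findings
```

Only the host that reported a `usb_insert` is treated as having removable media attached, so Jane's copy produces no finding; Mark's off-VPN bulk PII copy scores "critical" and gets the lock action plus a deadline 72 hours after the copy was observed.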
This is what the security industry refers to as the “insider threat”. It’s not always malicious intent. Contact Jazz Networks to see how we can help detect and respond to the above scenario, and many more like it.
- EU general data protection regulation, “Notification of a personal data breach to the supervisory authority”, Article 33
- SolarWinds, “Estimating Log Generation for Security Information Event and Log Management”, Whitepaper, January 22, 2013