6 ways Data Breach Notifications will improve IT Security Operations
As the GDPR deadline looms there are still programmes and projects underway in many organisations to achieve compliance – both private and public sector. It is easy to characterise GDPR and its requirements (including for data breach notifications) as a boon for consumers and a challenge for businesses or a marketing opportunity for consultants and lawyers and a life sentence for security teams.
GDPR changes the way Security Operations work
GDPR compliance requirements and the mandatory nature of data breach notifications changes the way security operations work. These changes will have a net benefit – over and above the “achievement of compliance” (if such a thing exists) to the GDPR.
1) Manage the collection and availability of security data
“Knowledge is power. Information is liberating.” – Kofi Annan
It is not a new concept to collect log and activity data. This has traditionally been a compliance requirement under a number of standards such as ISO27001 and PCI-DSS. The obvious audit point was to show that log and activity data was being collected for the detection and diagnosis of security failures. This is partly because any such failure could occur across a number of systems but also that in the event of an attack, the compromised system could no longer be deemed a trustworthy source of information about what had taken place.
This drove the emergence of the SEM market as solutions grew up to collect logs and save them. However the value beyond the audit was limited – drawing charts of top ten users, or percentage of network traffic by protocol had use to demonstrate system performance and convince auditors but unless the data was looked at and analysed, the use was limited.
This grew into a recognition that more real-time processing and analytics of log and also system and network activity was necessary to be able to ascertain when an attack or inside-job was compromising information. It meant that the maturity of security operations grew to meet modern cyber risks and privacy expectations; wider information than just “what happened” became necessary.
We now look to be able to retrieve information from a variety of security controls and enforcement points, as well as network meta data and raw session information, the configuration or state of systems in terms of security settings, installed software versions, patch history as well as wider threat intelligence from both inside the organisation and the wider public internet.
2) Formalise service levels and timescales
“In the old world, you devoted 30% of your time to building a great service and 70% of your time to shouting about it. In the new world, that inverts.” – Jeff Bezos
When dealing with tricky, uncertain or intractable problems it is easy to work through them in either a structured or unstructured way to find the answer, reach a solution or attain the final understanding of the nature of the event or cause.
This can be a quick process, especially if the solution or root-cause becomes evident quickly or the investigator has the knowledge and experience to select a fortuitous avenue for investigation. However, more often it is a slower process, with an uncertain end result.
It can involve gathering data and performing analysis that later turns out to be unnecessary (following a blind alley or taking a wide initial view), or having to manually gather and analyse information in ways that weren’t pre-empted so requires a degree of innovation in how it is approached.
This often leads to a security investigation, alert triage or incident analysis taking as long as “a piece of string”.
Under GDPR however, and similar requirements for data breach notifications in other countries, the regulatory clock is ticking towards an enforced deadline that focuses the mind and will drive greater urgency, discipline, rigour and formality in the way these processes are undertaken. It will be necessary to balance the breadth of consideration of all possibilities just as much as it will be necessary to decide how far down a particular rabbit hole to go before deeming it incorrect.
It also means that it is not sufficient to allow people to work in such a way that the resources available start and then labour until they have finished; there will need to be an adequacy of resourcing (much easier said than done in a skill-starved cyber security market) and an investment in the right tools that both enable and optimise the delivery of correct and complete information (the necessary technology, not excel, for alerts and incidents to be analysed within).
3) Ensure processes work proactively not reactively
“Any action is a good action if it’s proactive and there is positive intent behind it.” – Michael J. Fox
“Did this event or action occur at this time?” is an easy, closed question to answer.
Even “what happened in this time period?” is a fairly constrained question to answer.
However in security there is more often a less refined question to answer like “is there anything wrong?” or “what happened?” or “what does this mean?”
It is necessary, under the privacy and security requirements of regulations like GDPR, to be on the front foot and proactively identify issues, rather than not being able to respond when they are subsequently reported.
Hence it is not enough to simply be able to extract data or evidence to prove a hypothesis or validate an event; it is necessary to form the hypothesis and identify the cases directly and in an unprompted way.
See our related post at: https://www.huntsmansecurity.com/technical-implications-gdpr-data-breach-notification/
4) Have the right tools and right people
“Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.” – Archimedes
Although this sounds obvious it is not uncommon to find that security teams, certainly in the past, had to make do with the people who were there and whatever tools they had available. Having a team that blends variable skills, aptitudes and seniorities or types of experience and a toolset that allows truly flexible and comprehensive analysis of data for diagnostic purposes is key – but often rare to find in its pure state.
In the past, a question from senior management might be OK to answer “to the best of one’s ability” or “with the tools available this is the best we can do”. However, under a more intense degree of regulatory and public scrutiny there will need to be a competent and adequately equipped team around to provide these answers, and in a conclusive way. This will mean investing in people (resources and training) and in tools (around analytics, alert management, diagnostics and forensics). It will also mean identifying the holes and gaps so that third parties and service providers can be identified and possibly contracted on a call-out or retained basis to address specific needs when those arise.
Expecting people to figure it out quickly in a time of crisis is not a sensible approach, neither is trying to panic-buy forensic services when everyone knows you have had a breach.
5) Be consumer-facing and people-centric
“Goodwill is the one and only asset that competition cannot undersell or destroy.” – Marshall Field
The goal of security teams in the past, in many respects, has been to act on the side of the organisation – safeguarding and protecting its systems and data from outsiders or the rogue elements within the business that might put that at risk.
Under the privacy and security legislation that we now operate under (GDPR is not alone in this respect) there is a subtle change of focus to one that aims to recognise that the information is owned and private to the individual and hence the security function actually works on their behalf to safeguard the information that is held by the business.
Broadly speaking, these two goals run in parallel and align, but when a breach occurs the job of identifying what happened and establishing the impact and best course of resolution for the individuals affected can diverge from that of safeguarding the organisational reputation and minimising the effects and costs of rectification.
6) Link security to business, marketing and PR strategy
“Empowered customers are shaping business strategy. Simply put, customers expect consistent and high-value in-person and digital experiences.” – Forrester
There is much talk in business about “the age of the customer” – the alignment of business strategies – for example marketing, sales, delivery and security/privacy – with the sentiment, buying habits and preferences of the customers that the business serves. See https://go.forrester.com/age-of-the-customer/.
In a security and privacy context, this has implications – we have spoken already of the need to be customer-focussed when dealing with a breach. Offering timely information, clarity, reassurance and minimising impacts on the individual is required.
This focus on both prevention AND recovery in security and data breach handling also overlaps with the approaches to marketing (buy from us because we are trustworthy), sales (you will benefit from being our customer) and delivery (we won’t let you down).
Data Breach Notifications = Better Security Operations
“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” – Sir Winston Churchill
In summary, the increased formality, rigour and higher demands of the various data breach notification requirements such as the EU GDPR and Australian mandatory data breach notification legislation has to be a good thing. Specifically, it will drive a clearer focus on:
- the process (what needs to happen, the repeatability and the timescales);
- the people (the right skills, adequate resources and a more structure); and
- the technology (tools that support the end-to-end process and deliver analytics and automation in an intelligent way).
So we should, as an industry, embrace this chance to provide a better security service to business and become more of an asset than a cost.
“Mandatory data breach notifications are a tremendous opportunity for customer-facing businesses, not a security and compliance burden.” – Huntsman Security