As the GDPR deadline looms, there are still programmes and projects underway in many organisations, both private and public sector, to achieve compliance. It is easy to characterise GDPR and its requirements (including those for data breach notifications) as a boon for consumers, a challenge for businesses, a marketing opportunity for consultants and lawyers, and a life sentence for security teams.
GDPR compliance requirements and the mandatory nature of data breach notifications change the way security operations work. These changes will have a net benefit, over and above the “achievement of compliance” (if such a thing exists) with the GDPR.
“Knowledge is power. Information is liberating.” – Kofi Annan
It is not a new concept to collect log and activity data. This has traditionally been a compliance requirement under a number of standards such as ISO27001 and PCI-DSS. The obvious audit point was to show that log and activity data was being collected for the detection and diagnosis of security failures. This is partly because any such failure could occur across a number of systems, but also because, in the event of an attack, the compromised system could no longer be deemed a trustworthy source of information about what had taken place.
This drove the emergence of the SEM market, as solutions grew up to collect logs and save them. However, the value beyond the audit was limited: drawing charts of top ten users, or percentage of network traffic by protocol, was useful for demonstrating system performance and convincing auditors, but unless the data was actually looked at and analysed, its use was limited.
This grew into a recognition that more real-time processing and analytics of log and also system and network activity was necessary to be able to ascertain when an attack or inside-job was compromising information. It meant that the maturity of security operations grew to meet modern cyber risks and privacy expectations; wider information than just “what happened” became necessary.
We now look to be able to retrieve information from a variety of security controls and enforcement points, as well as network metadata and raw session information, the configuration or state of systems in terms of security settings, installed software versions and patch history, and wider threat intelligence from both inside the organisation and the wider public internet.
“In the old world, you devoted 30% of your time to building a great service and 70% of your time to shouting about it. In the new world, that inverts.” – Jeff Bezos
When dealing with tricky, uncertain or intractable problems it is easy to work through them in either a structured or unstructured way to find the answer, reach a solution or attain the final understanding of the nature of the event or cause.
This can be a quick process, especially if the solution or root-cause becomes evident quickly or the investigator has the knowledge and experience to select a fortuitous avenue for investigation. However, more often it is a slower process, with an uncertain end result.
It can involve gathering data and performing analysis that later turns out to be unnecessary (following a blind alley or taking a wide initial view), or having to manually gather and analyse information in ways that weren’t anticipated and so require a degree of innovation in how they are approached.
This often leads to a security investigation, alert triage or incident analysis taking as long as “a piece of string”.
Under GDPR however, and similar requirements for data breach notifications in other countries, the regulatory clock is ticking towards an enforced deadline that focuses the mind and will drive greater urgency, discipline, rigour and formality in the way these processes are undertaken. It will be necessary to balance the breadth of consideration of all possibilities just as much as it will be necessary to decide how far down a particular rabbit hole to go before deeming it incorrect.
It also means that it is not sufficient to allow people to work in such a way that the available resources simply start and then labour until they have finished; there will need to be adequate resourcing (much easier said than done in a skill-starved cyber security market) and an investment in the right tools that both enable and optimise the delivery of correct and complete information (the necessary technology, not Excel, within which alerts and incidents can be analysed).
“Any action is a good action if it’s proactive and there is positive intent behind it.” – Michael J. Fox
“Did this event or action occur at this time?” is an easy, closed question to answer.
Even “what happened in this time period?” is a fairly constrained question to answer.
However, in security there is more often a less refined question to answer, like “is there anything wrong?” or “what happened?” or “what does this mean?”
It is necessary, under the privacy and security requirements of regulations like GDPR, to be on the front foot and proactively identify issues, rather than not being able to respond when they are subsequently reported.
Hence it is not enough to simply be able to extract data or evidence to prove a hypothesis or validate an event; it is necessary to form the hypothesis and identify the cases directly and in an unprompted way.
See our related post at: https://www.huntsmansecurity.com/technical-implications-gdpr-data-breach-notification/
“Give me a lever long enough and a fulcrum on which to place it, and I shall move the world.” – Archimedes
Although this sounds obvious, it is not uncommon to find that security teams, certainly in the past, had to make do with the people who were there and whatever tools they had available. Having a team that blends varied skills, aptitudes, seniorities and types of experience, together with a toolset that allows truly flexible and comprehensive analysis of data for diagnostic purposes, is key, but often rare to find in its pure state.
In the past, a question from senior management might be OK to answer “to the best of one’s ability” or “with the tools available this is the best we can do”. However, under a more intense degree of regulatory and public scrutiny there will need to be a competent and adequately equipped team around to provide these answers, and in a conclusive way. This will mean investing in people (resources and training) and in tools (around analytics, alert management, diagnostics and forensics). It will also mean identifying the holes and gaps so that third parties and service providers can be identified and possibly contracted on a call-out or retained basis to address specific needs when those arise.
Expecting people to figure it out quickly in a time of crisis is not a sensible approach, neither is trying to panic-buy forensic services when everyone knows you have had a breach.
“Goodwill is the one and only asset that competition cannot undersell or destroy.” – Marshall Field
The goal of security teams in the past, in many respects, has been to act on the side of the organisation – safeguarding and protecting its systems and data from outsiders or the rogue elements within the business that might put that at risk.
Under the privacy and security legislation that we now operate under (GDPR is not alone in this respect), there is a subtle change of focus to one that recognises that the information is owned by and private to the individual, and hence that the security function actually works on their behalf to safeguard the information that is held by the business.
Broadly speaking, these two goals run in parallel and align, but when a breach occurs the job of identifying what happened and establishing the impact and best course of resolution for the individuals affected can diverge from that of safeguarding the organisational reputation and minimising the effects and costs of rectification.
“Empowered customers are shaping business strategy. Simply put, customers expect consistent and high-value in-person and digital experiences.” – Forrester
There is much talk in business about “the age of the customer” – the alignment of business strategies – for example marketing, sales, delivery and security/privacy – with the sentiment, buying habits and preferences of the customers that the business serves. See https://go.forrester.com/age-of-the-customer/.
In a security and privacy context, this has implications – we have spoken already of the need to be customer-focussed when dealing with a breach. Offering timely information, clarity, reassurance and minimising impacts on the individual is required.
This focus on both prevention AND recovery in security and data breach handling also overlaps with the approaches to marketing (buy from us because we are trustworthy), sales (you will benefit from being our customer) and delivery (we won’t let you down).
“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” – Sir Winston Churchill
In summary, the increased formality, rigour and higher demands of the various data breach notification requirements, such as the EU GDPR and Australian mandatory data breach notification legislation, have to be a good thing. Specifically, they will drive a clearer focus on:
So we should, as an industry, embrace this chance to provide a better security service to business and become more of an asset than a cost.
“Mandatory data breach notifications are a tremendous opportunity for customer-facing businesses, not a security and compliance burden.” – Huntsman Security