John is a disgruntled employee. His boss has just informed him that the latest cuts to public sector budgets have forced the organisation to re-evaluate its finances. Redundancies are expected and John's department has been put on consultation.
Frustrated at the way his organisation has handled his imminent departure, John decides to retaliate. He starts transferring abnormally high amounts of sensitive data from an endpoint to a USB drive. Other files and records are downloaded from the internal file store, containing data about individuals' healthcare insurance claims, including sensitive details about the treatments they received.
The following day, John is summoned to his boss's office and greeted by the company's legal and compliance officers and the company's data protection officer. He learns that the company's security information and event management (SIEM) system alerted the IT team to abnormal user activity linked to his company credentials. He is shown the log files which ominously point towards unauthorised extraction of sensitive data via the endpoint and the network.
What John didn't know was that the activity and behaviour of corporate user accounts, applications, servers, sensors, networks and mobile devices are instantly recorded. His organisation has a legal obligation to monitor/collect this data for security and compliance purposes and this was highlighted to John in the employment contract he signed.
We call this machine data. It's the digital fingerprints generated by activity on networked devices, embedded systems and computers. It provides security teams with the highest levels of visibility across their entire IT environment, enabling them to adapt and respond to prevent real-life threats and create a secure, documented and accountable environment for processing personal information.
GDPR casts patchwork data protection aside
By May next year, every organisation that holds personally identifiable information (PII) on EU citizens will need a system like the one John's former employer had. Documenting all components involved in the processing, protection, storage and analysis of PII is one of the General Data Protection Regulation's (GDPR) core provisions. Otherwise any company that is victim to a breach, and isn't able to provide a supervisory authority with 360-degree visibility to prove security controls were put in place to avoid attacks, will be slapped with a fine, risking both the reputation and ongoing operation of the brand.
As it stands today, few organisations are ready for data protection reform. Some think that GDPR doesn't apply to them. Others lack the skills and resources to work towards compliance. And there are those that believe they are compliant but have underestimated the complexity of the regulation. Couple these stumbling blocks with increasingly distributed IT infrastructures and thorny security challenges, and the inevitability of financial fallout appears greater than ever.
Look at logs, they're not for the fireplace
The scenario above shows how machine data can be used to support security efforts with early warning of threats to an organisation's digital infrastructure (and personal data). This is one example, but if a business has visibility over the vast amounts of activity logs generated, it can be used in multiple ways to support compliance.
For instance, only machine data can tell you whether there is logon activity associated with an employee who is out of office, raising a possible red flag. It can also help mobile device management teams to identify when a new device accesses a system or logs into a VPN, warning them of potentially compromised credentials and helping to prevent data exfiltration. Machine data analytics does this quickly and in real time.
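The three signals described above (a logon by an out-of-office user, a first-seen device connecting to the VPN, and an abnormal volume written to removable media, as in John's case) can be expressed as simple rules over machine data. The following is an added example, not code from the article or from Splunk; the event records, the out-of-office roster, the known-device list and the 500 MB daily USB threshold are all constructed for illustration.

```python
"""Added example (not from the original article): minimal detection rules run
over constructed machine-data events. Field names and values are assumed."""
from collections import defaultdict

# Constructed sample events (not real logs). Times are ISO 8601 strings.
EVENTS = [
    {"ts": "2017-06-12T08:55:00", "user": "alice", "event": "logon", "host": "ws-014"},
    {"ts": "2017-06-12T09:02:00", "user": "bob", "event": "vpn_connect", "device_id": "dev-aa11"},
    {"ts": "2017-06-12T09:10:00", "user": "carol", "event": "logon", "host": "ws-022"},
    {"ts": "2017-06-12T21:40:00", "user": "bob", "event": "vpn_connect", "device_id": "dev-zz99"},
    {"ts": "2017-06-12T22:05:00", "user": "john", "event": "usb_write", "bytes": 650_000_000},
    {"ts": "2017-06-12T22:15:00", "user": "john", "event": "usb_write", "bytes": 900_000_000},
    {"ts": "2017-06-12T22:30:00", "user": "alice", "event": "usb_write", "bytes": 2_000_000},
]

# Constructed context that would normally come from HR / MDM systems.
OUT_OF_OFFICE = {"carol"}                       # users on leave today
KNOWN_DEVICES = {"bob": {"dev-aa11"}}           # devices previously seen per user
USB_DAILY_THRESHOLD = 500_000_000               # assumed baseline: 500 MB per user per day


def detect(events, out_of_office, known_devices, usb_threshold):
    """Return a list of (rule, user, detail) alerts, in the order they fire."""
    alerts = []
    seen = {user: set(devs) for user, devs in known_devices.items()}
    usb_totals = defaultdict(int)               # (user, day) -> bytes written so far

    for e in events:
        if e["event"] == "logon" and e["user"] in out_of_office:
            # Rule 1: interactive logon by someone who should not be working today.
            alerts.append(("out_of_office_logon", e["user"], e["ts"]))

        elif e["event"] == "vpn_connect":
            # Rule 2: VPN connection from a device never seen for this user.
            devices = seen.setdefault(e["user"], set())
            if e["device_id"] not in devices:
                alerts.append(("new_device_vpn", e["user"], e["device_id"]))
                devices.add(e["device_id"])     # learn it so we alert only once

        elif e["event"] == "usb_write":
            # Rule 3: cumulative removable-media volume per user per day crosses the baseline.
            key = (e["user"], e["ts"][:10])
            before = usb_totals[key]
            usb_totals[key] += e["bytes"]
            if before <= usb_threshold < usb_totals[key]:   # fire once, at the crossing
                alerts.append(("usb_volume", e["user"], key[1]))

    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(EVENTS, OUT_OF_OFFICE, KNOWN_DEVICES, USB_DAILY_THRESHOLD):
        print(f"{rule:22} user={user:6} {detail}")
```

The USB rule alerts once per user per day when the running total crosses the baseline rather than on every write, which keeps a bulk copy from generating hundreds of duplicate alerts; the device rule learns each new device after alerting so only the first sighting is flagged.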
Speed is critical, especially in the event of a security breach. The GDPR demands breach notification and communication as part of Articles 33 and 34. It means that organisations must notify supervisory authorities within 72 hours of becoming aware of a personal data breach. They must also notify the affected individuals without undue delay.
In the unfortunate event of a successful cyber-attack, insight from machine data allows businesses to quickly detect, investigate and scope the problem. Detailed analysis can be performed to track how and when the attacker entered the IT environment, which systems and data were accessed and when, how many people or records were affected and what remedial measures need to be taken. As notifications to authorities must contain information about the nature of the breach, the number of subjects it concerns and the next steps to fix it, such insights are central to GDPR compliance.
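Scoping a breach from machine data, as described above, comes down to pivoting on an indicator (here a source address, then the account it used) across the access logs, and deriving the facts a notification must contain: when the attacker got in, which systems and records were touched, how many data subjects are affected, and the 72-hour deadline from the moment of awareness. This is an added example, not code from the article or from Splunk; the log lines, the key=value layout, the TEST-NET addresses and the awareness time are constructed.

```python
"""Added example (not from the original article): reconstruct breach scope from
constructed key=value access-log lines and compute the Article 33 deadline."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log lines (not real data). Layout assumed: "<timestamp> key=value ...".
LOG_LINES = """
2017-06-10T23:58:12 host=web-01 user=svc_portal src=203.0.113.7 action=login result=success
2017-06-11T00:03:40 host=web-01 user=svc_portal src=203.0.113.7 action=read resource=claims record=CL-1001 subject=S-41
2017-06-11T00:03:55 host=web-01 user=svc_portal src=203.0.113.7 action=read resource=claims record=CL-1002 subject=S-42
2017-06-11T00:04:10 host=db-02 user=svc_portal src=203.0.113.7 action=export resource=claims record=CL-1003 subject=S-41
2017-06-11T08:15:00 host=web-01 user=alice src=10.0.0.5 action=read resource=claims record=CL-2001 subject=S-77
2017-06-11T09:30:00 host=db-02 user=svc_portal src=198.51.100.9 action=read resource=claims record=CL-1004 subject=S-43
""".strip().splitlines()

# Constructed: the moment the organisation became aware of the breach.
SAMPLE_AWARENESS = datetime(2017, 6, 12, 10, 0, 0)


def parse(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def scope_breach(lines, indicators):
    """Pivot on indicators ({field: {values}}) and summarise every matching event.

    Returns None when nothing matches, else a dict with entry/last-seen times,
    hosts, accounts, records, distinct data subjects and an action breakdown.
    """
    matched = [
        e for e in map(parse, lines)
        if any(e.get(field) in values for field, values in indicators.items())
    ]
    if not matched:
        return None
    matched.sort(key=lambda e: e["ts"])
    return {
        "first_seen": matched[0]["ts"].isoformat(),
        "last_seen": matched[-1]["ts"].isoformat(),
        "hosts": sorted({e["host"] for e in matched}),
        "accounts": sorted({e["user"] for e in matched}),
        "records": sorted({e["record"] for e in matched if "record" in e}),
        "subjects": sorted({e["subject"] for e in matched if "subject" in e}),
        "actions": dict(Counter(e["action"] for e in matched)),
    }


def notification_deadline(awareness, hours=72):
    """Article 33: supervisory authority must be notified within 72 hours of awareness."""
    return awareness + timedelta(hours=hours)


if __name__ == "__main__":
    # First pivot: the source address seen in the alert.
    by_src = scope_breach(LOG_LINES, {"src": {"203.0.113.7"}})
    print("by source address:", by_src)
    # Second pivot: widen to everything the compromised account did, from any address.
    by_account = scope_breach(LOG_LINES, {"user": set(by_src["accounts"])})
    print("by account:", by_account)
    print("notify authority by:", notification_deadline(SAMPLE_AWARENESS).isoformat())
```

The second pivot matters in practice: scoping only by the attacker's first address misses the later session from 198.51.100.9 on the same account, and therefore understates the number of affected subjects in the notification.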
The news in review
No organisation on earth wants to experience the wrath of the Information Commissioner's Office (ICO).
Look back to October 2015, when an NHS-approved online pharmacy, Pharmacy2U, was fined £130,000 by the ICO for offering customers' personal details to a marketing company without their consent.
But things could have been worse for the company's balance sheet had the breach occurred under the GDPR. From next May, failure to identify and report a breach within 72 hours of awareness, followed by a failed data protection audit from the supervisory authority in which the organisation is found not to be complying with the regulation, will lead to fines of €20 million or four per cent of annual turnover, whichever is greater. Under GDPR, and catastrophically for Pharmacy2U, its fine would have grown to a huge £4.4 million. Arguably, enough to put it out of business.
Machine data is one of the most underused and undervalued assets in any organisation. And, unfortunately, it's usually kept for short periods of time before it's discarded and never looked at again. But the most important insights you can gain, across the business and IT suites, are hidden in this data. As the GDPR looms ever closer and as cyber-threats increase in volume and sophistication, an organisation that chooses not to take advantage of the deep insights available to it is walking an increasingly narrow tightrope.
Contributed by Matthias Maier, security evangelist, Splunk.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.