So this Friday (otherwise known as GDPR Day) might not be quite as full of enjoyment as many others. Indeed this week may prove to be busy and stressful, getting last minute things done before GDPR takes effect. Once the final touches have been made to things like data collection policies, subscription forms and you have completed staff training, you may want think more closely about the options available for breach notification.
In our experience this is often either one of the last elements considered by Data Controllers or even something which is less likely to be considered at all. Companies often believe that with some form of security in place, data is secure – and that is the end of the discussion. Not so. Companies must not just consider the likelihood of a breach and take steps to secure data but also be able to report the breach within a 72 hour window, providing the ICO with an overview of: The Nature of the Breach; The Type of Data Affected; and The approximate Number of Records at risk.
This is in addition to measures to stop it happening again, the potential consequences (in relation to how it was taken) and the details of the Data Protection Officer who is responsible for resolving the issue.
For each company, the difficulty in providing this data within a 72 hour window may be easy, or it may be extremely difficult. Companies may choose to play it safe, and report every potential breach, risking their reputation, or may play a dangerous game and risk huge fines. Neither route is good for business. Instead, companies should look to reduce the number of potential false positives and understand their relationship to their data more closely.
There are three critical tools which help companies respond to a breach within the 72 hour time frame: Breach Detection Systems (BDS); Network Behaviour Analysis (NBA); and Endpoint Detection and Response.
Breach Detection Systems (BDS)
The family of web-based tools used to protect against, and notify about, breaches, is called a Breach Detection System. These are automated tools which monitor IP addresses, network port access and breakages in Network Security defence to create a wider picture of what data could have been taken by a third party at any given time based on their access.
These tools are used to recognise, identify and attempt to halt threats which are already inside the network. They do not stop outside threats, for the most part, from being able to get into the network – they are a secondary form of defence to limit the damage an external threat can do once inside.
In most cases their role is to alert security staff to the fact that something is not right, or that a threat has been detected, so they can take the proper remedial steps as soon as possible. Historically, data security was managed through data policies and whitelisting – rules designed to protect users – however with new hacking techniques and viruses far more unpredictable thanks to the sheer scope of methods available, it has become necessary to employ machines to monitor activity far more closely to ensure total security.
“Using algorithms to watch these behaviors greatly increases your chances of finding an attack that was previously unknown — no signature or rule will find these. The algorithms can detect behavior deviations — statistically — or match known behaviors to new behaviors.”
Eric Ahlm, Security Research Director at Gartner.
Three Different Approaches to Breach Detection
There are three distinct methods of BDS which are available, all of which have their own advantages and disadvantages, depending on the level of access users within systems generally have, how they are managed and maintained, and the rules which currently exist to protect the network from attack.
User and Entity Behavioural Analytics (UEBA)
Instead of tracking security events or looking at the details of devices, EUBA tracks a systems users – playing the man and not the ball. It looks at the standard way in which users typically act, regardless of whether they have the right credentials or other access, then looks at any deviation from normality as a guide to make sure the person is in fact who they claim to be.
A good example of EUBA would be the world of banking, where a system builds a profile of general spending, the kinds of places they purchase, times of day, location – all sorts of factors. It then makes a guess about whether that users activity is in line with what it has seen previously.
Advantages: Extremely accurate over time. Alerts staff quickly and accurately to potential threats. Little to no management required.
Disadvantages: Requires lots of User Data to make accurate predications. Potentially lots of false positives in the early stages – best used with systems that hold large amounts of highly sensitive data. Can be costly if a large amount of users.
Network Behaviour Anomoly Detection (NBAD)
Network Behaviour AI is the newest and most effective form of breach detection available to business. It uses a large number of variable factors, including bandwidth usage, deep packet inspection, log analysis, flow monitoring, route analytics and statistical analysis models to detect anomalies in network behaviour.
This is the leading method to detect non-user threats such as viruses and malicious code. It ensures data within the network carries untouched data (called a signature) and can immediately block threats in real-time without the need to be connected to the internet. Much like UEBA, NBA is a machine learning tool which comes to quickly recognise strange or unusual behaviour and use it as a guide to shut down attacks quickly and effectively.
NBA tools work in sync with Firewalls, Intrusion Detection and Anti-virus Systems as an inside player, forming a critical tool that halts code from running once access has been forced, or a user has run code by mistake. NBA tools give an extremely close-up view of what code is running and how that code impacted the system, giving a definite idea of what impact the data breach may have had and what data may have been taken.
Advantages: Highly observant technology which gives an accurate picture of what occurred in a breach. Available offline – ‘always on’. Streamlines network operations by detecting and resolving operational issues.
Disadvantages: Larger network load – monitoring across all functions can increase carry load and put greater strain on networks. Potentially lots of false positives in the early stages – may require constant management. Requires full management to constantly asses new threats or update in line with new technologies.
Endpoint Detection and Response.
There are many different Endpoint Tools available, but they all work in a similar fashion:
An Endpoint is any device which is connected to a Network and can run code, ie. That has an operating system (this includes PC’s, Tablets, Mobiles, Network Storage and Servers). Endpoint tools refer to an application which is installed on that device (called an Agent) that enables a range of different features for IT Management.
In the case of Threat detection and Response, the agent may be setup to: block malicious code running on the device (with Anti-virus); stop viruses spreading across a network; to allow the device to be managed remotely without threat of further infection; to whitelist and blacklist new threats immediately and enhance firewall security; to monitor network activity and recognise threats; or to enable clean-up and remediate groups of infected machines quickly.
Endpoint is the preferred option for many businesses when it comes to breach detection and prevention. The main reason for this is the level of versatility and flexibility it offers in regards to IT Management and no requirement to purchase large hardware items. Endpoints are an effective method to halt network attacks and diagnose a breach which may have happened over a wide number of machines.
Advantages: Priced competitively. Allows quick resolution rather than a wipe of the device in most cases, meaning a great reduction in downtime to business after an attack. Allows for cross correlation in real-time and preventative action in real-time once a threat is detected.
Disadvantages: Endpoint Security tools typically use markers such as file attributes to protect against, making them vulnerable against new threats. Endpoints only report prevention and anomalies – if they are fooled then it can be difficult to know what was done and therefore what data has been breached.
Finding the Best Option for You
The truth is that often decisions such as this come down to experience, the preferences of management and the risks that a business faces.
If you deal in large quantities of sensitive data and are highly customer centric then, to offset that risk, you may find User Analytics is the best option. If you are a financial firm who rely completely on the integrity of computer systems, with downtime being worth millions, then Network Anomoly detection is probably best suited. If you are a smaller B2B business who are looking to fulfil data protection and breach reporting legislation then an Endpoint tool may well suit your needs.
Generally speaking an effective IT Security setup is one that offers the fewest false positives. We always suggest a robust security setup that blends key security tools with proper user training and detailed customer documentation.
In any case, ensure you have something before the start of GDPR!