By Tony Cole, CTO, Attivo Networks
Will the SolarWinds breach finally prompt the right legislative and regulatory actions on a broader, more effective scale? The SolarWinds breach is not the first major supply chain breach, but previous similar breaches failed to prompt effective regulatory action. Both governments and businesses remain focused on things like cyber …
Many organisations have been able to address Articles 32 and 25 of GDPR, but many still struggle with Article 33. Numerous organisations have difficulty identifying whether an incident happened at all, and if it did, they have trouble modifying their strategy to report within 72 hours. The previous EU directive, 95/46, made no specific mention of data breaches; GDPR now sets a clear directive as to what constitutes a data breach, how the incident is to be reported, and the substantial penalties for not complying. This has required businesses to reassess their technology and processes in order to understand their ability to detect, audit, and report breaches in compliance with GDPR. Closing these gaps, in many cases, requires the adoption of new technology to ensure that the attack is not only detected but also understood in a way that can explain the magnitude of the breach and the corrective actions to contain it. Whether because of access to budget, skills shortages, or otherwise, a fair number of organisations remain hard-pressed to comply with this article if faced with a breach today.
Written by: Carolyn Crandall, CMO & Chief Deception Officer
Since the original breach notification law enacted in California in 2002, each of the 50 states, the District of Columbia, Puerto Rico, Guam, and the Virgin Islands has enacted breach notification laws that require organizations or government entities to notify individuals of security breaches that involve personally identifiable information. U.S. organizations that have suffered a breach currently face a regulatory web that is nearly impossible to navigate, and if a company’s products or services reach into the EU, they must also comply with GDPR for the relevant segment of their user base.
By: Carolyn Crandall
The General Data Protection Regulation (GDPR) is expected to radically change the global data usage and protection landscape when it becomes effective on May 25th. This European legal framework will hold any organization collecting, controlling or processing EU personal data accountable for safeguarding it. Businesses that do not comply risk potentially crippling penalties of up to $28 million or 4 percent of their annual revenue.
GDPR was established to safeguard consumer information and set a bar for organizations to demonstrate compliance with protective measures. GDPR’s arrival will require a heightened set of data security and data privacy measures for businesses of all sizes. Despite this, many organizations today remain unprepared to address these requirements. Traditional information security systems have repeatedly proven that they can be compromised, and existing security controls are unreliable in detecting threats that have bypassed preventative defenses. These gaps in detection, and the inability to quickly and accurately disclose a breach, leave such organizations exposed to substantial violations.
Unless organizations make a material change to their information security defenses, breaches will continue to escalate in number and severity, and with GDPR, the consequences of a breach are greater than ever before. History has proven that a prevention-only approach using data loss prevention, spam filters and firewalls is simply not adequate or reliable, and to comply with these stringent standards, attention and investment must shift to an active defense that includes detection and response.
Against this backdrop, forward-looking organizations are re-evaluating their technology and processes to assess their ability to detect, audit and report breaches to ensure GDPR compliance. Many are rapidly adopting new solutions that are designed to detect attacks early, accurately, and provide a detailed analysis that can explain the magnitude of the breach, as well as the corrective actions to contain it.
Enter Deception Technology
Among these new technologies in the information security toolkit are deception-based cybersecurity solutions, which secure Personally Identifiable Information (PII) while meeting GDPR regulations.
Used by enterprises to build a proactive security posture, deception technology can play an instrumental role in turning the game against the modern-day perpetrator. It accomplishes this objective by providing a proactive in-network threat defense of traps and lures, designed to deceive attackers into revealing themselves early in the attack cycle and significantly reduce dwell time. First, deception plays a unique role in that it can proactively entice an attacker into revealing themselves once they are inside the network, rather than waiting for predefined behavioral patterns to surface and then trying to discern wrongful behavior from them. Second, since deception is engagement-based, each alert is substantiated with attack analysis and forensic reporting that includes the full tactics, techniques, and procedures (TTPs) of an attack and the indicators of compromise (IOCs).
Deception technology can better prepare organizations for GDPR Article 33 – the notification of a personal data breach to the supervisory authority – by providing powerful security controls for an active defense through early and accurate threat detection. By obfuscating the attack surface with traps and lures designed to look like files and other assets within the network, deception technology makes it difficult for an attacker to decipher which assets are real and which ones are fake. It also offers integrations with third-party prevention tools such as firewalls, SIEMs, NAC, and EDR solutions that can be set up for information sharing and the ability to automatically block, quarantine, and threat hunt. This strengthens perimeter and in-network defenses and accelerates incident response.
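To make the engagement-based point concrete, here is an added example (not Attivo's code or any product's output) of the detection logic a decoy alert rests on: any touch of a decoy file or decoy credential is an alert with its indicators attached, while real assets never produce one, and the first engagement starts the Article 33 72-hour clock. The decoy inventory, the event schema, and the sample records are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed decoy inventory (assumption): nothing legitimate references these,
# so any interaction is an engagement, not a behavioural anomaly to be scored.
DECOYS = {
    r"\\fs01\finance\payroll_2018.xlsx": "decoy-file",
    "svc_backup_legacy": "decoy-credential",
}

# Constructed sample access/logon records (assumed schema, not a real product log).
EVENTS = [
    {"ts": "2018-05-20T08:15:00Z", "src": "10.1.4.23", "user": "jsmith",
     "object": r"\\fs01\finance\q1_report.xlsx"},      # real file: no alert
    {"ts": "2018-05-20T08:17:30Z", "src": "10.1.4.23", "user": "jsmith",
     "object": r"\\fs01\finance\payroll_2018.xlsx"},   # decoy file opened
    {"ts": "2018-05-20T08:19:02Z", "src": "10.1.4.23", "user": "svc_backup_legacy",
     "object": "logon"},                                # decoy credential used
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_engagements(events, decoys=DECOYS):
    """Engagement-based detection: one substantiated alert per decoy touch, carrying
    the indicators (source host, account, decoy asset) an IR team needs."""
    alerts = []
    for e in events:
        kind = decoys.get(e["object"]) or decoys.get(e["user"])
        if kind is None:
            continue  # real asset and real account: nothing to score, no alert
        alerts.append({
            "ts": parse_ts(e["ts"]),
            "decoy_type": kind,
            "ioc": {"src_ip": e["src"], "account": e["user"], "asset": e["object"]},
        })
    return alerts

def article33_window(alerts, now):
    """Article 33: notify the supervisory authority within 72 hours of becoming
    aware. Returns (deadline, hours_remaining) measured from the first engagement."""
    first = min(a["ts"] for a in alerts)
    deadline = first + timedelta(hours=72)
    return deadline, (deadline - now).total_seconds() / 3600

if __name__ == "__main__":
    found = detect_engagements(EVENTS)
    deadline, left = article33_window(found, parse_ts("2018-05-21T08:17:30Z"))
    for a in found:
        print(a["decoy_type"], a["ioc"])
    print("report by", deadline.isoformat(), f"({left:.0f}h left)")
```

The real file access on the same host produces nothing, which is the property the text is describing: no baseline and no scoring threshold is involved, only the fact of contact with something that should never be touched.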
With the growing volume and variety of attacks – and an ever-evolving attack surface – it is critical for organizations to mitigate threats by embracing tools that provide early and accurate detection as well as a better understanding of where the weakest links in their security infrastructure are.
As May 25 approaches, businesses must ask themselves some tough questions. Can I demonstrate that my organization has the necessary controls in place? Am I able to monitor user behaviors and investigate abnormalities quickly enough? Under GDPR, not only will businesses be held to these regulations, but individuals will have the ability to sue organizations that cause material or non-material damage due to a breach of personal information. In preparation for the initial launch and for ongoing compliance, organizations must objectively assess their readiness and be prepared to invest in solutions that further protect PII across all channels, devices, locations, networks and cloud storage.
By detecting breaches early, understanding attacks through threat, adversary, and counterintelligence, and adding detailed reporting and automation to demonstrate that the attack has been properly addressed, deception technology will play an increasingly active role in an organization’s GDPR compliance plan. Investing in deception technology is an easy and effective way to add detection capabilities that will deliver real and measurable results for breach response and disclosure. Ultimately, deception technology closes today’s detection and reporting gaps, further protecting an organization’s business, brand reputation, and wallet from costly fines.