The General Data Protection Regulation (GDPR) is now in effect and organizations worldwide are working hard to ensure they are compliant with the new regulations. With that in mind, SentinelOne has invited Ian Thornton-Trump aka ‘Phat Hobbit’ to share his thoughts on the GDPR and how endpoint protection can help companies achieve compliance.
Endpoint Protection – the Frontline in the Fight for GDPR
As of Friday 25th May 2018, all organisations worldwide must now adhere to the protection requirements of the GDPR. Whilst some companies are well into their compliance journey, there are many out there with business models that will face challenges in quickly adapting to this new reality. It’s an interesting time either way.
Endpoint protection becomes the frontline defence in the battle against cybercriminals; there’s no point spending lots of money investing in cloud security if you haven’t looked at protecting the devices in the hands of the users. It’s those devices the cyber criminals target and it’s those devices on which the actual attack takes place – according to the SANS Institute, “75% of the time identified, impactful threats initially entered via email attachment.”
Ransomware – or worse – is the end result of an organizational security failure, in which there are three components: an exploit (either a software or human vulnerability), a Remote Access Trojan (RAT) and a payload such as WannaCry. Once the exploit has been triggered and the RAT is in place, you’re already looking at a GDPR violation because the system has lost integrity and an attacker can now choose to do whatever they want. In many cases, this is delivering a ransomware payload, but we’re seeing an increasingly diverse range of activities beginning to take place. Attackers, for example, are moving laterally through corporate networks, looking for privileged account credentials and credit card information before dropping their payloads.
What Can be Done?
The GDPR is a new regulation, and the interpretation of regulations is similar to the interpretation of law – it’s done through precedents set in legal courts. Right now, there is still a lot of uncertainty about the application of the GDPR in the practical sense, but the key takeaway of it all is to make sure you’ve implemented a layered security model based on the personal data and confidential information you’re trying to protect. It’s also important to consider that installing anything and everything security will make you no more compliant than the organization that has taken the time to determine its level of risk and employed just two or three solutions to protect the integrity of their systems and data. Quality beats quantity every time when it comes to security defences.
Personal vs. Corporate Devices
With the mobile, BYOD era we operate in, many employees prefer to use their personal devices for work purposes. But then, who is responsible for the security of the device and the data it holds?
If the data belongs to the organization, they’re responsible for its protection – that much is clear. The company should have carried out a risk assessment to confirm they’re happy with the level of exposure the data has on the device, whilst also maintaining the ability, tools and techniques to locate and remotely wipe the device should it be lost or compromised. Many organizations will also stipulate a minimum level of security required, such as passcodes and encryption – this needs to be enforced. The end goal is to have evidence of data protection due diligence. A problem then arises if the device owner has been negligent in its protection, perhaps by sharing passwords or by not implementing them at all. At this point, the individual can be held to account, alongside the organization; look at the precedents set where unencrypted laptops have been lost or stolen.
When thinking about what you need to be successfully compliant, your organization needs the assurance the necessary security is in place and working. With the GDPR, it’s about assuring that the company’s systems have integrity and confidential data is secure.
You need to be able to prove that you’re compliant, and the only way you can do this is to have evidence. When you don’t have any evidence – or couldn’t even detect the attack in the first place – you’re in the unenviable position of having violated the GDPR. Chances are this compliance violation will be brought to your attention by an external third party, and not always a friendly one.
Many security products have the most amazing capabilities, but it means nothing if you can’t prove it. Any solution your organization implements should provide clear, concise reports summarising what’s going on, what is being found and whether all components are up to date. It’s these reports that will demonstrate compliance and which can be used as proof both to internal stakeholders and to external agencies such as the supervisory authorities of the GDPR, for example the UK’s Information Commissioner’s Office (ICO).
What if I’m Breached?
So, your devices all have endpoint protection and you’ve got the reports you need to prove you’re working hard to comply with the GDPR. But what happens if you still fall victim to a data breach? It’s nearly impossible to be 100% compliant all of the time – there will be chinks in the armour. However, the due diligence will show you’ve made every effort to be compliant, and that means the difference between receiving a crippling – perhaps even fatal – fine versus a warning from the ICO. A breach can also turn out to have a silver lining. If you have evidence of how the network was breached and what was targeted, this can be used to assess the true extent of the breach. It may not even be relevant to the GDPR if the data was not personal.
In addition to employing a trusted endpoint protection solution, my advice is to make sure data is properly segmented and secured so you know where it is stored and what protections are in place; this will help determine the level of risk that should be applied to the data. Equally important is the management of privileged credentials. These are the keys to the corporate kingdom and a veritable treasure trove to a malicious attacker – the first thing an attacker will go after is local administrator rights, followed by domain admin or root credentials. One inexpensive way to detect compromise is to create a tempting decoy account such as “global administrator”. The attacker does not know you have an alert set to identify if anyone attempts to use the account to authenticate to a network resource. This is a low-cost way to detect a malicious actor with a foothold in your network.
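As an added illustration of the decoy-account alert described above (this is example code written for this article, not SentinelOne’s or the author’s own tooling), the snippet below scans constructed authentication records and raises one alert per source host that tries the decoy name, whether or not the logon succeeded. The `key=value` record format, the account names and the hosts are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Decoy account names that no legitimate user or service should ever use.
# Compared case-insensitively because logon events may vary the casing.
DECOY_ACCOUNTS = {"global administrator"}

# Constructed sample logon records. The fields mirror what a logon event
# carries (time, account, source, target, outcome), but this flat
# key=value layout is an assumption for the example, not any product's output.
SAMPLE_LOG = """\
ts=2018-05-25T08:01:12Z event=logon account=jsmith src=10.0.4.21 target=FS01 result=success
ts=2018-05-25T08:03:45Z event=logon account=svc_backup src=10.0.4.9 target=DB01 result=success
ts=2018-05-25T08:10:02Z event=logon account="Global Administrator" src=10.0.7.55 target=DC01 result=failure
ts=2018-05-25T08:10:05Z event=logon account="Global Administrator" src=10.0.7.55 target=FS01 result=failure
ts=2018-05-25T08:12:30Z event=logon account=jsmith src=10.0.4.21 target=MAIL01 result=success
"""

# Matches key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decoy_alerts(log_text):
    """Return one alert per source host that touched a decoy account.
    Failed attempts count too: the attempt itself is the signal, because
    nobody has a legitimate reason to know the decoy exists."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("event") != "logon":
            continue
        if rec.get("account", "").lower() in DECOY_ACCOUNTS:
            hits[rec["src"]].append(rec)
    return [
        {
            "src": src,
            "first_seen": recs[0]["ts"],
            "targets": sorted({r["target"] for r in recs}),
            "attempts": len(recs),
        }
        for src, recs in hits.items()
    ]


if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE_LOG):
        print("ALERT decoy account used from", alert["src"], alert)
```

Feeding the same function real logon events only requires replacing `parse_record` with a parser for your log source; the alerting logic is unchanged.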
However, all this advice is null and void if you don’t even know whether an unauthorized person is roaming your network – which is why having good endpoint protection in place is a ‘no brainer’. With endpoint protection, you will know the moment someone sneaks onto the network, alerting your Security Operations Centre to the threat and giving them the information they need to thwart any attacker.