Countdown to GDPR: Responding to the 72-hour Notification of a Personal Breach
December 12, 2017 | Regulations, Audit & Compliance | Corey O'Connor
Here’s a million dollar question (which could quite literally be a million dollar question, given the potential fines in play): how fast can your organization respond after a personal data breach? The General Data Protection Regulation (GDPR), which takes effect May 25, 2018, requires organizations to notify the supervisory authority of a personal data breach, which includes unauthorized access to or disclosure of personal data, within 72 hours of becoming aware of it.
If you’re thinking that seems like a tight window—you’re right. According to a recent industry study, only 10 percent of breached organizations were able to notify regulators within 72 hours of discovering a breach. Moreover, 38 percent reported notification took two to five months to complete.
The notification itself is not just a heads-up. GDPR Article 33(3) requires that it describe at least the following, and Article 33(5) requires the controller to document the breach, its effects and the remedial action taken:
- The nature of the personal data breach, including the categories and approximate number of data subjects and personal data records concerned
- Likely consequences
- Measures taken or proposed to be taken by the controller to address the personal data breach
The sobering truth is that attackers are likely hiding inside your environment right now, undetected, navigating the network in search of the right pathway to access sensitive data. To rapidly and accurately report on a breach—or, better yet, detect a threat before a breach occurs—you need robust operational controls. A strong Privileged Account Security strategy is critical to such control.
Detect and Block Threats Early in the Attack Cycle
Security tools and solutions are continuously developed to protect organizations from known vulnerabilities and threats, but attackers are often a step ahead, plotting new, sophisticated ways to infiltrate organizations. That’s why it’s critical to adopt an attacker’s mindset when bolstering your security practices in preparation for GDPR. To do so, it’s important to detect and block threats early in the attack cycle. Consider these four steps:
- First, look for exposed privileged accounts. Do you have a solution in place that alerts on exposed credentials and on unconstrained delegation? Unconstrained delegation lets a service impersonate any user who authenticates to it when it talks to other services. When a user connects to a host configured for unconstrained delegation, a copy of that user’s ticket-granting ticket (TGT) is sent along with the service ticket and cached in the host’s memory (LSASS). An attacker who has already compromised that host can extract the cached TGT and reuse it as that user; if the user is a domain administrator, that is enough to move laterally and compromise a domain controller.
- Identify ways privileged account security can be bypassed. Privileged accounts exist in every organization and are a significant exposure when unsecured. Do you know how many privileged accounts and service accounts you have, and how many of them are actually under management? Are they secured? Is there a solution in place that can detect suspected credential theft and rotate credentials and passwords to prevent attackers from escalating privileges and moving through the environment?
- Identify attacks known to bypass authentication. Do you have a way of detecting attacks that exploit Kerberos authentication? These attacks can be very damaging: some grant effectively unrestricted access that persists for as long as the attacker wants, leaving unlimited time for reconnaissance. Are you considering attacks launched from deep within the network, after the perimeter has already been crossed?
- Detect the abuse of privileged access. Can you clearly define what normal privileged activity looks like, business as usual, and distinguish it from anomalous activity that may be risky to the organization? Are you taking that risk-based approach to privileged account security? Do you have a solution that will prevent attackers from gaining access to the critical systems and applications that hold personal data of EU residents?
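The first two steps above are the ones an administrator can start checking today in the directory. The following is an added example, not CyberArk’s code or a feature of any product: it classifies Active Directory accounts by the Kerberos delegation mode configured on them, using the documented userAccountControl bits and delegation attributes, builds the LDAP filter you would run against a domain controller to find unconstrained delegation, and lists privileged users that are not marked “sensitive and cannot be delegated” (the setting that stops their TGT from being forwarded to such a host). The directory records, account names and hostnames are constructed for the example.

```python
"""Enumerate Kerberos delegation exposure from Active Directory account attributes.

Added example, not CyberArk's code. The records below are constructed; in a
real run they would come from an LDAP search using the filter built here.
"""

# userAccountControl bits (documented Active Directory values)
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controller computer accounts
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# LDAP matching rule OID: true when every bit of the given value is set
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def unconstrained_delegation_filter() -> str:
    """LDAP filter for accounts with unconstrained delegation, excluding domain
    controllers, which are trusted for delegation by design."""
    return (
        "(&"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={TRUSTED_FOR_DELEGATION})"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={SERVER_TRUST_ACCOUNT}))"
        ")"
    )


def classify_delegation(record: dict) -> str:
    """Return the delegation mode configured on one account record."""
    uac = int(record.get("userAccountControl", 0))
    if uac & SERVER_TRUST_ACCOUNT:
        return "domain-controller"  # unconstrained by design; review separately
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if record.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained"
    if record.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        return "resource-based"
    return "none"


def find_unconstrained(records: list[dict]) -> list[str]:
    """Non-DC accounts whose host caches callers' TGTs: the ones to fix first."""
    return sorted(r["sAMAccountName"] for r in records
                  if classify_delegation(r) == "unconstrained")


def unprotected_privileged_users(records: list[dict], privileged: set[str]) -> list[str]:
    """Privileged users whose TGT can still be forwarded to a delegating host.
    Setting NOT_DELEGATED (or Protected Users membership) stops the KDC from
    issuing forwardable tickets for them."""
    return sorted(r["sAMAccountName"] for r in records
                  if r["sAMAccountName"] in privileged
                  and not (int(r.get("userAccountControl", 0)) & NOT_DELEGATED))


# Constructed sample records (not real directory data)
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$",    "userAccountControl": 0x82000},   # DC: server trust + unconstrained
    {"sAMAccountName": "WEB01$",   "userAccountControl": 0x81000},   # member server, unconstrained delegation
    {"sAMAccountName": "WS01$",    "userAccountControl": 0x1000},    # plain workstation
    {"sAMAccountName": "APP02$",   "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # resource-based (constructed bytes)
    {"sAMAccountName": "svc-sql",  "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},  # constrained, Kerberos only
    {"sAMAccountName": "svc-web",  "userAccountControl": 0x1010200,
     "msDS-AllowedToDelegateTo": ["HTTP/api.corp.example"]},            # constrained + protocol transition
    {"sAMAccountName": "da-alice", "userAccountControl": 0x200},      # domain admin, delegation not blocked
    {"sAMAccountName": "da-bob",   "userAccountControl": 0x100200},   # domain admin, NOT_DELEGATED set
]
PRIVILEGED = {"da-alice", "da-bob"}

if __name__ == "__main__":
    print("LDAP filter:", unconstrained_delegation_filter())
    for rec in SAMPLE_RECORDS:
        print(f"{rec['sAMAccountName']:<10} {classify_delegation(rec)}")
    print("Unconstrained (non-DC):", find_unconstrained(SAMPLE_RECORDS))
    print("Privileged users without NOT_DELEGATED:",
          unprotected_privileged_users(SAMPLE_RECORDS, PRIVILEGED))
```

On the constructed data the only non-DC account with unconstrained delegation is WEB01$, and da-alice is the privileged user whose TGT would be cached on that host if she ever logged on to it. Domain controllers are reported separately rather than hidden, because an unconstrained host that is not a DC is the finding, while a DC that lacks the flag is a different kind of anomaly.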
Blocking unauthorized access to personal data helps you prevent reportable data breaches in the first place. As much as possible, automatic detection and blocking of access should be a proactive function built into your Privileged Account Security solution. This type of early detection is different from perimeter defenses, which are monitoring and security controls focused on protecting your systems from attacks coming from the outside. A strong Privileged Account Security strategy focuses on proactively detecting threats to personal data from the inside out. Profiling and analyzing individual privileged session behavior within the network in real time can help an organization detect breaches early, with prioritized alerts when abnormal activity is detected.
In our second GDPR advisory, we outline a list of proactive detection and privileged access accounting checkpoints to help you prepare for GDPR notification and reporting requirements. To learn more about detecting and responding rapidly to breaches, contact your sales representative, view our on-demand webinar series, or visit here to learn how CyberArk can help your organization with GDPR readiness.
Related Resource: Infographic: Responding to the 72 Hour Notification of a Personal Data Breach