The ability to quickly detect, respond and, most importantly, investigate breaches will mean a lot when it comes to meeting those obligations. It already takes 101 days – according to Mandiant – before the average organisation even discovers a breach but, when that breach is spotted, how quickly will they be able to investigate and report on it? Most enterprises simply can't monitor, detect, investigate or respond in the way that they need to in order to disclose effectively within that 72-hour window.
It seems that most organisations freely admit that. A recent survey by the Ponemon Institute and the law firm McDermott Will & Emery showed that 83% of companies list reporting as the most difficult aspect of GDPR. What is perhaps more encouraging is that 68% realise that failing to comply with this aspect of the regulation poses the biggest risk to them.
www.intelligentciso.com | Issue 04
Reporting is currently hamstrung by a number of problems, which will make a swift and detailed submission to GDPR regulators that much harder. They centre around four key areas of this process. The first two are scoping and root cause analysis, followed by containment and mitigation.
Scoping and root cause analysis are related but not the same. Scoping will help you understand the size of the impact crater – how much damage was done in the breach. The SOC can be best prepared with an accurate catalogue of the assets in your environment and which data they process. With regard to GDPR, that means personal data.
You'll need to scope effectively in order to begin root cause analysis, which requires the analyst to thoroughly explore and trace the activities and touch points of the attacker en route to the exfiltration. This means finding accurate and current data on transactions and time series and then forensically reconstructing the steps of how an attacker broke into and made their way through your network. It also often means sifting through the human errors or simple misconfigurations that so often lead to breaches.
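The scoping and root cause analysis steps described above, as an added example that is not part of the article: given a constructed asset catalogue and a constructed time series of logon events, it rebuilds the attacker's hop chain from the entry host to the exfiltration host in chronological order, then lists which of the touched hosts process personal data. Host names, data classes and the event fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample catalogue (not from the article): host -> data classes it
# processes. In practice this comes from the CMDB / data inventory.
ASSET_CATALOGUE = {
    "web-01": {"public"},
    "app-02": {"customer_pii"},
    "db-03": {"customer_pii", "payment"},
    "files-04": {"employee_pii"},
}

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime   # when the logon happened
    src: str       # host the logon came from
    dst: str       # host that was logged on to
    user: str

# Constructed logon time series. The 08:00 event predates the intrusion and
# must not end up on the reconstructed path; 09:10 is a dead-end touch point.
EVENTS = [
    AuthEvent(datetime(2018, 5, 25, 8, 0), "app-02", "db-03", "backup"),
    AuthEvent(datetime(2018, 5, 25, 9, 0), "web-01", "app-02", "svc_web"),
    AuthEvent(datetime(2018, 5, 25, 9, 10), "app-02", "files-04", "jdoe"),
    AuthEvent(datetime(2018, 5, 25, 9, 20), "app-02", "db-03", "jdoe"),
]

def trace_path(events, entry, exfil_host):
    """Root cause analysis: rebuild the chain of logons from entry to exfil host.
    Each hop starts where the previous one ended and occurs after it in time."""
    by_time = sorted(events, key=lambda e: e.ts)

    def walk(host, after, path):
        if host == exfil_host:
            return path
        visited = {p.dst for p in path} | {entry}   # avoid cycles
        for e in by_time:
            if e.src == host and e.ts > after and e.dst not in visited:
                found = walk(e.dst, e.ts, path + [e])
                if found is not None:
                    return found
        return None   # no time-ordered chain reaches the exfil host
    return walk(entry, datetime.min, [])

def scope_breach(path, catalogue):
    """Scoping: which hosts on the attacker's path process personal data."""
    touched = [path[0].src] + [e.dst for e in path]
    return {h: catalogue[h] for h in touched
            if any(d.endswith("_pii") for d in catalogue.get(h, ()))}
```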
Compliant organisations will have to document their breaches in detail even if they don't need to directly report them.