1 DATA BREACH UNDER GDPR | How threat intelligence can reduce your liabilities

Post on 04-Jul-2020



The information provided in this document is the property of Blueliv, and any modification or use of all or part of the content of this document without the express written consent of Blueliv is strictly prohibited. Failure to reply to a request for consent shall in no case be understood as tacit authorization for the use thereof.

Blueliv® is a registered trademark of Leap In Value S.L. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners.

© 2017 Leap In Value S.L. All rights reserved.


INTRODUCTION

The new European Union General Data Protection Regulation (GDPR) will impose hefty financial penalties on those who fail to meet its requirements, so every organization must make its cyber security posture and compliance a top priority.

Under GDPR, a data breach will be among the most serious issues a company can face, especially with regard to personal data protection. Unfortunately, breaches happen continuously and can have negative financial, operational and reputational effects, often simultaneously. GDPR adds a regulatory impact on top. When it comes to data intrusion, it is a simple fact that it is not a question of if you get breached, but when.

Cyberthreat intelligence technology can help in the prevention, detection and remediation of data breaches under GDPR in three key ways:

• Reduce the chances of a personal data breach occurring

• Mitigate the effects of a breach

• Lower the costs incurred by a breach

This paper is intended to guide organizations concerned about the aspects of GDPR relating to data breach: what the effects are, what the organizational requirements and obligations are, and what novel security measures are available to prevent and mitigate a data breach.


A NEW FRAMEWORK FOR ORGANIZATIONS TRADING IN EUROPE

After years of negotiation, the European Union General Data Protection Regulation (GDPR) will come into effect on 25 May 2018, replacing the 22-year-old EU Data Protection Directive with more stringent conditions.1 This means that any local or international organization that does business in Europe or handles the personal data of EU residents is subject to a new standard of data protection and steep fines if it does not comply. Equivalent regulations have also been proposed in Canada and New York State in recent months.2 2.1

Understandably, the principal focus for an organization is how to meet these new regulations. One key aspect relates to the leakage of personal information. Besides the reputational consequences, under GDPR a breach can also have a massive financial impact. With all this flurry of compliance activity, how much thought is being given to preventing a data breach from happening and to mitigating the ramifications when it does?

External threat solutions can help deal with the rigor of GDPR by reducing the chances of a personal data breach occurring, mitigating the effects of a breach and lowering the costs incurred. To help understand the GDPR’s complexity surrounding data breaches, the following section summarizes the definitions, requirements and statistics that will impact stakeholders.

WHAT IS PERSONAL DATA UNDER GDPR?

Article 4 defines personal data as any information relating to an identified or identifiable natural person (the data subject).3

Personal data can include a name, an identification number, location, bank details, medical information, email address, IP address or online identifier, mobile device ID, and can even include physical, psychological, genetic, mental, economic or cultural identity.4

The task of protecting such disparate and widely distributed customer and employee data may understandably seem daunting, especially when failure to comply with GDPR standards could result in hefty fines.



GDPR REQUIREMENTS ON PERSONAL DATA PROTECTION

When the original 1995 directive was enacted, data as we know it did not play such a crucial role in business transactions. Now, after countless breaches and millions of personally identifiable information (PII) records having been compromised globally, the EU has mandated stricter controls to protect its citizens, tightening regulation and ensuring compliance with the promise of harsh penalties.

Privacy and control of PII are being systematically handed back to the data subject. An organization that wants to be successful under these new regulations will need to refine its approach to data privacy with this in mind.

Controllers are stewarding limited data, with the clear consent of data subjects, for a defined period of time, at the end of which they are required to forget or erase it. They may also be required to pass it along to other controllers at the request of the data subject.

If your company works with processors, entities that process personal data on your behalf, you must protect yourself by having monitoring measures in place. Compliance doesn’t simply mean that you escape fines and that your reputation remains untarnished. In this context, data breaches are probably the most serious issue a company can face, especially with regard to personal data protection. Under GDPR, relevant breaches must involve personal data and affect the confidentiality, integrity and/or availability of such data. These are the situations that can attract the highest fines.

Depending on the risk it poses to the rights and freedoms of individuals, when a breach occurs the controller needs to report the situation to the Data Protection Authority and potentially to the affected individuals (Article 33: a corporation must report a breach within 72 hours of it being detected).5 Recent clarifications from the Article 29 Data Protection Working Party provide clear guidelines regarding what is considered a data breach, how to assess its risk, when to report it, and what the potential impact could be.6

Note that a single compromised record can be considered a data breach, and that whether appropriate prevention and detection measures are in place (or not) will have an impact on the size of the potential penalty incurred.

Even more importantly, the speed at which an organization reacts will also have a bearing on the fine. With this in mind, it is crucial to use technology that helps you detect potential attacks and infections in as close to real time as possible, improving your incident response performance.



FREQUENCY OF DATA BREACHES

Breaches are more frequent than most people realize. The following statistics tell an alarming story.

According to the Breach Level Index, a staggering 9,053,156,308 data records have been either lost or stolen since 2013.7 These are mostly personal data records, which include personally identifiable information. Only 4 percent of these breaches were “secure,” meaning that encryption was used and the stolen data was rendered useless.

The Breach Level Index reports data records lost or stolen at the following frequency:

• 5,226,996 records every day

• 217,791 records every hour

• 3,630 records every minute

• 60 records every second

Meanwhile, the Identity Theft Resource Center (ITRC) reports that there were 917 data breaches from January through August 2017.8


WHY DATA BREACHES HAPPEN

Data breaches can occur for multiple reasons: disaffected staff members, careless employees who leave sensitive data exposed, and external attackers seeking financial gain.

An external attacker, usually part of a cybercrime syndicate, steals personal information to sell it on the black market for other cybercriminals to exploit, or to extort a ransom from stakeholders with threats like, “pay me a million euros and I won’t publicly disclose the fact that you’ve been breached.” The amount requested is proportional to the volume and importance of the leaked data, and linked to the reputational impact on the affected organization. When GDPR is implemented, we expect cybercriminals to demand ever higher sums.

Figure 1 - Example of a ransom request (500BC were worth close to 2M USD at that time)



Cybercriminals leverage many techniques to penetrate corporate infrastructures and steal personal information and other valuable assets. The main attack vectors used by cybercriminals include compromised user credentials and malware infections. In fact, 81% of breaches last year used stolen or weak passwords and 51% involved malware.9

According to the Ponemon Institute, 50 percent of data breaches in both France and the UK were caused by malicious or criminal attacks, while Germany was close with 46 percent. Malicious attacks caused 40 percent of Italy’s breaches. Italy also had the highest percentage of incidents caused by human error, at 36 percent.10

Two other recent studies found that the average cost of a breach for EMEA firms is €3.1 million.11 11.1 Yet these figures do not include fines from supervisory entities, such as those defined by GDPR. There are many factors to consider when calculating the final cost of a data breach, some of which are obvious: the size of the breach, clean-up and post-breach costs. Other expenses may not be so clear.

For instance, time is also a factor. The longer it takes an organization to discover the breach, the costlier it becomes. Since malicious or criminal breaches often take longer to detect, they are considerably more expensive to remedy. Beyond the disruptive impact on business operations and the potential fines imposed by GDPR, a corporation must report a breach within 72 hours of it being detected. The longer the delay, the higher the fine. It is important not to underestimate the impact of reputational damage and the subsequent rate of customer attrition following a breach. Ponemon quantify this churn rate in financial terms, pointing out that organizations that lost less than 1 percent of their customer base suffered an average loss of €2.23/$2.6 million. However, if 4 percent or more was lost, the average cost rose to €4.37/$5.1 million.

Average cost per size of data breach, global, F.Y. 2017 (Source: Ponemon Institute):

• Less than 10,000 records: $1.9 million

• 10,000 to 25,000 records: $2.8 million

• 25,001 to 50,000 records: $4.6 million

• More than 50,000 records: $6.3 million


The recent instance of the Equifax breach in the US and its subsequent fallout serves as a striking example. Since the breach, the market value of the company has dropped 40 percent and many C-level executives were forced to step down, including the CEO, CISO and CIO. The fact that customers are no longer accessing the company’s credit services cannot be ignored either. Equifax’s reputation has been devastated and at this stage it is unclear how the company will recover.

Figure 2 - Impact on Equifax’s valuation after the breach was made public

Average cost per single record, by root cause (Source: Ponemon Institute):

• Malicious or criminal attacks: €133

• System glitches: €109

• Human error: €107

GDPR is likely to increase the frequency of attempted data breaches.


GDPR PENALTIES

An organization in breach of GDPR can be fined up to 4 percent of its annual global turnover, or €20 million – whichever is greater. This is the maximum fine that can be levied against the most serious infringements (when a high-risk breach happens, and it is also found that the corporation had no appropriate measures in place, such as real-time intelligence gathering).

When deciding whether to impose an administrative fine, Data Protection Authorities (DPA) will consider the following criteria (found in Article 83):12

• Gravity of the breach

• Duration of exposure

• Number of data subjects

• Level of damage suffered

It is worth noting that, while considering the scale of the penalty, the DPA investigator will look at the actions taken by an organization to prevent, detect and remediate data breaches, including steps it is taking to recover the compromised data and its transparency in reporting the situation.

An organization which demonstrates a proactive approach to security using a range of technical, managerial, and operational controls will incur a lower penalty (or even no penalty) than one that takes little or no security measures and disregards its obligations under GDPR.

Actionable and targeted threat intelligence augments measures already being taken inside organizations to help detect potential attacks before they happen. Proactivity such as this will be looked on favourably by those authorities tasked with implementing and enforcing GDPR.



SETTING UP TO HANDLE DATA BREACH

Data breach is a constant threat. However, with new, stricter regulations just around the corner, the way in which your organization is set up to handle a breach is an ever more pressing concern.

When it comes specifically to data breach, and how to improve your internal defences with external threat intelligence, Blueliv advises asking the following questions of your organization in advance of GDPR implementation – not just as a one-off, but on an ongoing basis. Are you suitably prepared?

Your organization should be able to contend with these priorities using solutions which reduce the chance of a breach. Should one occur, those solutions should also help you to detect leaked information quickly. Below we have prepared some tips to help prepare your organization and minimize the costs to your business.

The three phases to prepare for are:

1. Prevention

2. Mitigation

3. Remediation

Questions to ask of your organization:

• Is my threat monitoring proactive?

• Am I receiving targeted intelligence about potentially infected devices, compromised documents and stolen credentials, and in a timely manner?

• Can I trust the intelligence I am receiving, so that I can act immediately?

• Do I know what cybercriminals and malicious actors are planning against my business?

• What is going on in the Dark Web? Should I be concerned?


PREVENTION

There is no single measure or technology that can achieve prevention alone, but improving your resilience is key. Organizations need to put in place different, complementary solutions to minimize the chance of suffering a data breach.

Proactive threat monitoring technology helps to detect in real time external risks that have the potential to affect your organization. We advise improving your overall protection by detecting your weak points before they can be exploited. The more hardened your attack surface and the more secure your perimeter, the less appealing you will be to attackers. If it is less demanding or cheaper to attack one organization over another, cybercriminals will choose the softer target.

Incidents from all attack vectors will be heavily punished under GDPR, including data breaches which originate from compromised user credentials and infected assets. We advise strengthening your current set-up with technology to mitigate these vectors by:

• Detecting malware-infected assets that have bypassed your endpoint security measures

• Identifying newly compromised user and system credentials

If your organization can monitor the above situations in real time, it can dramatically decrease the exposure window for cybercriminals performing deep penetrations. Currently the average time to detect a data breach is 106 days in EMEA, which is simply too long and will likely be taken into consideration by those enforcing GDPR, should your organization be breached.

Complementary threat intelligence services can help you radically reduce attack success rates, often by over 97 percent, but Blueliv remains the only provider to offer this in real time.



DETECTION

Proactive monitoring should go far beyond the standard or even the deep web and include the Dark Web too. Complementary security solutions should monitor the places where documents and data have been leaked and help your team understand the implications. Note that these leaks may originate in your own network, or even in the networks of your data processors.

Organizations can mitigate the impact of a breach through rapid detection ‘as seen from the outside,’ so that you can start to investigate its origin and close the gap to reduce its impact.

REMEDIATION

Incident Response Teams should be armed with all the tools necessary to understand the context of an external attack. In a critical situation, with the right information they can focus their efforts on remediating the issue and investigating the root causes. Enhancing your organization’s orchestration capabilities will allow your team to react rapidly and effectively in these situations.

Improving incident response times by detecting potential attacks before they happen, and investing in support for security operations teams, will be a sure-fire way to minimize the impact of GDPR on your organization if you suffer a data breach.

MITIGATING GDPR PENALTIES

Having a robust, proactive set of security controls in place will demonstrate that your company takes personal data protection seriously, both in front of the DPA and in the eyes of public opinion. When a data breach happens, regulatory authorities will take all of these factors into consideration when calculating a possible fine: the length of the breach, the strength of your security posture, and how immediate your response was.

The impact of a data breach on your reputation could be significantly moderated: detecting an issue, fixing it and reporting it in just a few days will demonstrate that you take care of your customers and employees.

The immediacy of your response is going to rely on your security operations team having actionable intelligence, as close to real time as possible.


OUR UNIQUE TECHNOLOGY SOLUTION

Blueliv Cyber Threat Intelligence is a modular, subscription-based cloud technology which manages external cyber threats from one single dashboard and can be completely customized to meet your organization’s needs, from the outside in. It is totally frictionless: organizations are able to start using it within minutes at a very low operational cost.

Blueliv’s patented technology provides unique targeted and actionable cyber threat intelligence across different domains to enable you to:

• Be aware of compromised credentials and assets in real time, with thousands of unique sources to identify credentials and malware infections

• Be notified in real time about malware samples targeting corporations and their end customers around the world, including web-injects

• Receive detailed information on stolen credit cards, in real time, from infected Points of Sale and from underground sites

• Be aware of rogue, malicious and illegal applications distributed across a large number of official and non-official marketplaces

• Track and monitor global social hacktivism operations and targeted hacking attacks which can affect your organization

• Track down confidential data and documents belonging to your organization that have been exfiltrated to public and not-so-public sites, including P2P networks

• Monitor information and activities affecting your organization and your employees on the Dark Web

• Detect cybersquatting sites before they become phishing sites, in addition to those which already are

• Search through social media, repositories and websites to find offenders affecting the reputation and image of your organization, brands and VIPs

• Retrieve relevant news published in worldwide newspapers and magazines in multiple languages which mention your organization, brands, products and locations

• Learn which malicious groups may affect your organization, learn about their campaigns and plans, and correlate this with relevant targeted intelligence

With this proprietary toolbox, Blueliv can help your organization: detect potential attacks before they happen; discover stolen data; detect infections bypassing endpoint solutions in close to real time; improve your incident response performance; empower your security operations team; and save time and resources.

Real-time threat detection: Thousands of unique sources to identify compromised credentials, to help you meet GDPR parameters as quickly as possible

Analyze threats: Unique patented technology leveraging machine learning to analyse and classify threats and incidents

Respond: Real-time, targeted, actionable intelligence combined with remediation capabilities to mitigate threats and reduce GDPR penalties

Blueliv Cyber Threat Intelligence technology is a plug-and-play cloud-based platform, meaning no messy installation or complex integration necessary.


REFERENCES

1 - https://gdpr-info.eu

2 - https://www.reuters.com/article/bc-finreg-canada-data-breach-reporting/canada-proposes-eu-like-regulations-for-mandatory-data-breach-reporting-idUSKCN1C828J

2.1 - https://www.bankinfosecurity.com/interviews/how-to-comply-new-yorks-cybersecurity-regulation-i-3733

3 - https://gdpr-info.eu/art-4-gdpr/

4 - https://www.whitecase.com/publications/article/chapter-5-key-definitions-unlocking-eu-general-data-protection-regulation

5 - https://gdpr-info.eu/art-33-gdpr/

6 - http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083

7 - http://breachlevelindex.com

8 - http://www.idtheftcenter.org/Data-Breaches/data-breaches

9 - http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

10 - https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN

11 - https://securityintelligence.com/media/2016-cost-data-breach-study/

11.1 - https://www.fireeye.com/blog/threat-research/2017/03/m-trends-2017.html

12 - https://gdpr-info.eu/art-83-gdpr/


About

Blueliv is a leading cyber threat monitoring and remediation provider with a world-class in-house Labs team. We scour the web to deliver fresh, targeted and actionable threat intelligence to organizations across multiple industries to protect their networks from the outside in. Our frictionless cloud-based technology turns global threat data into actionable intelligence, enabling organizations to save time and resources by improving their incident response performance and empowering their Security Operations team with real-time intelligence.

Start detecting external threats and join the

achieved ‘Cool Vendor’ status with Gartner and is a 2016 winner of Go Ignite.

Call Blueliv today to schedule your demonstration. Let us help you identify gaps and leverage our solution into your existing security practice.

Follow Us

twitter.com/blueliv

linkedin.com/company/blueliv