You’re a CIO, CISO or DPO - and you’ve been woken up in the middle of the night because personal data held by your organisation has been discovered for sale on the dark web. This disclosure puts the privacy of your customers at risk. What do you do next? Splunk's own Mathieu Dessus and Elizabeth Davies explore the future scenario.

1. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
A day in the life of a GDPR breach
The General Data Protection Regulation of
the European Union
Elizabeth Davies | Director Risk Management and Data
Protection, Data Protection Officer (DPO), Splunk
Mathieu Dessus | Presales Engineer
July 2017 Name
Title

2. © 2017 SPLUNK INC.
Elizabeth Davies Mathieu Dessus
▶ Director Risk Management and Data
Protection, Data Protection Officer
(DPO)
▶ Presales Engineer, France
Your hosts of today
From Splunk

3. © 2017 SPLUNK INC.
Legal Disclaimer
3
The information in this presentation was compiled from
sources believed to be reliable for informational and
discussion purposes only.
The information contained herein is not intended to
constitute legal advice. You should consult with your
own legal teams when developing programs and
policies. You should not take, or refrain from taking,
action based on its content. We do not guarantee the
accuracy of this information and assume no liability in
connection with therewith.

4. © 2017 SPLUNK INC.
What’s the
GDPR
What
activities are
happening
within
organizations
to prepare for
What tools
and
processes a
DPO relies on
How a day in
the life of a
GDPR breach
can look like
Why Splunk
What you will learn

5. © 2017 SPLUNK INC.
Has your
organization already
started to prepare for
the GDPR?

6. © 2017 SPLUNK INC.
DPO’s View

7. © 2017 SPLUNK INC.
An Outsider’s
Perspective On GDPR
Why GDPR Is So
Important to US
Security First Mindset
Agenda
GDPR: Quick Overview

8. © 2017 SPLUNK INC.
Individual Rights
(Right of Access, Rectification, Erasure,
Portability, Restriction)
(Arts. 15-20)
Record of Processing
Activities
(Data Mapping and DPIA—Art. 30/35)
Breach Notification
(Art. 33-34)
Secure Processing
(Art. 32)
GDPR
GDPR: General Data Protection Regulation
Highlights of Key Areas

9. © 2017 SPLUNK INC.
Your Vendors
(Processors) Must
Report Events to
Your Business
Your Business
(Controllers) Must
Report to the
Authorities (DPAs)
You Business May
Also Need to Report
to the Individual
Affected
GDPR: Breach Notification Across EU
A harmonized/tiered reporting obligation, but with tight response times (72 hours)
Reporting Obligations: Your Business, Authorities and Affected Individuals

10. © 2017 SPLUNK INC.
Your Vendor
Notifies Your
Business
Your Business
Notifies the DPA
Your
Business
Notifies the
Individual
Affected
When Do You Need to Report?
Without “Undue Delay” and Often within 72 hours
Without undue delay after
becoming aware of breach
Not later than 72 hours
after becoming aware of
breach if likely to result
in risk to rights and
freedoms
Without undue delay if
likely to result in high
risk to rights and
freedoms

11. © 2017 SPLUNK INC.
▶ Nature of the breach, including
category/number of affected
individuals and categories/number of
personal data records concerned
▶ Contact info—if you have a DPO
theirs are required
▶ Likely consequences of breach
▶ Measures taken to mitigate breach
What Do You Need to
Report?
At a minimum, the following:

12. © 2017 SPLUNK INC.
Detection + Escalation
(Global: $0.99M)
Notification
(Global: $0.19M)
Post-Breach Response
(Global: $0.93M)
Lost Business
(Global: $1.51M)
Costs of Data Breaches
(Global Average Costs Per Breach)
Source: Ponemon Inst.
2017 Cost of Data Breach
Study – United States and
2017 Cost of Data Breach
Study - Global
Average total cost of data breach
Global: $3.62M
$

13. © 2017 SPLUNK INC.
You will need log file reporting tools to help you determine:
• If you have a breach—unauthorized access, disclosure,
leak of information
• If the breach is consequential enough to report—what
kind of information was exposed, for how long, how many
affected, was it anonymized/encrypted, etc.
• What steps you will need to take to mitigate—take
systems or users off line, shunt access, create sink
holes, etc.
So What Can You Do to Prepare?
Some essential tools will help

14. © 2017 SPLUNK INC.
▶ At Splunk, our employees are our canaries in the
coal mine
▶ You can’t notify customers, DPAs, or consumers, if you
don’t know there is a problem
▶ No DPO/CPO/CISO/CIO can be everywhere, all the
time
▶ Loss, destruction, leakage, unauthorized access—they
can happen anywhere, not simply at your firewall
▶ You need everyone to play their part
You Will Also Need Training
It takes a village
(Security/IT/Legal/Customer Relations/Marketing/HR)

15. © 2017 SPLUNK INC.
• Eliminate duplication,
streamline and
enhance baseline
education for all
• Supplemental training
where needed
Enhanced
Privacy/Security
Training
• Enhance first
responder base when
needed
• Develop org-wide
“muscle memory"
Volunteer
Firefighting
• Enhance messaging
campaign globally
about who, when and
where to report
security/privacy events
• Make this know-how
second nature
Revised IR Plan
Enhanced
Messaging
At Splunk, We Are Focusing On Three Key Areas
All designed to get us ready for May 2018

16. © 2017 SPLUNK INC.
1. Security and Privacy are team sports—rally
your team (Security/IT/Legal/HR/Marketing/Customer
Relations)
2. Training and IR Plan updates can be done easily
and quickly—an ounce of prevention is worth
a pound of cure
3. Don’t get overwhelmed, it won’t help
4. Put together a workable—not a perfect—plan
and get going
5. Start with the easy stuff first—build team
confidence
Don’t let perfection be
the enemy of the
good—GDPR is here to
stay—plenty of time
ahead to improve
Key
Takeaways

17. © 2017 SPLUNK INC.
Helen Keller
“Life is either a
great adventure or nothing.”

18. © 2017 SPLUNK INC.
Has your
organization
identified which
processes and
technologies are
required to adjust for
the GDPR?

19. © 2017 SPLUNK INC.
A day in the life of a
GDPR Breach

20. © 2017 SPLUNK INC.
“Les personnages et les situations de ce
récit étant purement fictifs, toute
ressemblance avec des personnes ou
des situations existantes, ayant existé,
ou qui existeront dans le futur, ne
saurait être que fortuite.

21. © 2017 SPLUNK INC.
What if
tomorrow is

22. © 2017 SPLUNK INC.
What if you’re
responsible
for Security?

23. © 2017 SPLUNK INC.
You wake up
in the morning
and you even
haven’t had
your coffee

24. © 2017 SPLUNK INC.
Your friendly
Data Privacy
Officer is on
the phone

25. © 2017 SPLUNK INC.
Someone
claims to sell
PI data you
hold

26. © 2017 SPLUNK INC.
How does the DPO
know?
Your threat
Intelligence
provider
informed you
and provided
you samples

27. © 2017 SPLUNK INC.
There is data in the
deep web
It may be your
data!

28. © 2017 SPLUNK INC.
He hangs up!
What’s next?

29. © 2017 SPLUNK INC.
Your incident
investigation
plan kicks in

30. © 2017 SPLUNK INC.
Does your
organization have an
incident investigation
process defined and
in place in case
you’re breached?

31. © 2017 SPLUNK INC.
DPO
IT
PR/Media Team
Legal
(CEO)
Coordination

32. © 2017 SPLUNK INC.
Emergency
call
Emergency
chatroom

33. © 2017 SPLUNK INC.
The fire alarm
button is
pulled down

34. © 2017 SPLUNK INC.

35. © 2017 SPLUNK INC.
Internal Leak
External Leak
Incident
commander
T- 70h

36. © 2017 SPLUNK INC.
“We need to
investigate!!!”
Reaching out
to your
security
operations
team
T- 65h

37. © 2017 SPLUNK INC.
People and
Processes
T- 60h

38. © 2017 SPLUNK INC.
Where is that
data stored in
your
environment?
T- 55h

39. © 2017 SPLUNK INC.
First Action
Is data still
leaking?
T- 45h

40. © 2017 SPLUNK INC.
How will you
watch them?
T- 40h

41. © 2017 SPLUNK INC.
Nice,
structured,
tidy data
T- 39h

42. © 2017 SPLUNK INC.
Diving deep into
the digital
infrastructure
T- 35h

43. © 2017 SPLUNK INC.
time series, in motion,
unstructured
Machine data
43
T- 34h

44. © 2017 SPLUNK INC.
It can be big
data…
T- 33h

45. © 2017 SPLUNK INC.
… it is lazy
T- 32h

46. © 2017 SPLUNK INC.
… and it is
hard to
understand…
T- 30h

47. © 2017 SPLUNK INC.
Worst Case
External
authorities
might come in
to your
organization
and say:
“Don’t stop it”
T- 25h

48. © 2017 SPLUNK INC.
Take response
actions to stop
data leakage
T- 20h

49. © 2017 SPLUNK INC.
Understand
T- 15h

50. © 2017 SPLUNK INC.
How much
data will be
needed for
this?

51. © 2017 SPLUNK INC.
Who
processed
your
information?
T- 10h

52. © 2017 SPLUNK INC.
Which user or
systems was
involved?
T- 8h

53. © 2017 SPLUNK INC.
You know what you
know
You know what you
don’t know
Painting the
picture
T- 5h

54. © 2017 SPLUNK INC.
Does your organization
collect the machine data to
analyse with your SIEM
from all applications and
systems that are
processing personal
information?

55. © 2017 SPLUNK INC.
Maybe resulting in a
non event?
Puts the breach
data subjects at
risk?

56. © 2017 SPLUNK INC.
Do individuals need to
be informed
additionally?
How sensitive
was the data?

57. © 2017 SPLUNK INC.
before chatter explodes
• Inform Authority
• Inform affected
Individuals
• (Inform Public)
As an
organization
you want to
control the
story
T- 0h

58. © 2017 SPLUNK INC.
Worst
Practice:
Yahoo!
“Yahoo later admitted to an even
larger breach from 2013

59. © 2017 SPLUNK INC.
Best Practice:
ABTA Breach

60. © 2017 SPLUNK INC.
Best Practice:
ABTA Breach

61. © 2017 SPLUNK INC.

62. © 2017 SPLUNK INC.
2+ weeks later out of
the news
Example
ABTA Breach

63. © 2017 SPLUNK INC.

64. © 2017 SPLUNK INC.
Someone
knocks on
your door
T+ 1 Week

65. © 2017 SPLUNK INC.
Have you deployed
“countermeasures
appropriate to the risk”?
Have you used “state
of the art” best
practices?
Data Privacy
Audits
T+ 1 Week

66. © 2017 SPLUNK INC.
Massive Fines
T+ 1 Week

67. © 2017 SPLUNK INC.
What did you know?
When did you know?
How did you know
about it?
Prove
T+ 2 Weeks

68. © 2017 SPLUNK INC.
Logs become
your digital
fingerprints

69. © 2017 SPLUNK INC.
Why Splunk?
Splunk can help

70. © 2017 SPLUNK INC.
Prove GDPR security
controls are enforced
Splunk helps to detect,
prevent and investigate
breaches
Search and report
on personal data
processing
What GDPR use cases does Splunk help solve?
Breach Investigation Notification: 72 Hours

71. © 2017 SPLUNK INC.
Three Use Cases that bring
different person’s on the
same level and speak the
same language, each:
▶ Real World Scenario
(IT-Manager)
▶ Relevant GDPR Articles
and what they mean
(Data Privacy Officer)
▶ How machine data
helps with (Splunk
Champion)
Whitepaper: How machine data helps with GDPR
https://www.splunk.com/en_us/form/white-paper-how-machine-data-supports-gdpr-compliance.html
https://www.splunk.com/de_de/form/wie-maschinendaten-die-eu-dsgvo.html
https://www.splunk.com/fr_fr/form/les-donnees-machine-facilitent-la-conformite-au-rgpd.html

72. © 2017 SPLUNK INC.© 2017 SPLUNK INC.© 2017 SPLUNK INC.
Industry Leading Platform For Machine Data
Custom
dashboards
Report and
analyze
Monitor
and alert
Developer
Platform
Ad hoc
searchOn-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy MetersFirewall
Intrusion
Prevention
Platform Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Machine Data: Any Location, Type, Volume Answer Any Question

73. © 2017 SPLUNK INC.© 2017 SPLUNK INC.© 2017 SPLUNK INC.
Industry Leading Platform For Machine Data
Custom
dashboards
Report and
analyze
Monitor
and alert
Developer
Platform
Ad hoc
searchOn-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy MetersFirewall
Intrusion
Prevention
Platform Support (Apps / API / SDKs)
Enterprise Scalability
Universal Indexing
Machine Data: Any Location, Type, Volume Answer Any Question
Any Amount, Any Location, Any Source
Schema
on-the-fly
Universal
indexing
No
back-end
RDBMS
No need
to filter
data

74. © 2017 SPLUNK INC.
Download our
Whitepaper “How
machine supports
GDPR compliance”
▶ https://www.splunk.com/en_us/form/whit
e-paper-how-machine-data-supports-
gdpr-compliance.html
Ask for a Workshop
▶ GDPR Article
Mapping
▶ Data Obfuscation
Explore Splunk Hands on
▶ Cloud | Sandbox | On
Prem
▶ www.splunk.com/
Machine data plays a critical role under the upcoming EU-GDPR
and Splunk's universal machine data platform allows
organizations to quickly ask any question they have.

75. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
Thank You for attending
▶ Fill out our Survey Monkey to rate the
webinar and give us feedback
▶ Questions