Splunk GDPR Security Roundtable: Zurich - 22 Nov 2017 PT1

© 2017 SPLUNK INC.© 2017 SPLUNK INC.© 2017 SPLUNK INC.© 2017 SPLUNK INC.
GDPR Security Roundtable
Grüezi – Bonjour – Welcome – Willkommen – Buongiorno
Part I
Matthias Maier
22th November 2017, Marriott Zürich

© 2017 SPLUNK INC.© 2017 SPLUNK INC.
▶ 13:30 Uhr: Splunk Welcome and Introduction Round
• Intro to GDPR
• Discussion
▶ 14:30 Uhr: Splunk‘s View: Day in a life of a GDPR Breach & How it looks like in a SOC
▶ 15:15 Uhr: Coffee Break
▶ 15:45 Uhr : Two Customer Insights
▶ 16:30 Uhr: Panel discussion
▶ 17:00 Uhr: Apéro
Agenda

Introduction Round
SOC / GDPR / Security Experience
Todays Expectations

GDPR: Overview
• Sharing Where are you with GDPR?
• Splunk’s View

Goal of the General Data Protection Regulation
“The aim of the GDPR is to protect all EU
citizens from privacy and data breaches
in an increasingly data-driven world”

GDPR Timelines
The regulation is binding across all EU members states
January, 2012
Commissioner Proposed reform
to Data Protection regulation
May, 2018
Effective Data Protection
Framework comes into force (25th
May, 2018)
April, 2016
EU Council adopted new
regulation
December, 2015
EU agreement on regulation
including the UK after Brexit

Key Features of GDPR
Applicable to any company doing business in the European Union
European
Data
Protection
Harmonizati
on
Fines up to
€20m or
4% of
turnover
Mandatory
Privacy
Impact
Assessment
s
Privacy by
Design &
Default
72 Hour
Breach
Notification
Mandatory
Data
Erasure &
Portability
Consent for
Personal
Data
Profiling

GDPR Advice
from the
information
commissioner
office

• Who drives the GDPR
Program in your
organization?
• Experience with the
GDPR
• What’s your GDPR
challenge / question /
take away you want to
hear from your peers
today?
Sharing
Experiences

▶ What’s the current status within your Organizations? Data Impact Assessments
happened?
▶ Who owns the GDPR Program in your organization?
▶ What are the Key Challenges?
▶ What are expected changes that influences the IT Department? What changes
have happened already?
▶ What capabilities need to be established for breach notification?
▶ What capabilities need to be established for data privacy audits?
▶ How about monitoring of PII processing activities?
Roundtable Discussion Points
HINTS

Splunk’s View

How Splunk helps you
with GDPR compliance
Do not break GDPR
compliance with Splunk

▶ Data in transit: Encryption
▶ Data at rest: Encryption
▶ Data at rest: Integrity
▶ Data/Fields within Splunk:
• Anonymization in raw event
• Anonymization in presentation layer
• Pseudonymization in raw event
• Pseudonymization in presentation layer
Pseudonymization of PII
Stay compliant whatever occurs in your machine data
risk
minimization
strategy
1.5hr workshop available
with live demo

© 2017 SPLUNK INC.
A day in the life of a
GDPR Breach

© 2017 SPLUNK INC.
What if
tomorrow is

© 2017 SPLUNK INC.
What if you’re
responsible
for Security?

© 2017 SPLUNK INC.
You wake up
in the morning
and you even
haven’t had
your coffee

© 2017 SPLUNK INC.
Your friendly
Data Privacy
Officer is on
the phone

© 2017 SPLUNK INC.
Someone
claims to sell
PI data you
hold

© 2017 SPLUNK INC.
He hangs up!
What’s next?

© 2017 SPLUNK INC.
Your incident
investigation
plan kicks in

© 2017 SPLUNK INC.
DPO
IT
PR/Media Team
Legal
(CEO)
Coordination

© 2017 SPLUNK INC.
Emergency
call
Emergency
chatroom

© 2017 SPLUNK INC.
The fire alarm
button is
pulled down

© 2017 SPLUNK INC.
Internal Leak
External Leak
Incident
commander
T- 70h

© 2017 SPLUNK INC.
“We need to
investigate!!!”
Reaching out
to your
security
operations
team
T- 65h

© 2017 SPLUNK INC.
Where is that
data stored in
your
environment?
T- 55h

© 2017 SPLUNK INC.
First Action
Is data still
leaking?
T- 45h

© 2017 SPLUNK INC.
How will you
watch them?
T- 40h

© 2017 SPLUNK INC.
Nice,
structured,
tidy data
T- 39h

© 2017 SPLUNK INC.
Diving deep into
the digital
infrastructure
T- 35h

© 2017 SPLUNK INC.
time series, in motion,
unstructured
Machine data
33
T- 34h

© 2017 SPLUNK INC.
It can be big
data…
T- 33h

© 2017 SPLUNK INC.
… it is lazy
T- 32h

© 2017 SPLUNK INC.
… and it is
hard to
understand…
T- 30h

© 2017 SPLUNK INC.
Take response
actions to stop
data leakage
T- 20h

© 2017 SPLUNK INC.
Understand
T- 15h

© 2017 SPLUNK INC.
How much
data will be
needed for
this?

© 2017 SPLUNK INC.
Who
processed
your
information?
T- 10h

© 2017 SPLUNK INC.
Which user or
systems was
involved?
T- 8h

© 2017 SPLUNK INC.
You know what you
know
You know what you
don’t know
Painting the
picture
T- 5h

© 2017 SPLUNK INC.
Maybe resulting in a
non event?
Puts the breach
data subjects at
risk?

© 2017 SPLUNK INC.
Do individuals need to
be informed
additionally?
How sensitive
was the data?

© 2017 SPLUNK INC.
before chatter explodes
• Inform Authority
• Inform affected
Individuals
• (Inform Public)
As an
organization
you want to
control the
story
T- 0h

© 2017 SPLUNK INC.
Worst
Practice:
German
Bundestag
"The Trojans are still active," confirmed SPIEGEL ONLINE. According to
data from several sources familiar with the case, Bundestag data from
the ”Parliament" network continue to flow in an unknown direction.

© 2017 SPLUNK INC.
Best Practice:
ABTA Breach

© 2017 SPLUNK INC.
2+ weeks later out of
the news
Example
ABTA Breach
50

© 2017 SPLUNK INC.
Someone
knocks on
your door
T+ 1 Week

© 2017 SPLUNK INC.
Have you deployed
“countermeasures
appropriate to the risk”?
Have you used “state
of the art” best
practices?
Data Privacy
Audits
T+ 1 Week

© 2017 SPLUNK INC.
Massive Fines
T+ 1 Week

© 2017 SPLUNK INC.
What did you know?
When did you know?
How did you know
about it?
Prove
T+ 2 Weeks

© 2017 SPLUNK INC.
Logs become
your digital
fingerprints

Machine Data plays a critical role and helps your organization to
comply with the GDPR - Are you prepared?
We invite you to ask for a GDPR Workshop!

Customer Story in
Detail
UCAS – Security Mapped to Business Needs
PostFinance – SOC Use Case in Detail: Phishing Fishers

Security at the
Universities and
Colleges Admissions
Service (UCAS)
Neil Bell, Security Assurance Manager, UCAS

Getting to know us a little
The world’s only national centralised
organisation processing applications to higher
education.
An intermediary in an ever changing multi-£billion market.

Our customer(s)
Circa 800,000applicants
Circa 600,000 placed
4 million applications, in over 6,000 registered
centres, to 388universities & colleges & 1200 schools.
This includes UK & international schools, agents and advisers
from over 100 countries.

▶ Protecting circa 800k Student Records (across multiple schemes) and ensuring
availability of our services throughout the year including during our peak periods
of activity
▶ Data flows from applications to universities and back
▶ Maintaining service levels throughout the year but with specific focus during
August
▶ “UCAS provides important core services throughout the year, but for two
weeks during August the reliance on our services is significantly increased
- we are a crucial part of the process of ensuring applicants obtain their
University offers. If we fail circa 700k+ Undergraduate students don’t get
their places confirmed on time (during an already stressful period) and
universities don’t fill the spaces they need to.”
Our priorities in IT

National News at UCAS on results day

BBC Live from UCAS on results day

▶ Exam results: Time sensitive (embargoed) data
▶ Students: UCAS.com and TRACK.UCAS.com over 4000 hits/s
▶ Providers: 388 providers wanting the latest view of their applicants
▶ Detect issues before they become a ‘real’ problem
▶ We can only do this using a single analytics driven view
Our Challenges - The ‘live’ view

Our Challenges - The ‘live’ view

• AV endpoint reporting – Vulnerability scan data – Web filtering – mail
filtering – Domain – DNS
• File system auditing, Database auditing, Web access logging
• 98 web application services
• Sophos Endpoint incl. PUA detection
• Cisco ASAs, Firepower, Cisco ISE, Palo Alto
• Amazon Web Services monitoring via the app
• And much much more…
What goes into Splunk?
Monitoring
Alerts
Data

Centralized Visibility in our
SOC
Detecting Security Risks
beyond Malware
Incident Investigation to
prove-negative for breach
notification obligation
What do we do with Splunk’s Security Platform
Insights in three use cases

With Splunk Enterprise
Security in the Cloud
Centralized
Visibility in
our SOC

Automation of reporting
Detecting
Security Risks
beyond
Malware
Need:
• Monitoring of file auditing to detect if unauthorized users
are making changes or access data that is treated under
NDA and a timed embargo
Solution:
• Enabled windows auditing and data onboarding within a
day
• Event enrichment through a list of authorised users
• Automated alerting

Automation
Detecting
Security Risks
beyond
Malware
Need:
• Monitoring newly created domain users
Solution:
• On boarded data within a day
• Created a dashboard
• Splunk Cloud sends us every day a report to review

Protecting Privacy
Incident
Investigation
to prove-
negative
Compliance Regulation:
We are processing personal information from students around
the world and need to comply with the Data Protection Act
1988 (shortly EU-GDPR)
If personal data is lost or ends up in the wrong hands,
we have the obligation to report publicly

Protecting the Privacy
Incident
Investigation
to prove-
negative
Situation:
Security Incident which looked like a breach of the DPA
Solution:
Incident Investigation with Splunk
• Analysing log data from all our databases
• „Connecting the dots“
• Found out it was a false report of loss that we could prove
didn‘t happen - no data was disclosed.
• We showed that others were wrong.
Result:
• No statutory reporting needed
• Stronger reporting position
• Increased trust in the platform and my team

▶ We have been going about a year, but…
▶ It can be technically done in less than 5 Weeks
▶ We have a ‘Splunk Champion’ in every business area that uses it
▶ Put as much in as you can to get the best out
▶ Operate
• IT core technology partner (Including SOC service)
• Splunk Cloud and Splunk Enterprise Security are key to the deliverables
• Splunk is listed as our strategic logging and SIEM product
What does it take to establish and build this?

PostFinance
SOC Use Case in Detail: Phishing Fishers

Post Finance: How Splunk Connects Business
and IT at a Swiss Bank
▶ 1TB Data / Day, 55+ Splunk Apps, 2360 Source Systems, 800 Searches per
Minute
▶ Automated Statistic Generation for Fraud Detection and Product Management
in E-Payment
▶ E-Payment Fraud Investigation Workflow
▶ Online Banking Security ,Threat Detection like Phishing Attack response
workflows

Thank You
83

Backup

Finding of the ICO at a
Privacy Audit
Search and
Report on
data
processing

© 2017 SPLUNK INC.© 2017 SPLUNK INC.© 2016 SPLUNK INC. CONFIDENTIAL. INTERNAL USE ONLY.
Splunk can help your Organization with GDPR
GDPR about People (IT & Legal), Process and
Technology
Splunk helps to detect, prevent and investigate
breaches
• Breach Notification Article
• Breach Communication to Individuals Article
• Implement appropriate techn. Measures (Article)
Prove GDPR security controls are enforced
• Data security article / state of the art tech / implement
appropriate techn. Measures
Search and report on personal data processing

Splunk GDPR Security Roundtable: Zurich - 22 Nov 2017 PT1

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Splunk GDPR Security Roundtable: Zurich - 22 Nov 2017 PT1

Similaire à Splunk GDPR Security Roundtable: Zurich - 22 Nov 2017 PT1 (20)

Plus de Splunk

Plus de Splunk (20)

Dernier

Dernier (20)

Splunk GDPR Security Roundtable: Zurich - 22 Nov 2017 PT1