Impact of GDPR on Threat Intelligence Programs

Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 22 July 2020

The EU General Data Protection Regulation (GDPR) plays a part in enterprises’ overall strategies and, more specifically, in their collection and use of threat intelligence. In particular, it impacts enterprises’ security and privacy strategies for current and planned projects.

GDPR Impact on Cybersecurity

GDPR affects the cybersecurity function in a number of ways:

  • Scope of responsibility—Cybersecurity managers need to have a clear understanding of their specific role in implementing GDPR, the systems and departments covered, and their access rights.
  • Scope of territory—The territorial scope of GDPR compliance must be defined. Is the territory the place where the manager responsible for GDPR compliance is physically located, or is it broader? This question is especially important in cases of international groups, where one person can be in charge of several organizations.
  • Applicable laws—Parties should be clear about which laws are applicable to their relationship. Are only GDPR-implemented laws in effect, or are there other applicable privacy- and security-related regulations? What are the rules for determining enterprise and employee liability?
  • Communication—If the cybersecurity manager’s scope of responsibility overlaps with that of other managers or employees, it is crucial that they agree on how to work together and how to distribute common tasks.
  • Provability—All agreements related to scope of responsibility, distribution of tasks and liability should be provable. If possible, they should be written down. Other options (e.g., communicating the main terms via email) are acceptable, as long as it is possible to prove that all stakeholders accepted the terms should a conflict arise.1

What Is Threat Intelligence?

There is no one definition of threat intelligence, but in general, it can be understood as any timely, accurate information about an actionable threat, vulnerability or incident that can be considered an indicator of compromise (IoC) to the enterprise. An IoC can be defined as evidence that a cyberattack has taken place. In addition to providing valuable information about what has already happened, IoCs can be used to prepare for the future and prevent similar attacks. Antimalware software and similar technologies use known IoCs, such as virus signatures, to guard against threats. IoCs can also be used in heuristic analysis.2

Figure 1 describes the inputs of a threat intelligence program.

Enterprises should be cognizant of the following:

  • Vulnerabilities—Weaknesses in hardware or software can often be remedied with patches. These may be provided by software and hardware vendors, such as Microsoft in the case of Windows or Microsoft 365 (formerly Office 365) and Adobe in the case of Adobe Flash.
  • Incident information—Forensic evidence of data breaches or other security incidents can help an organization harden its internal and external barriers by identifying lapses in processes and technologies that require strengthening.
  • Vendors—Email alerts and other notices from vendors regarding current threats, available patches and potential threats impacting an industry are valuable.
  • IoCs—IoCs come in many forms. Some examples include anomalies based on an enterprise’s analysis of its users’ Internet and computer activity; irregularities such as operator activity from locations where the enterprise does not usually conduct business, whether inbound or outbound; and unusual server or database activity, based on the enterprise’s policies and standards.

Other inputs include threat information shared by regulatory authorities or information sharing and analysis centers (ISACs), such as those managed or operated by industry groups or government agencies.


How to Detect, Prevent, Respond or Mitigate Threats?

After being cognizant of the various inputs to their threat intelligence program, the security operations center (SOC) analysts then need to consider the treatments or actions to detect, prevent, respond to and mitigate these threats. SOC analysts are part of the methodology used by organizations to mitigate risk and incident occurrence and enhance their control posture. SOC analysts rely on a combination of threat intelligence shared by other sources and their own threat “hunting” efforts to improve the enterprise’s control posture and situational readiness.

Step 1: Know Where the Crown Jewels Reside
The crown jewels are an enterprise’s sensitive assets and data. Under GDPR, enterprises must be aware of where all their personal and sensitive data are collected, used, stored and destroyed. Access to personal data must be monitored to ensure that such access is authorized and proper. Anomalous access should be flagged for further review, and disclosure of personal data should be limited.
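The IoCs listed earlier (operator activity from locations where the enterprise does not usually do business, unusual database activity) and the Step 1 requirement that access to personal data be monitored and anomalous access flagged for review both come down to the same control: a rule set evaluated over access logs for the data stores in the personal-data inventory. The following is an added example, not code from the article or from any vendor it cites; the log format, the store names, the expected-country set and the bulk-read threshold are all constructed assumptions, and a real deployment would draw the store list from the enterprise's own inventory of personal data.

```python
"""
Added example (not from the article): a minimal rule-based monitor that flags
anomalous access to stores holding personal data. All log lines, country
codes, store names and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Assumed inventory of data stores that hold personal data (the "crown jewels").
PERSONAL_DATA_STORES = {"crm_db", "hr_db"}

# Assumed set of countries in which the enterprise normally conducts business.
EXPECTED_COUNTRIES = {"DE", "FR", "NL"}

# Assumed threshold: a single read returning more rows than this from a
# personal-data store is treated as unusual database activity.
BULK_READ_ROWS = 1000

# Constructed sample access log: timestamp, user, source country, store, action, rows.
SAMPLE_LOG = """\
2020-07-01T08:02:11Z alice DE crm_db SELECT 12
2020-07-01T08:05:40Z bob FR hr_db SELECT 3
2020-07-01T08:09:02Z alice DE crm_db UPDATE 1
2020-07-01T23:41:57Z carol BR crm_db SELECT 25
2020-07-02T02:13:08Z bob FR crm_db SELECT 48000
2020-07-02T09:00:00Z dave DE wiki_db SELECT 9000
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    country: str
    store: str
    action: str
    rows: int


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, store, action, rows = line.split()
        events.append(AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                  user, country, store, action, int(rows)))
    return events


def flag_anomalies(events: List[AccessEvent]) -> List[Tuple[AccessEvent, str]]:
    """Return (event, reason) pairs that should be routed to an analyst.

    Only stores in the personal-data inventory are in scope; an event can
    produce more than one finding if it trips more than one rule.
    """
    findings = []
    for ev in events:
        if ev.store not in PERSONAL_DATA_STORES:
            continue
        if ev.country not in EXPECTED_COUNTRIES:
            findings.append((ev, f"access from unexpected country {ev.country}"))
        if ev.action == "SELECT" and ev.rows > BULK_READ_ROWS:
            findings.append((ev, f"bulk read of {ev.rows} rows"))
    return findings


def summarize(findings: List[Tuple[AccessEvent, str]]) -> Counter:
    """Count findings per user, a convenient triage view for SOC review."""
    return Counter(ev.user for ev, _ in findings)


if __name__ == "__main__":
    found = flag_anomalies(parse_log(SAMPLE_LOG))
    for ev, reason in found:
        print(f"{ev.ts.isoformat()} {ev.user} {ev.store}: {reason}")
    print(summarize(found))
```

Note that the 9000-row read of `wiki_db` is deliberately not flagged: it is outside the personal-data inventory, which is the point of Step 1. Keeping the inventory and the rules as data (rather than hard-coded conditions) is what lets the SOC update the monitor when the privacy team's data map changes.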

To ensure that their threat intelligence efforts are comprehensive, analysts must:3

  • Be aware of privacy concerns that may be related to user credentials or assets that are identified in real time, using the thousands of unique sources available to identify credentials and malware infections
  • Get real-time notifications about malware samples targeting enterprises and their customers around the world, including web injects
  • Receive detailed information about stolen credit cards
  • Be aware of rogue, malicious and illegal applications distributed through official and nonofficial marketplaces
  • Track and monitor global social hacktivism operations and targeted hacking attacks
  • Track down the enterprise’s confidential data and documents that have been exfiltrated in public and not-so-public sites, including peer-to-peer (P2P) networks
  • Monitor information and activities on the dark web affecting the enterprise and its employees
  • Detect cybersquatting sites before they become phishing sites, in addition to recognizing established phishing sites
  • Search social media, repositories and websites to find offenders affecting the reputation and image of the enterprise, its brands and its leaders
  • Retrieve relevant information published in multiple languages in worldwide newspapers and magazines that mentions the enterprise and its brands, products and locations
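The cybersquatting item in the list above is one of the few that can be reduced to a concrete, repeatable check: newly observed domain names are compared against the enterprise's own brand labels and the look-alikes are queued for an analyst before they can be used for phishing. The following is an added example, not code from the article or from Blueliv; the brand label, the candidate domain list, the confusable-character map and the edit-distance threshold are constructed assumptions, and in practice the candidates would come from a certificate-transparency or newly-registered-domain feed.

```python
"""
Added example (not from the article): screen candidate domain names for
look-alike similarity to an enterprise's brand label. Brand, candidates and
thresholds are constructed for illustration.
"""
from typing import List, Optional, Tuple

# Assumed brand label(s) to protect, as the registrable label without the TLD.
BRAND_LABELS = ["examplebank"]

# Assumed domains the enterprise itself owns; these are never reported.
OWN_DOMAINS = {"examplebank.com"}

# Maximum Levenshtein distance that still counts as a near miss.
MAX_EDIT_DISTANCE = 2

# Characters commonly substituted to mimic a label, mapped back to the
# original so that "examp1ebank" and "examplebank" compare as equal.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed feed of newly observed domains.
CANDIDATES = [
    "examplebank.com",        # the enterprise's own domain
    "examp1ebank.com",        # digit 1 for letter l
    "exampIebank.com",        # capital I for letter l
    "examplebank-login.net",  # brand embedded in a longer label
    "examplebnak.org",        # transposed letters
    "unrelated-shop.com",     # nothing to do with the brand
]


def normalize(label: str) -> str:
    """Lower-case and undo common single- and multi-character substitutions."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable_label(domain: str) -> str:
    """Label immediately before the TLD. Simplification: multi-part public
    suffixes such as .co.uk are not handled here."""
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brand: str) -> Optional[str]:
    """Explain why a domain resembles the brand, or None if it does not."""
    norm, brand_norm = normalize(registrable_label(domain)), normalize(brand)
    if norm == brand_norm:
        return "confusable characters map to brand label"
    if brand_norm in norm:
        return "brand label embedded in a longer label"
    d = levenshtein(norm, brand_norm)
    if d <= MAX_EDIT_DISTANCE:
        return f"edit distance {d} from brand label"
    return None


def screen(domains: List[str], brands: List[str] = BRAND_LABELS) -> List[Tuple[str, str, str]]:
    """Return (domain, brand, reason) for every candidate worth an analyst's look."""
    hits = []
    for domain in domains:
        if domain.lower() in OWN_DOMAINS:
            continue
        for brand in brands:
            reason = classify(domain, brand)
            if reason:
                hits.append((domain, brand, reason))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in screen(CANDIDATES):
        print(f"{domain:26} ~ {brand}: {reason}")
```

The ordering of the three checks matters: an exact match after normalization is the strongest signal, embedding catches the "brand-login" style that edit distance misses, and edit distance picks up typos and transpositions that the other two do not. The output is a review queue, not a verdict; whether a flagged domain is actually a squat is for the analyst to decide.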

Step 2: Consider the Impact of Violating GDPR in the Event of a Data Security Incident
Enterprises that are asked to share personal data with regulators, such as information regarding data breaches, have to consider the impact of violating GDPR requirements. Data protection authorities can impose large fines on violators. There is also a certain amount of ambiguity about how much data sharing regulators consider acceptable.

Under GDPR, two enterprises that share data are required to have binding rules for doing so. GDPR also includes a provision that allows an individual to sue an enterprise in addition to a data protection authority, which means that enterprises need to tread carefully. One established channel for sharing threat data is the Anti-Phishing Working Group (APWG), a not-for-profit group dedicated to sharing information to fight cybercrime. It acts as a clearinghouse for cybercrime event data, distributing millions of reports on phishing sites and other IoCs to help organizations defend themselves. Its members include Microsoft, PayPal, McAfee, RSA and many financial institutions.4

Step 3: Increase the Importance and Frequency of Risk Assessments
Once enterprises identify vulnerabilities and threats to their assets, they generally perform risk assessments to determine the criticality, probability and frequency of the threat. GDPR requires that enterprises describe and document their information flows, identify their data protection requirements and risk factors, and substantiate efforts to reduce or eliminate risk. Enterprises then make efforts to integrate data protection solutions into existing or planned projects. As a result, risk assessments play an increasingly important role. Enterprises should address these questions:

  • How does the enterprise determine which risk assessments to perform?
  • Which risk assessments are prioritized?
  • Are risk assessments being conducted across the enterprise and across lines of business?
  • Are risk assessments integrating the security and privacy requirements of GDPR?
  • Are the lessons learned from data security incidents being used to identify processes and technology that should be reviewed?
  • Are tabletop exercises being used to identify threats to data stores?
  • Is the failure to discard personal data at the user’s request subjecting the enterprise to fines and penalties?
  • Are data governance rules being enforced?
  • Are threats to third parties and suppliers being identified, evaluated, ranked and mitigated?

The Nymity Privacy Management Accountability Framework recommends that a privacy risk assessment be performed.5 This assessment should cover the cybercontrols in place, such as those identified through the enterprise’s existing efforts to detect threats and vulnerabilities related to its data.

Step 4: Integrate Privacy Strategy With Threat Intelligence Strategy
The Nymity Privacy Management Accountability Framework recommends several activities that should overlap with an enterprise’s threat intelligence strategy. They include the following:6

  • Establish a privacy governance structure—Responsibility for data privacy should be properly assigned and overlapping responsibilities related to data security identified.
  • Maintain an inventory of personal data and processing activities—The intent is to identify categories of data so that enterprises can be warned about threats and vulnerabilities related to that data (e.g., through dark web monitoring).
  • Embed data privacy into operations—Data privacy controls should be embedded in security and business operations to ensure that SOC analysts are aware of the controls over the collection, use, storage and removal of sensitive personal data within the boundaries of the enterprise.7

Conclusion

Organizations are facing some interesting challenges in terms of integrating GDPR requirements into their threat intelligence programs. Threat intelligence has three objectives:

  1. Reduce the chance of a personal data breach occurring.
  2. Mitigate the effects of a breach if it does occur.
  3. Lower the costs associated with a breach.

Organizations should maintain proactive efforts including the following:

  • Be proactive in identifying and monitoring threats.
  • Seek intelligence about potentially infected devices, sensitive data and credentials.
  • Receive and respond to threat information in a timely manner.
  • Detect malware-infected resources that have circumvented endpoint security controls.
  • Identify newly compromised user or system credentials and data exfiltration efforts.
  • Conduct regular tests of incident response plans to ensure that the tools, techniques and processes to detect and remediate attacks and other crisis situations are in place and effective.
  • Implement robust security controls to demonstrate to customers, vendors and regulators that the enterprise’s security posture is strong enough to protect the personal data it maintains or accesses.
  • Track planned security and privacy controls, along with risk factors, gaps, planned remediations and residual risk.

It should be noted that GDPR will impose fines for security incidents related to attack vectors, including data breaches that originate from compromised user credentials and infected assets. Regulators may consider some or all of the following factors when calculating a fine: length of the breach, type and nature of response, actions taken to mitigate risk, and control posture.


Integrating GDPR and other privacy efforts into an enterprise’s threat intelligence program requires finding a balance between compliance and security. Enterprises must review their threat intelligence strategies, plans and programs, and their current security controls, to ensure that they encompass threats to personal data and data subjects and the ramifications for regulatory requirements.

Endnotes

1 Vladimirova-Kryukova, A.; “The Impact of GDPR on Cybersecurity Managers,” ISACA Now, 16 November 2018, https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2018/the-impact-of-gdpr-on-cybersecurity-managers
2 Forcepoint, “What Are Indicators of Compromise?” https://www.forcepoint.com/cyber-edu/indicators-compromise-ioc#
3 Blueliv, Data Breach Under GDPR: How Threat Intelligence Can Reduce Your Liabilities, Spain, 2017, https://www.blueliv.com/wp-content/uploads/2018/05/Data-breach-under-GDPR-Final.pdf
4 APWG, https://apwg.org/
5 Nymity, “A Practical and Operational Structure for Managing and Demonstrating Compliance With the World’s Privacy Requirements,” https://www.nymity.com/privacy-management-accountability-framework/
6 Ibid.
7 Experian Data Breach Resolution, Data Breach Response Guide 2013–2014 Edition, USA, 2013, https://www.experian.com/assets/data-breach/brochures

Larry Marks, CISA, CRISC, CGEIT, CFE, CISSP, CSTE, ITIL, PMP

Marks has focused his career on leading through collaboration to ensure that best practices are implemented to support compliance and process improvement, with a focus on audit, security, risk, compliance, privacy and program/project management across financial services, healthcare and telecommunications. He has extensive experience in designing, managing, auditing and implementing IT processes, policies, controls and technology. He has managed teams, priorities and expectations across business and IT leadership while delivering fit-for-purpose services. Marks has been published in numerous magazines and serves on industry magazines’ editorial advisory review committees.