Matti Neustadt Storie, Microsoft Alex Harmon, Microsoft Christopher Mills, Microsoft The European Union’s General Data Protection Regulation (GDPR) is the most impactful privacy law of the last generation. The GDPR requires us to apply more rigor to data privacy to avoid burdensome restrictions on data collection, and use, significant fines and credibility issues. Microsoft has developed a cross-company privacy architecture that will help enable compliance with this law, and those efforts include processes and procedures to manage and delete data as well as respond to data subject requests and enforce data subject rights. A general misunderstanding of when to de-identify items such as IP addresses, email addresses, internal customer or resource IDs, certificate thumbprints, VM names or any other piece of information can be considered “Personal Data” can lead to negative impact on security response. Learning how to work within the law while still preserving this key evidence like service tenant VM names, crash dumps, system logs containing personal identifiers, subscription IDs, or identifying content relating to vulnerability descriptions or proofs-of-concept, is necessary to do continued work in cybersecurity threat intelligence, forensic investigation, attacker attribution, and incident response. This presentation is designed to provide actionable information about how you can address your GDPR compliance obligations while still ensuring an effective cybersecurity readiness program.

1. The Law of
Unintended Consequences
MSRC & CELA
Alex Harmon, Chris Mills, Matti Neustadt Storie
GDPR Impact on
Cybersecurity Readiness and
Response

2. Special Thanks

5. The Responders’
Greatest Risk
Data
Minimization

6. Hypotheticals

7. Web App Compromise and Data Breach
Investigation stops
because IIS logs have
had all client IP
addresses (c_ip)
redacted
Attacker exfiltrates
several GB worth of
data
Attacker pivots into
database system
housing customer
data .
Web app
compromised via an
XSS attack.

8. DMCA Repeat Infringer
Legal risk incurred
because no DMCA
Safe Harbor
Alleged infringer
email is redacted
DMCA Safe Harbor
requires the user to
be terminated.
Multiple DMCA
Complaints received
alleging copyright
infringement

9. Stealing Intellectual Property
Law Enforcement
issues a search
warrant to Microsoft
40 days after the
event.
Customer engages
law enforcement to
enforce IP rights.
Microsoft customer
has their Azure
account compromised
and loses millions in
intellectual property.

10. Right of rectification
Right to be informed
Right to access
Right to data portability
Right to be forgotten (erasure)
Right to object
Right to restrict processing
Why Would GDPR Do this?

11. Right of rectification
Right to be informed
Right to access
Right to data portability
Right to be forgotten (erasure)
Right to object
Right to restrict processing
Why Would GDPR Do this?

12. Right to hide evidence of a crime
Right to disrupt business operations
Right to prevent legal or regulatory compliance
Not Included
NOT

13. GDPR Myths
Fact:
Deletion within 30 days does
only addresses 1 DSR.

14. Data Subject Rights & 30 Day Impact:
a
rr r r
r rrrrr
aaa

15. Controller? Processor? Both?
Per the reg: “… the natural or legal person, public
authority, agency or other body which, alone or jointly
with others, determines the purposes and means of
the processing of personal data.”
Per the reg: “… a natural or legal person, public
authority, agency or other body which processes
personal data on behalf of the controller.”
Simply: Decides how the data is processed. Simply: Processes the data at the direction of the
controller.
Decides:
• What data to collect
• Where & how to use the data
• How to share the data
• When to dispose of the data
Responsible for:
• Creating the IT systems and processes to facilitate the
Controller’s needs.
• Protecting the collected data
• Storing and processing the data per the Controller

17. GDPR Myths
Fact:
Data Asset Classifications used
for engineering are broad rules
to ensure compliance in all
situations. Response scenarios
may differ.

18. GDPR: Personal Data
• “Personal Data”
• For Incident Responders:
• Security Obligations
• Notification Requirements
• Are we a controller or a
processor? Yes.

19. https://aka.ms/EntOnlineSvcDataTaxonomy
Developed for All Enterprise Online Services
Defines Data Types and Gives Examples

20. GDPR Myths
Fact:
You don’t need an exception.
You need a legitimate interest.

21. GDPR Article 6
Do responders need
personal
information?
Logs.
More logs.
Even more logs.

22. Web app compromised via an XSS
attack.
Customer name
Web app IP address
• Determine affected
customers
• Determine affected assets
Attacker pivots into database
system housing customer data.
Other customer data
Information about third parties
belonging to the customer
• Identify specifically which data
were accessed
• Identify total scope of
exfiltrated data (i.e. size)
Attacker exfiltrates several GB
worth of data
Exfiltration log information – IP
addresses
• Identify the attacker to detect
further attempts

23. GDPR Article 6

24. GDPR Article 6

25. GDPR and Security
• GDPR Compliance is never an excuse to
avoid securing your system.
• Security incident responders and analysts
NEED some of the same data that’s being
redacted or prematurely expired because of
a well-intentioned but ultimately damaging
effort to comply with GDPR.
• Real security investigations have been
hampered or entirely prevented due to
these issues.

26. Operationally
Variants approved for OPG, C+AI, AI&R, and WDG
Covers Security Logs, Telemetry, Crash Dumps
3-Year Retention from Time of Collection
Can Reject Certain Data Subject Rights Requests

27. Call To Action
Ask questions.
Understand what you might be missing.
Talk to your engineers.
Enable retention.

28. Thank you.
@TheChrisAM