Slides from the GDPR Security Roundtable hosted in Zurich. Part 2 of 2. “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world" - Goal of the General Data Protection Regulation.

1. © 2017 SPLUNK INC.© 2017 SPLUNK INC.
GDPR Security Roundtable
Grüezi – Bonjour – Welcome – Willkommen – Buongiorno
Part II
Angelo Brancato
22th November 2017, Marriott Zürich

2. © 2017 SPLUNK INC.
Recap.
What is Personal Data?
Information relating to an directly or indirectly identifiable
natural person (data subject).
(e.g. Name, Address, IP Address, biometric data, gene
sequence)
Data Protection Officers (DPO):
Controllers and Processors must designate a DPO*.
Can be shared; Can be 3rd Party (virtual DPO or DPOaaS)
Who has to adhere to GDPR?
All entities, worldwide, that target to do business or monitor EU
residents.
What is a Breach?
“‘personal data breach’ means a breach of security leading to
the accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed”
Breach Notification
By the DPO, within 72 hours to the Data Protection Authority
(DPA) and also to all data subjects - if data was not secured
- where it is likely to result in a risk to the rights and
freedoms of individuals.
Data Subject
personal data
ControllerProcessor
can be the same oranization
personal data
What is a Consent?
data subject's freely given, specific, informed and
unambiguous agreement to the processing of personal data.
Right to… Access; Erasure; Portability; Rectification

3. © 2017 SPLUNK INC.
Splunk for GDPR
Process
People
Technology

4. © 2017 SPLUNK INC.
It’s all about determining the risk
and be able to defend it in front of the authorities!
Exemplary Splunk Glass
Table Dashboard
showing quantitative risk
in real-time.
KPIs can be clicked to
see the details.

5. © 2017 SPLUNK INC.
​Prove GDPR
Security Controls
are enforced
​Detect, Prevent
and Investigate
Data Breaches
​Search and Report
on Personal Data
Processing
Splunk for GDPR

6. © 2017 SPLUNK INC.
​Prove GDPR
Security Controls
are enforced
​Detect, Prevent
and Investigate
Data Breaches
​Search and Report
on Personal Data
Processing
Splunk for GDPR
Threat Detection /
Breach Avoidance
Comply with Data Impact Assessments
Comply with new data subject rights
+
Minimize Risk of Fines
Minimize Risk of Reputation Damage
Competitive Advantage!

7. © 2017 SPLUNK INC.
Splunk for GDPR
Detect, Prevent
and Investigate
Data Breaches
The Forrester Wave:
Security Analytics Platforms, Q1 2017Gartner MQ for SIEM, Aug. 2016
IT Operations
Application Delivery
Industrial Data & IoT
Business Analytics, Future Markets
IT Security, Compliance & Fraud
Monitor Detect Investigate Respond
Enterprise
ES, UEBA
On-Premise, Cloud, Hybrid | Analytics for Hadoop
Different people
asking
different questions…
…of the same data.
Machine
Data
Article 33 - Notification of a personal data breach to the supervisory authority
Article 34 - Communication of a personal data breach to the data subject
Data Breach
Notification

8. © 2017 SPLUNK INC.
Does Splunk break GDPR?
(49) The processing of personal data to the extent strictly necessary and proportionate for the
purposes of ensuring network and information security, i.e. the ability of a network
or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious
actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted
personal data, and the security of the related services offered by, or accessible via, those networks and
systems, by public authorities, by computer emergency response teams (CERTs), computer
security incident response teams (CSIRTs), by providers of electronic communications
networks and services and by providers of security technologies and services, constitutes a
legitimate interest of the data controller concerned. This could, for example, include
preventing unauthorised access to electronic communications networks and malicious code distribution and
stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.
No!

9. © 2017 SPLUNK INC.
Forwarder Splunk User
Data Layer Protection (In-Motion & At-Rest )Event Data
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy Meters
Firewall
Intrusion
Prevention
Indexer Search Head
on-site | cloud
Option 2
Event Data Presentation Layer Protection Option 1
“Always-On” Transport Layer Protection (TLS)
Can Access to Personal Data be controlled in Splunk?
Yes!
See also .conf2017 session:
http://conf.splunk.com/sessions/2017-sessions.html#search=Data%20Obfuscation%20and%20Field%20Protection%20in%20Splunk&

10. © 2017 SPLUNK INC.
ccn=
5105-1051-0510-5100
ccn=fb415937c6f3065774810b300720cb3f2e82340a09b42b074fd13a09bc341fd939029012a
(e.g. SHA256 hash)
Anonymization
Option 1: Presentation Layer Protection
Forwarder Splunk User
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy Meters
Firewall
Intrusion
Prevention
Indexer Search Head
ccn=U2FsdGVkX1+pn/g/S3aXZKlq+dMegBKi0P4H6Ge86ZjUPeYjlvAYEBfnL3XM6tyzPseudonymization
(e.g. AES256 encryption)
ccn=5105-0864-7332-5372
Format Preserving
Pseudonymization
(e.g. Format-Preserving-Encryption /
Tokenization)
Data as is Presentation Layer Protection
on-site | cloud
“Always-On” Transport Layer Protection (TLS)
Result Masking

11. © 2017 SPLUNK INC.
Option 2: Data Layer Protection
Forwarder Splunk User
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy Meters
Firewall
Intrusion
Prevention
Indexer Search Head
Data as is Data Layer Protection (In-Motion & At-Rest )
on-site | cloud
“Always-On” Transport Layer Protection (TLS)
ccn=
5105-1051-0510-5100
ccn=fb415937c6f3065774810b300720cb3f2e82340a09b42b074fd13a09bc341fd939029012a
(e.g. SHA256 hash)
Anonymization
ccn=U2FsdGVkX1+pn/g/S3aXZKlq+dMegBKi0P4H6Ge86ZjUPeYjlvAYEBfnL3XM6tyzPseudonymization
(e.g. AES256 encryption)
ccn=5105-0864-7332-5372
Format Preserving
Pseudonymization
(e.g. Format-Preserving-Encryption /
Tokenization)
Regex Replace
Scheduled Search

12. © 2017 SPLUNK INC.
Option 2: Data Layer Protection
Forwarder Splunk User
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy Meters
Firewall
Intrusion
Prevention
Indexer Search Head
Optional:
+ Original Event
Data as is Data Layer Protection (In-Motion & At-Rest )
on-site | cloud
“Always-On” Transport Layer Protection (TLS)
ccn=
5105-1051-0510-5100
ccn=fb415937c6f3065774810b300720cb3f2e82340a09b42b074fd13a09bc341fd939029012a
(e.g. SHA256 hash)
Anonymization
ccn=U2FsdGVkX1+pn/g/S3aXZKlq+dMegBKi0P4H6Ge86ZjUPeYjlvAYEBfnL3XM6tyzPseudonymization
(e.g. AES256 encryption)
ccn=5105-0864-7332-5372
Format Preserving
Pseudonymization
(e.g. Format-Preserving-Encryption /
Tokenization)
Modular /
Batch Processing

13. © 2017 SPLUNK INC.
Option 2: Data Layer Protection
Forwarder Splunk User
EP
(External Processor)
On-Premises
Private Cloud
Public
Cloud
Storage
Online
Shopping Cart
Telecoms
Desktops
Security
Web
Services
Networks
Containers
Web
Clickstreams
RFID
Smartphones
and Devices
Servers
Messaging
GPS
Location
Packaged
Applications
Custom
Applications
Online
Services
DatabasesCall Detail
Records
Energy Meters
Firewall
Intrusion
Prevention
Indexer Search Head
Optional:
+ Original Event
Data as is Data Layer Protection (In-Motion & At-Rest )
on-site | cloud
“Always-On” Transport Layer Protection (TLS)
ccn=
5105-1051-0510-5100
ccn=fb415937c6f3065774810b300720cb3f2e82340a09b42b074fd13a09bc341fd939029012a
(e.g. SHA256 hash)
Anonymization
ccn=U2FsdGVkX1+pn/g/S3aXZKlq+dMegBKi0P4H6Ge86ZjUPeYjlvAYEBfnL3XM6tyzPseudonymization
(e.g. AES256 encryption)
ccn=5105-0864-7332-5372
Format Preserving
Pseudonymization
(e.g. Format-Preserving-Encryption /
Tokenization)
External Processor

14. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business

15. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business
Infrastructure / Business Functions
SOC
Network, Server, Security, Endpoint, Cloud, Database, Facility /
DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
IR
KPI
Data
Source
Business
Context/Risk
Security
Context
Playbooks

16. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Machine
Data
Enterprise
On-Premise, Cloud, Hybrid
Universal Indexing

17. © 2017 SPLUNK INC.
Visibility Across the Ops Environment
API
SDKs UI
Server,
Storage. N/W
Server
Virtualization
Operating
Systems
Mobile
Applications
Cloud Services
Other Tools
Ticketing/Help
Desk
No rigid schemas – add in data from any other source.
Custom
Applications
API Services
Infrastructure
Applications
Example Data Sources…
On-Premise, Cloud, Hybrid | Analytics for Hadoop

18. © 2017 SPLUNK INC.
Visibility Across the Security Environment
API
SDKs UI
Firewalling IDS/IPS
Vulnerability
Management
DLP
Threat
Intelligence
NBAD
Other Tools
Ticketing/Help
Desk
Proxy / Users
Malware /
Endpoint
proofpoint
Qualys
PAN
ThreatConnect
VectraNetworks
Anomali FireEye
CBlack
Phantom Recorded Future
Example Data Sources…
Bro
TippingPoint
FirePower
Rapid7
On-Premise, Cloud, Hybrid | Analytics for Hadoop
No rigid schemas – add in data from any other source.

19. © 2017 SPLUNK INC.
Visibility Across the Dev Lifecycle
API
SDKs UI
Other Tools
Escalation/
Collaboration
Plan Code Build Test/QA Stage Release MonitorConfig
Example Data Source…
On-Premise, Cloud, Hybrid | Analytics for Hadoop
No rigid schemas – add in data from any other source.

20. © 2017 SPLUNK INC.
Visibility and Enforcement for GDPR
API
SDKs UI
Report Compliance
Detect, Prevent
and Investigate
Data Breaches
Example Data Sources…
On-Premise, Cloud, Hybrid
No rigid schemas – add in data from any other source.
Protect
…
Classify
SDM/ControlPoint
…
Find
Trust Center
…
Prove GDPR
Security Controls
are enforced
Search and Report
on Personal Data
Processing
Govern
Content Manager
…
Securiity
IT-Ops
Cloud
IoT
…

21. © 2017 SPLUNK INC.
SOC Playbooks
Splunk for the SOC - Overview
Machine
Data
Monitor Detect Investigate Respond
Schema-On-Read
Adaptive Response
Enterprise
On-Premise, Cloud, Hybrid
Universal Indexing
Tier 1 - Alert Analyst
Notable Event Triage
Tier 2 - Incident Responder
Tier 3 - SME / Hunter
Process
People
Technology
Enterprise Security & UEBA
Business
Business Functions
SOC
1.
2.
3.
i.e.
i.e. calculate command length standard deviation - stdev

22. © 2017 SPLUNK INC.
IT Operations
Application Delivery
Industrial Data & IoT
Business Analytics, Future Markets
IT Security, Compliance & Fraud
Different People ask Different Questions of the
same Data
Monitor Detect Investigate Respond
Enterprise
On-Premise, Cloud, Hybrid
Machine
Data
Enterprise Security & UEBA
Different people
asking
different questions…
…of the same data.

23. © 2017 SPLUNK INC.
Splunk for the SOC - Overview
Business
Infrastructure / Business Functions
SOC
Network, Server, Security, Endpoint, Cloud, Database, Facility /
DevOps, HR, R&D, Sales, Legal, GRC, Finance, Manufacturing etc.
Data
Source
Business
Context/Risk
IR
KPI
Security
Context
Data Monitor Detect Investigate Respond

24. © 2017 SPLUNK INC.
Splunk for the SOC – Functional View
Business
Infrastructure / Business Functions
SOC
Data Collection
Assets
Audit / GRC
Threat Intel. Artefacts
Data
Source
Security Analytics
Business
Context/Risk
Visualization & Reporting
Incident Response
IR
KPI
Security
Context

25. © 2017 SPLUNK INC.
Example: Use Case Design –
Privileged User Monitoring (PUM)
Business
Infrastructure / Business Functions
SOC
Data Collection
Assets
Audit / GRC
Threat Intel. Artefacts
Data
Source
Security Analytics
Business
Context/Risk
Visualization & Reporting
IncidentResponse
IR
KPI
Security
Context
Function Description
Data Sources IM* logs
Active Directory
LDAP, RADIUS
etc.
Assets (Privileged) User Accounts
User Groups
Servers, Hosts
Networks, Files,
Databases
Locations, etc.
Audit/GRC (Business) Risk Compliance
Threat Intel. -
Security Analytics CS*- Default Account Activity detected
CS - Brute Force Access behavior
CS - Excessive Failed Login
CS - Concurrent Login detected
CS - Geographically Improbable Access Detected
CS - High or Critical Priority Individual Logging into Infected
Machine
Incident Response Firewall: Quarantine Host
Ticket System: Open Ticket
Visualization &
Reporting
D*– Access – All Dashboards (6)
D – Identity – All Dashboards (3)
D – User Intelligence – All Dashboards (5)
Glass Tables
KSI*: Authorized privileged user access
KSI: Blocked privileged user access
Kill-Chain mapping Exploitation, Installation, Actions&Objectives
CIS* Top 20 mapping 5, 6, 14, 16
Attackers are increasingly using privileged user credentials to
access corporate resources, sensitive information and exfiltrate
sensitive data. Privileged user accounts are accounts with
elevated privileges, such as users with Domain Administrator
rights or root privileges. Effective privileged user monitoring
(PUM) helps organizations to protect critical assets, meet
compliance requirements and mitigate both external threats and
insider threats.
CS: Correlation Search IM: Identity Management CIS: Center of Internet Security
D: Dashboard KSI: Key Security Indicator

26. © 2017 SPLUNK INC.

27. © 2017 SPLUNK INC.
Splunk for GDPR
Prove GDPR
Security Controls
are enforced
Article 32 - Security of processing
Article 58 - Supervisory Investigative Powers
Risk
Minimization
Report
Compliance
DPIA

28. © 2017 SPLUNK INC.
Splunk for GDPR
Search and Report
on Personal Data
Processing
Article 30 - Records of Processing Activity
Article 5, 15, 17, 18 and 28 - Data Subject Rights
Supply chain
Obligations
Right to be
Forgotten
Right of
rectification
Right of access
Right of data
portability
…

29. © 2017 SPLUNK INC.

30. © 2017 SPLUNK INC.
Real-Time GDPR risk
alerting thru the notable
event framework
(correlation framework)
of Splunk Enterprise
Security.

31. © 2017 SPLUNK INC.
Enterprise Security
Pre-built searches, alerts, reports, dashboards, threat intel feeds and workflow.
31
Dashboards & Reports Incident Investigations
and Management
Statistical Outliers & Risk Scoring Asset & Identity Aware
• Correlation- and Notable Event
Framework
• Risk Scoring Framework
• OTB key Security Metrics,
Dashboards, Use Cases &
• Analytic Stories
• Incident Investigation workflow
• Adaptive Response
• Glass Tables,
• etc…
Detect, Investigate & Response

32. © 2017 SPLUNK INC.
​Prove GDPR
Security Controls
are enforced
​Detect, Prevent
and Investigate
Data Breaches
​Search and Report
on Personal Data
Processing
Q&A

33. © 2017 SPLUNK INC.
Thank You.