
SECURITY OPERATIONS CENTER

– is it the right answer for new EU cybersecurity law?

Mariusz Stawowski, Ph.D.


CISSP, CEH
Technical Director, CLICO

© 1991 − 2017, CLICO.eu


CLICO Competence Center
• 35+ security and networking experts
• The biggest Security VAD in the region (IDG report)
• Security audits, ATC, PS, etc.
• Operating in Central and Eastern Europe: Poland, Romania, Bulgaria, Croatia, Slovenia, Serbia, Hungary, Slovakia, Czech Republic
Security Operations Center (SOC) - centralized unit that deals with security issues on an organizational (business) and technical level.

Other names: Information Security Operations Center (ISOC), CyberSecurity Operations Center (CSOC), Security Defense Center (SDC), Security Analytics Center (SAC), Network Security Operations Center (NSOC), Security Intelligence Center (SIC), Cyber Security Center (CSC), Threat Defense Center (TDC), Security Intelligence and Operations Center (SIOC), Infrastructure Protection Centre (IPC)

SOC vs CERT, CSIRT

SOC types: Corporate SOC, Outsourced SOC, Cloud SOC

More information: "Building a World-Class Security Operations Center: A Roadmap", SANS Institute 2015
Intelligence-Driven SOC

• SIR - Security Incident Response
• SOA - Security Operations Automation
• TVM - Threat and Vulnerability Management

More information: "The Five Characteristics of an Intelligence-Driven Security Operations Center", Gartner 2015
General Data Protection Regulation (GDPR), Regulation (EU) 2016/679

More information: http://eur-lex.europa.eu/eli/reg/2016/679/oj
Risk-based approach to security

Risk analysis and safeguards:
• Art. 35 - Data protection impact assessment
• Art. 25(1) - Data protection by design
• Art. 25(2) - Data protection by default
• Art. 32 - Security of processing

Incidents management and reporting:
• Art. 33 - Notification of a personal data breach to the supervisory authority
• Art. 30 - Records of processing activities


ISO/IEC 29134 - Guidelines for privacy impact assessment

1. Identify information flows of PII in business processes and IT systems
   Input: description of business processes and IT systems processing PII
2. Analyse the implications of the use case (potential PII principals, user behaviour within the respective business processes, threats, etc.)
3. Determine the relevant privacy safeguarding requirements
4. Assess privacy risk
   4.1 Privacy risk identification
   4.2 Privacy risk analysis (i.e. analyse the potential consequences and threats of the privacy risks identified, and estimate their levels of impact and likelihood)
   4.3 Privacy risk evaluation (prioritize the identified privacy risks, and create a privacy risk map)
5. Prepare for treating privacy risks
   5.1 Choose the privacy risk treatment options (i.e. risk reduction, retention, avoidance, and transfer)
   5.2 Determine appropriate controls for the treatment options chosen
   5.3 Create privacy risk treatment plans, control plans, risk owner approvals, acceptance statement, etc.

Source: ISO/IEC 29134 - Information technology — Security techniques — Guidelines for privacy impact assessment, First edition 2017-06
No more "checklist" approach to security

Article 32 - Security of processing:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
How to effectively protect Sensitive Data?
MULTILAYERED SECURITY IS RECOMMENDED*

• DLP world market leader for 9 years (Gartner)
• The most effective NGFW on the market (NSS Labs)
• Blocked 99.91% of exploits, 100% of evasions (NSS Labs)

*Gartner's Top 10 Strategic Technology Trends for 2017
ISSA: Practical Steps for Compliance with New EU Data Privacy Regulations

1. Locate the data
2. Define access
3. Identify and manage security risks

More information: ISSA Journal, February 2017, Patrick Looney, "Practical Steps for Compliance with New EU Data Privacy Regulations".
Practical Steps for Compliance with New EU Data Privacy Regulations

1. Locate the data - example of a useful solution:
• DLP helps organizations understand where Personal Data is located
• For many organizations, locating Personal Data is the most difficult element of GDPR compliance


IDENTIFY WHAT NEEDS TO BE PROTECTED
(diagram: most accurate detection; many tools for different types of data and purposes; machine learning)
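Locating personal data at rest, the first ISSA step above, means more than matching patterns: a bare regex for a 16-digit number also fires on asset tags, order references and IBAN fragments, so accurate classifiers validate each candidate before reporting it. The following is an added example written for this page, not code from the slides or from any DLP product. It scans a constructed set of files for payment card numbers (validated with the Luhn check, relevant to the PCI-DSS requirement a later slide lists), IBANs (ISO 13616 mod-97 check) and e-mail addresses, and reports per-file counts. The corpus, the three data classes and the regular expressions are assumptions for illustration; production DLP adds many more classifiers, OCR and document fingerprinting.

```python
"""Locate personal data at rest: regex candidates, then checksum validation.

Added example for this page; not code from the slides or any DLP product.
The file corpus and the three data classes are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample corpus: path -> file contents. Two entries hold digit
# runs that look like card numbers but fail the Luhn check (asset tag, order ref).
SAMPLE_FILES = {
    "hr/payroll_2017.csv": "employee;iban\nK. Nowak;GB82 WEST 1234 5698 7654 32\n",
    "sales/cards_export.txt": (
        "order 1043 paid with 4111 1111 1111 1111\n"
        "order 1044 ref 1234 5678 9012 3456\n"
        "order 1045 paid with 5555 5555 5555 4444\n"
    ),
    "it/inventory.txt": "asset tag 5555444433332222 rack 12\n",
    "marketing/list.txt": "contact: kate.nowak@example.com\n",
    "docs/readme.txt": "No personal data here.\n",
}

# Candidate patterns; deliberately loose, the validators do the precision work.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13-19 digits, optional separators
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; separators are ignored."""
    digits = re.sub(r"[ -]", "", number)
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters to the end,
    replace letters with 10..35 and require a remainder of 1."""
    compact = iban.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34 or not compact.isalnum():
        return False
    rotated = compact[4:] + compact[:4]
    numeric = "".join(str(int(c, 36)) for c in rotated)
    return int(numeric) % 97 == 1


# data class -> (candidate pattern, validator)
DETECTORS = {
    "payment_card": (PAN_RE, luhn_valid),
    "iban": (IBAN_RE, iban_valid),
    "email": (EMAIL_RE, lambda _: True),
}


def scan_text(text: str) -> dict:
    """Return {data_class: [validated matches]} for one document."""
    hits = defaultdict(list)
    for name, (pattern, validate) in DETECTORS.items():
        for match in pattern.finditer(text):
            if validate(match.group(0)):
                hits[name].append(match.group(0))
    return dict(hits)


def scan_corpus(files: dict) -> dict:
    """Return {path: {data_class: count}} for every file holding validated personal data."""
    inventory = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            inventory[path] = {name: len(found) for name, found in hits.items()}
    return inventory


if __name__ == "__main__":
    for path, counts in scan_corpus(SAMPLE_FILES).items():
        print(f"{path}: {counts}")
```

Running the scan over the constructed corpus reports the payroll file (one IBAN), the sales export (two card numbers) and the marketing list (one e-mail); the inventory file and the order reference are matched by the regex but rejected by the Luhn check, which is the difference between a usable data inventory and a flood of false positives.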


Practical Steps for Compliance with New EU Data Privacy Regulations

2. Define access - example of a useful solution:
• DLP is a natural answer to GDPR's data security requirements
• DLP helps organizations avoid data leaks (e.g. theft of personal data, personal data sent outside the organization by mistake)


COMPLETE DATA PROTECTION

• Data-in-motion: Network DLP - Web, Email, FTP, Active Sync, Instant Message
• Data-at-rest: Storage DLP - Network Storage, Cloud Services & Applications
• Data-in-use: Endpoint DLP - Printers (Local & Network), USB/DVD Removable Media


7 features of effective DLP

1. DLP protects sensitive data locally on user computers, including data copied from databases, without needing to send the data to the DLP server. DLP works even if the user computer is offline.
2. DLP protects sensitive data locally on web proxies and mail gateways, without needing to send the data to the DLP server. Sensitive data is less exposed to manipulation in the network.
3. DLP protects sensitive data in cloud apps, e.g. the Office 365 email gateway.
4. DLP detects sensitive data embedded in images and scanned PDF documents using Optical Character Recognition (OCR).
5. DLP detects leaks carried out over a long period by aggregating small pieces of data (Drip DLP feature).
6. DLP automatically classifies, risk-assesses and prioritizes incidents based on event aggregation and user behavior (Incident Risk Ranking feature).
7. DLP integrates with User & Entity Behavior Analytics (UEBA) solutions and takes actions depending on user behavior and risk.
Practical Steps for Compliance with New EU Data Privacy Regulations

3. Identify and manage security risks - example of a useful solution:
• User & Entity Behavior Analytics (UEBA) helps the organization detect incidents effectively, respond on time and avoid Personal Data breaches


Breach notification is a legal obligation

• GDPR Art. 33
Mandatory incident reporting for personal data breach
• NIS Directive Art. 16 (4)
Mandatory incident reporting for digital service providers
• Telecom Framework Directive Art. 13a
Mandatory incident reporting in the telecom sector
• eIDAS regulation Art. 19
Mandatory incident reporting for trust service providers

More information: https://www.enisa.europa.eu/topics/incident-reporting


Breach notification is a legal obligation

Art. 33 - Notification of a personal data breach to the supervisory authority: (…) not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority (…)

The notification shall at least (Art. 33(3)):
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details (…);
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, (…)

Art. 30 - Records of processing activities


How to effectively manage incidents?

Complex and time-consuming

Methodologies of Incident Management:
• "Incident Handler's Handbook", SANS Institute 2011
• "Computer Security Incident Handling Guide" (SP 800-61 Rev. 2), NIST 2012
• "Strategies for incident response and cyber crisis cooperation", ENISA 2016
• "CSIRT Services Framework", Forum of Incident Response and Security Teams (FIRST)
• "SIM3: Security Incident Management Maturity Model", S-CURE and PRESECURE
"(…) Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise."

More information: http://www.gartner.com/smarterwithgartner/gartners-top-10-technology-trends-2017/


UEBA HOLISTIC SURVEILLANCE (screenshot slide)

UEBA INCIDENT DETECTION (screenshot slide)
UEBA PURPOSE-BUILT UI FOR ANALYSTS

• Identify highest risk employees
• Fast, friendly forensics
• Streamlined event review


DATA PROTECTION: DLP AND UEBA INTEGRATION

• Forcepoint DLP - Compliance
• Forcepoint DLP - IP Protection
• Forcepoint Insider Threat - User Protection
• Forcepoint UEBA - Analytics for Data & User Protection

Product fit to need:
• Compliance: GDPR Art. 33, NIS Directive Art. 16(4), Telecom Framework Directive Art. 13a, eIDAS regulation Art. 19, PCI-DSS
• IP Protection: Intellectual Property


DLP RISK CALCULATION BASED ON USER ACTIVITY

• User risk score is calculated hourly by UEBA
• User risk level (1 - 5) is computed by UEBA
• Current risk levels computed by UEBA are synced with the DLP management system


DATA PROTECTION: RISK ADAPTIVE PROTECTION

Actions vary based on the risk level of people and the value of data:
• Risk - based on user actions and 3rd-party data sources
• Value of data - based on data classification

Policy per risk group (example user: Kate):
• High risk group: observe Kate's every user & machine detail and block all data transfers or copies anywhere
• Medium risk group: observe Kate much more closely, with video from local cache
• Low risk group: encrypt fingerprinted files to USB drives but allow others to be copied
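Two of the capabilities in this deck can be shown working together in code: the Drip DLP and Incident Risk Ranking features from the "7 features of effective DLP" list (a leak spread over many small transfers, each below any per-event threshold, and a risk level derived from the aggregated incidents), and the risk-adaptive policy on this slide, where the action taken depends on the user's risk group and the data classification. The following is an added example written for this page, not code from the slides or from any vendor product. The event format, the thresholds, the mapping of incidents to a 1-5 risk level (standing in for the hourly UEBA score) and the level cut-offs for the three risk groups are all assumptions chosen for illustration; the sample events are constructed.

```python
"""Drip-leak aggregation feeding a risk-adaptive DLP decision.

Added example for this page; not code from the slides or from any vendor
product. The event format, thresholds, the 1-5 risk-level mapping and the
policy matrix are assumptions chosen to mirror the three risk groups on the slide.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed DLP events: "<ISO timestamp> <user> <channel> <records> <classification>".
# kate moves 4 records a day for eight days (under any per-event threshold),
# bob moves 50 records at once, alice e-mails two fingerprinted files.
SAMPLE_EVENTS = (
    [f"2017-09-0{d}T09:00:00 kate usb 4 pii" for d in range(1, 9)]
    + ["2017-09-03T14:20:00 bob web 50 pii",
       "2017-09-02T10:05:00 alice email 2 fingerprinted",
       "2017-09-05T10:05:00 alice email 2 fingerprinted"]
)

PER_EVENT_THRESHOLD = 5            # records in one event that are an incident by themselves
DRIP_WINDOW = timedelta(days=7)    # rolling window over which small transfers are summed
DRIP_THRESHOLD = 30                # cumulative records per user in the window


def parse_event(line: str):
    ts, user, channel, count, classification = line.split()
    return datetime.fromisoformat(ts), user, channel, int(count), classification


def detect(lines):
    """Return incidents as (timestamp, user, kind, records), ordered by time.

    kind is "bulk" for a single event at or above PER_EVENT_THRESHOLD (reported
    directly, not fed into the drip window) and "drip" the first time a user's
    rolling-window total of small transfers reaches DRIP_THRESHOLD.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    window = defaultdict(deque)     # user -> deque of (ts, records) inside DRIP_WINDOW
    total = defaultdict(int)
    drip_flagged = set()
    incidents = []
    for ts, user, _channel, count, _cls in events:
        if count >= PER_EVENT_THRESHOLD:
            incidents.append((ts, user, "bulk", count))
            continue
        q = window[user]
        q.append((ts, count))
        total[user] += count
        while q and ts - q[0][0] > DRIP_WINDOW:     # expire events older than the window
            total[user] -= q.popleft()[1]
        if total[user] >= DRIP_THRESHOLD and user not in drip_flagged:
            drip_flagged.add(user)
            incidents.append((ts, user, "drip", total[user]))
    return incidents


def risk_level(incidents, user: str) -> int:
    """Assumed 1-5 mapping standing in for the hourly UEBA risk level on the slide."""
    kinds = {kind for _, u, kind, _ in incidents if u == user}
    if {"bulk", "drip"} <= kinds:
        return 5
    if "bulk" in kinds:
        return 4
    if "drip" in kinds:
        return 3
    return 1


def decide(level: int, classification: str, channel: str) -> str:
    """Risk-adaptive action following the slide's three groups (assumed level cut-offs)."""
    if level >= 4:                                               # high risk group
        return "block"
    if level == 3:                                               # medium risk group
        return "allow+observe"
    if channel == "usb" and classification == "fingerprinted":   # low risk group
        return "encrypt"
    return "allow"


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for ts, user, kind, records in found:
        print(f"{ts.isoformat()} {user:<6} {kind:<4} {records} records")
    for user in ("kate", "bob", "alice"):
        level = risk_level(found, user)
        print(user, level, decide(level, "pii", "usb"))
```

On the constructed events, bob is caught immediately as a bulk incident, while kate never crosses the per-event threshold and is only flagged on the eighth day, when her 7-day total reaches 32 records; alice stays at risk level 1 and would have her fingerprinted files encrypted on USB but otherwise be allowed to work. The thresholds and window length are tuning decisions for each organization, and the returned action strings stand for the enforcement a real endpoint or network DLP agent would carry out.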


DIRECTIONS TO ACHIEVE COMPLIANCE WITH THE NEW EU CYBERSECURITY LAW

1. No more "checklist" approach to security
2. Risk-based approach
3. Mandatory incident reporting

High-quality safeguards and security management tools can significantly help organizations comply with the new EU cybersecurity law.
