GDPR for MSSPs: are you sure you're compliant?


Given that the 1995 Data Protection Directive was written well before the advent of cloud and managed IT services, its protections can no longer keep pace with technological change. Unlike its predecessor, GDPR will soon fill those gaps, covering not only the organisations that collect personal data but also any third parties that access, process or store it.

With organisations increasingly turning to external service providers for help with their security needs, MSSPs must ensure in the run-up to GDPR that the services they offer meet the regulation's requirements. Failing to do so could place them in the firing line.

MSSPs' role as a processor

In GDPR terminology, MSSPs are classified as "processors," in that they hold and use personal data on behalf of their customers, the "controllers". Under GDPR, MSSPs will have to provide various assurances to their customers that they meet the legislation's new requirements, particularly around the technologies and processes in place to protect sensitive data.

Yet this is easier said than done. In the absence of a recognised accreditation, it will be up to individual MSSPs to make sure that their existing processes and tools can keep them compliant.

Are your security management tools up to the job?

The GDPR states that both processors and controllers are required to implement "technical and organisational measures" to mitigate the risk to individuals that arises from handling personal data (Articles 25 and 32). These measures should include protection against the deliberate or accidental access, transmission, destruction, loss, alteration or disclosure of personal data that could lead to physical or reputational damage to any EU citizen (Article 32).

Organisations opting for a managed service model for security are pushing some of the regulatory burden onto their MSSP. Since monitoring access to customer data will become part of GDPR compliance, MSSPs will be responsible for ensuring they can effectively track user activity, such as access to sensitive data.

However, the technical tools MSSPs currently use fall short in two ways. Firstly, they do not provide the context needed to determine whether an attacker is accessing confidential data. Secondly, when a breach does occur, they often miss the full picture, allowing an attacker to remain in the network and potentially cause further damage.

Post-breach reporting is another area of concern for MSSPs. The new Data Protection Officer (DPO) role created under GDPR will be obliged to report breach incidents to local authorities within 72 hours (Article 33), and to affected persons as soon as possible. To provide accurate information to both the authorities and customers, DPOs must establish the full scope and impact of the breach, so MSSPs must make sure that their existing technical measures can deliver timely and complete post-breach forensic information.

Rethinking security

MSSPs typically use traditional SIEM (Security Information & Event Management) technologies as the main vehicle for managing data security in their Security Operations Centres. SIEM technology was fit for purpose a decade ago, when data volumes were relatively small, attacks were single incidents and infrastructure was fairly simple. For example, there was less remote working, very few companies had BYOD policies, and emerging cloud applications were hardly used by larger organisations.

Today the style of attack has changed considerably: instead of perimeter probing, compromised insiders and zero-day internal attacks are now the norm. Such attacks are hard for traditional SIEM technologies to detect with their correlation-based approach. Advances in analytics and data science are the future for this market.

The need to show clearly how a breach started, and to identify everything an attacker touched during the incident, poses a significant problem for MSSPs relying on a traditional SIEM. Visibility is poor, which makes cloud applications an effective blind spot, and large rule sets generate so much noise that it is difficult to automate response and reduce risk exposure.

MSSPs are starting to understand that they need to rethink security management in light of GDPR. Greater visibility will enable them to identify threats to customers much more quickly and with higher accuracy, and will provide a better understanding of how a breach started and the path it took, without hours or days of manual work. With this higher degree of visibility and understanding, automated controls can be applied to remediate an attack before it grows out of control.

Ultimately, the MSSP will be able to demonstrate to current and future customers that it has the right controls in place to limit the chance of data falling into the wrong hands. Not only that, it will avoid some nasty fines in the process.

Brett Candon is EMEA channel director at Exabeam