Storm Emma, GDPR and the CIS CSC 20
It is back to work and school this week, following the most severe blizzard in years to hit Ireland, Storm Emma (Emma; who decides the names?). The country was under the highest weather warning, a red alert, as the worst snow in 35 years swept north across the island. All shops were closed because of the weather, and because they had no fresh meat, bread or milk left! There seemed to be more talk about the lack of bread on the shelves than about the weather, which is really unusual for the Irish. I saw some students walking home from the stores with cases of beer, pizza, beer, movies, no mortgage to pay, no worries, happy days, good for them!
Anyway, this storm has reminded me of another one that is on the way and will also have a severe impact: the ‘GDPR’ storm. GDPR is a hot topic for many people and organizations all over the world at the moment, not just across the EU but also for ‘non-EU’ companies with no presence in the EU. The EU is such an important market that, as a result, many of those organizations hold EU ‘data’ and are impacted. The port in this storm for many companies may be the CIS CSC 20.
Obviously, there is also a lot of hype, with companies jumping on the bandwagon. Some of our customers have mentioned that at this stage they are sick of receiving sales calls on the subject from vendors, consultants and so on.
We in NetFort have been contacted by our customers, mostly our Irish and UK ones to date, asking how we can help: ‘We have already purchased a LANGuardian, we have been a good customer for years, we want to buy as few tools as possible, how can you help?’ That makes sense; most companies already have too many point security solutions and are trying to consolidate, NOT buy more.
We have also secured some new EU customers in central Europe. One of them, when asked why they purchased, came back with the following interesting information:
“On our side, our GDPR requirements are (so far):
- Who is doing what on any shared file?
- Who is sending or receiving a file on the Internet?
- What is done on a database (SQL query is fine)?
- What rights are given to some user?
- What Admins are doing (reading CEO files or mail, for example)?
- What email is sent, to whom, with an attachment (for SMTP)?
- Some kind of IDS (have we been attacked?) from either the internal network or the outside.”
The image below shows a section from our CIS CSC 20 reports, which we built using customer feedback like that shown above.
So we have taken the approach of first trying to work with and help our current customers, and taking it from there.
Our LANGuardian analyses raw network traffic (wire data), extracts application-specific metadata and integrates with Active Directory to enrich that metadata with usernames. It provides visibility, drill-down and context for both Internet and internal network user and device activity, including an inventory of shared data (file shares and SQL databases), users and applications. The LANGuardian is ideal for continuous monitoring, troubleshooting and forensics, and as a result is a good data source for demonstrating visibility, control and compliance. It retains an audit trail of network activity for long periods very cost effectively, but we needed to convince ourselves first of its usefulness for compliance and GDPR, then discuss it with our customers and get their reaction.
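To make the enrichment step concrete, and to show how wire-data metadata can answer audit questions like the customer list above (who touched a shared file, who emailed an attachment outside, what admins are reading), here is an added example written for this page. It is not LANGuardian code, and the sensor does not work this way internally; the record layouts, the AD logon table and every event in it are constructed for illustration. The one real technique it demonstrates is attributing each event to the most recent Active Directory logon seen from the same client IP at or before the event, which is how IP-keyed traffic metadata gets a username:

```python
"""Attribute wire-data events to AD users and answer audit questions.

Added example for this page, not NetFort/LANGuardian code. All data
below is constructed; in a real deployment the logon table would come
from domain-controller security events and the wire events from a
network sensor.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed AD logon events: (timestamp, client IP, sAMAccountName).
# Note that 10.0.1.20 is used by two different people on the same day,
# so a static IP-to-user table would misattribute the afternoon event.
AD_LOGONS = [
    ("2018-03-05T08:01:00", "10.0.1.20", "jsmith"),
    ("2018-03-05T08:05:00", "10.0.1.21", "mmurphy"),
    ("2018-03-05T08:30:00", "10.0.1.50", "itadmin"),
    ("2018-03-05T12:00:00", "10.0.1.20", "contractor1"),
]

# Constructed application metadata extracted from the wire, one dict per event.
WIRE_EVENTS = [
    {"ts": "2018-03-05T09:10:00", "proto": "SMB", "src": "10.0.1.20",
     "path": "\\\\fs01\\finance\\payroll_2018.xlsx", "op": "read"},
    {"ts": "2018-03-05T09:12:00", "proto": "SMB", "src": "10.0.1.50",
     "path": "\\\\fs01\\exec\\ceo\\board_minutes.docx", "op": "read"},
    {"ts": "2018-03-05T09:15:00", "proto": "SMTP", "src": "10.0.1.21",
     "from": "mmurphy@example.com", "to": "partner@external.example",
     "attachment": "customer_list.csv"},
    {"ts": "2018-03-05T09:20:00", "proto": "SQL", "src": "10.0.1.21",
     "query": "SELECT name, email FROM customers WHERE country='IE'"},
    {"ts": "2018-03-05T12:30:00", "proto": "SMB", "src": "10.0.1.20",
     "path": "\\\\fs01\\finance\\payroll_2018.xlsx", "op": "write"},
    # No logon was ever seen for this IP: an unknown device or a service account.
    {"ts": "2018-03-05T07:00:00", "proto": "SMB", "src": "10.0.1.99",
     "path": "\\\\fs01\\public\\readme.txt", "op": "read"},
]

# Hypothetical policy inputs: which accounts are privileged and which paths are sensitive.
PRIVILEGED_ACCOUNTS = {"itadmin"}
SENSITIVE_PREFIXES = ("\\\\fs01\\exec\\ceo\\",)


def _ts(s):
    return datetime.fromisoformat(s)


def build_logon_index(logons):
    """Per IP, a time-sorted list of (timestamp, user) for binary-search lookups."""
    by_ip = defaultdict(list)
    for ts, ip, user in logons:
        by_ip[ip].append((_ts(ts), user))
    for ip in by_ip:
        by_ip[ip].sort()
    return by_ip


def user_for(index, ip, ts):
    """User of the most recent logon from `ip` at or before `ts`, else None."""
    entries = index.get(ip, [])
    times = [t for t, _ in entries]
    pos = bisect_right(times, _ts(ts))
    return entries[pos - 1][1] if pos else None


def enrich(events, logons):
    """Copy each event and add a 'user' field derived from the logon index."""
    index = build_logon_index(logons)
    enriched = []
    for ev in events:
        e = dict(ev)
        e["user"] = user_for(index, ev["src"], ev["ts"])
        enriched.append(e)
    return enriched


def who_touched(enriched, path):
    """'Who is doing what on any shared file?' -> (time, user, operation)."""
    return [(e["ts"], e["user"], e["op"]) for e in enriched
            if e["proto"] == "SMB" and e["path"] == path]


def admin_access_to_sensitive(enriched):
    """'What are admins doing?' -> privileged accounts touching sensitive paths."""
    return [(e["ts"], e["user"], e["path"]) for e in enriched
            if e["proto"] == "SMB" and e["user"] in PRIVILEGED_ACCOUNTS
            and e["path"].startswith(SENSITIVE_PREFIXES)]


def outbound_attachments(enriched, internal_domain):
    """'What email is sent, to whom, with an attachment?' for external recipients."""
    return [(e["ts"], e["user"], e["to"], e["attachment"]) for e in enriched
            if e["proto"] == "SMTP" and not e["to"].endswith("@" + internal_domain)]


def unattributed(enriched):
    """Events with no matching logon: a CSC 1 inventory gap or an unmanaged device."""
    return [(e["ts"], e["src"], e["proto"]) for e in enriched if e["user"] is None]


if __name__ == "__main__":
    data = enrich(WIRE_EVENTS, AD_LOGONS)
    print(who_touched(data, "\\\\fs01\\finance\\payroll_2018.xlsx"))
    print(admin_access_to_sensitive(data))
    print(outbound_attachments(data, "example.com"))
    print(unattributed(data))
```

The point of the time-ordered logon index is the afternoon write to the payroll file: the same IP was logged on by a different account by then, so it is attributed to `contractor1`, not to the morning user. Events from an IP with no logon at all are reported separately rather than guessed, since an unattributed device is itself a finding under CSC 1.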
My first piece of learning was that GDPR is very vague, time-consuming and difficult to read and understand. I’m an engineer; I want hard facts, the detail I can read and believe in. I understand GDPR is still in its infancy, but at the moment it is so vague that it is frightening a lot of organizations, and as a result they are waiting to see what will happen. Risky approach.
From a security perspective, Article 32 (security of processing) requires ‘appropriate technical and organisational measures’ that take account of the state of the art; it names no particular standard, which in practice pushes companies to existing best practices such as the UK National Cyber Security Centre’s ‘10 Steps to Cyber Security’, ISO 27001 or the CIS CSC 20 Security Controls. In our opinion, one very practical and detailed option is the CIS Critical Security Controls, originally the SANS Top 20. There is a lot of good information here: https://www.cisecurity.org/controls/
So we have studied them and tried to understand the detail. There is a lot of good practical information; it is readable, which is critical, but also realistic. GDPR aside, organizations should use these or an equivalent as guidelines, a good checklist. Recently I have met a number of our customers face to face and presented the CIS CSC 20 and how they can help. I wasn’t trying to sell to them; they are already customers. I was just trying to have a discussion and get their reaction.
I was surprised to discover that about 50% of them to date had been studying the CIS CSC 20, and that their current goal was to target the top 5 and be able to demonstrate compliance with these by May, when GDPR becomes enforceable:
- CSC 1, Inventory of Authorized and Unauthorized Devices
- CSC 2, Inventory of Authorized and Unauthorized Software
- CSC 3, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4, Continuous Vulnerability Assessment and Remediation
- CSC 5, Controlled Use of Administrative Privileges
That seems like a good approach to us: take it step by step and be realistic. Be able to demonstrate that you are trying, taking it seriously and doing your best to be compliant. The goal is not just a checklist; it is to improve security and AVOID a breach. Everybody wins.
So now we ARE on a mission, on the CIS CSC 20 bandwagon, because they are a very good, practical set of security guidelines and realistic for organizations of all sizes. We are trying to leverage them and show how the LANGuardian’s internal visibility and continuous monitoring of network and user activity can help our customers.
We now have a GDPR and CIS CSC 20 tab on our LANGuardian system.
Stay tuned to this blog for more and more practical information and learnings.