Brace Yourselves for the new European legislation on data and network security coming soon! Get ready to invest millions in technologies and hire dozens of new employees. The whole world as we know it will never be the same again.
Hold on a minute… Perhaps everything you’ve read about General Data Protection Regulation (GDPR) and Directive on security of network and information systems (NIS) isn’t as scary as it seems. Let me share some experience from our customers in countries where comparable laws have been established ahead of the European directive.
GDPR, Prevention vs. detection
GDPR describes how personal data should be stored and secured from a breach. The directive is based on common sense and the latest trends. Nobody can expect the people responsible for the design to come up with ideas never seen before. Those organizations which care enough and attend security conferences from time to time already know about the techniques and rules applied. Strong passwords, appropriate access rights, secure storage spaces, and patching are essential components of modern data and network security. Where those organizations are lacking regarding the new guidelines are the proper definition of roles, responsibilities and liability. Take a teaspoon of help from a reliable consultancy firm, add a cup of time and stir in a pinch of pain and this can be achieved easily.
Now a much more worrisome topic the legislative talks about are the two terms “Security by design and by default” and “The right to know when one's data has been hacked”. The first one means that systems storing personal data need to be designed in a way to prevent data leakage. The main problem is that systems like CRM or HR tools are always delivered through a network and so will always be accessible by malware and hackers. Cases where personal information has been leaked and the owners only found out days later happen every week. The cause isn’t weak prevention. It’s a fact that criminals will always be a step ahead and figure out ways to penetrate your prevention. Event logging with SIEM systems at the protected system level itself isn’t always effective. Especially if it is an infected device of an authorized user that steals.
The actual infection of the station or exfiltration of the sensitive data outside the network is something that will help you to prevent the actual leakage or at least follow the legislative by detecting the fraud and informing the appropriate entities about it. It is important to adopt early detection and response techniques that are independent of signatures of known attacks and work with the fact that malicious behaviour always looks different from legitimate behaviour. And it’s just as important to adjust your SIEM system that is otherwise blind to see the behaviour of the network.
NIS, Protection on network level
National critical infrastructures (utilities, transportation, healthcare, finance) usually protect their networks on two levels. Perimeter security with firewalls, endpoint security with antiviruses and some SIEM or log management on top of these. Internet Service Providers use a variety of techniques to filter DDoS attacks, to prevent their DNS servers from misuse, and use perimeter security in their datacentres. This seems to be quite sufficient to fight attackers, right? Security experts have joined forces to create a new directive called NIS and effectively confirmed that the existing security of such organizations is insufficient. They specifically talk about the need to implement detection and response capabilities, and here I would only repeat myself if I explained how important role Behaviour Analysis and Anomaly Detection plays here. Flowmon is the right solution to cover such important capabilities of any network size and nature, out of shelf and with simplicity.
Flowmon is proven to comply
A few national critical infrastructures and services that fall under and are in-line with the country specific equivalent of the new directives and are also protecting their networks with Flowmon. They are:
- Veolia - utilities (water and waste management),
- MO-CIRC – (Incident Response team of the Czech Ministry of Defence),
- Fire Rescue Service of the Czech Republic
- O2 IT Services - a part of Telecommunications group (formerly Telefonica O2) Security Operations Centre providing security as a service mainly to public organizations
Conclusion and Recommendation
Conferences, articles, social media. Scary information about the impact of GDPR and NIS surrounds us everywhere. Bearing in mind that important national organizations and services already have many essential parts incorporated into their processes and toolset, the transition to the new directives should not be that painful. From dozens of organizations I’ve met so far, and which fall under directives very similar to the two named ones, only a handful had the capabilities to detect, react and to inform respective entities about cyber attacks. Simply because they lacked the capabilities to effectively monitor the network and to reveal anomalies with a modern and intelligent detection system. From a legal perspective, this was often the only major capability they lacked to protect their data and their infrastructure.
Visibility and behaviour analysis enhances your security, and most crucially, addresses the very important parts of our new pan-European directives to detect, respond and to inform governing entities about cyber attacks.
Intelligent Behaviour Analysis and Anomaly Detection tool is fast, easy to deploy and operate, suitable for any type and size of organization, and does not require changes in the infrastructure. Please worry about GDPR and NIS. Just remember that it doesn’t have to be a nightmare if you choose the right partner to go with.