GDPR Compliance? Lessons Learned from Equifax

by Matt Howard

I’ve spent a ton of time over the past few weeks chatting with different folks about GDPR and how this soon to be enforced EU regulation is contributing to a rising tide of interest in best practices for IT risk management and open source governance.

With GDPR due to become enforceable on 25 May 2018, indeed every company in the world doing business in the EU has been studying GDPR and it’s potential ramifications for quite a while.  What’s new however, is the fact that many of these companies are all of the sudden interested in understanding how to implement open source governance programs in the wake of the recent Struts2 breach at Equifax.

Simply stated, from the time that Equifax first discovered the breach in late July — the company waited 40 days to disclose the exploit to the public.  This leisurely approach toward public notifcation would not fly in the EU under GDPR rules that are set to take effect in May 2018.  Under GDPR — Equifax would have been required to notify the public within 72 hours or face penalties up to €10M ($12M) — or up to 2% of prior year revenue — whichever is higher.

Yes, that’s right.  Under GDPR rules, Equifax would have been fined $60M for taking their sweet old time to disclose the breach.  That’s a whopping $1.5 million dollars per day.

Of course, in the US we do not currently have a federal law requiring companies to inform the public about data breaches.  Legislation proposed in 2015 would have set a 30 day disclosure deadline — but the bill failed — most likely because a majority of congress felt that we already have ample regulation in place in form of PCI.

The white hot irony of course is that Equifax most likely would have passed a PCI audit with flying colors — yet they still got hacked and lost personal data on 140 million Americans and 40 million Brits becuase of poor open source governance.

In the face of GDPR, and in the aftermath of Equifax, companies are beginning to understand two things:

  1. web application firewalls, network and end point security tools, and hardened operating systems by themselves are not sufficient to defend against an attack that is aimed at the application layer and exploits known vulnerabilities in popular open source components like Struts.
  2. true data protection requires end-to-end software supply chain hygiene.

As the U.K’s Information Commissioner’s Office (ICO) states in their FAQ, “In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place».  An innovative solution to automatically manage open source risk wouldn’t be a bad idea either — just ask Equifax.

Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017

Egham, UK, December 7, 2017

Gartner Forecasts Worldwide Security Spending Will Reach $96 Billion in 2018, Up 8 Percent from 2017

Security Risks Drive Growth in Overall Security Spending

Gartner, Inc. forecasts worldwide enterprise security spending to total $96.3 billion in 2018, an increase of 8 percent from 2017. Organizations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy.

«Overall, a large portion of security spending is driven by an organization’s reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide,» said Ruggero Contu, research director at Gartner. «Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years.»

This is validated by Gartner’s 2016 security buying behavior survey*. Of the 53 percent of organizations that cited security risks as the No. 1 driver for overall security spending, the highest percentage of respondents said that a security breach is the main security risk influencing their security spending.

As a result, security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments (see Table 1).

Table 1

Worldwide Security Spending by Segment, 2016-2018 (Millions of Current Dollars)

Segment

2016

2017

2018

Identity Access Management

3,911

4,279

4,695

Infrastructure Protection

15,156

16,217

17,467

Network Security Equipment

9,789

10,934

11,669

Security Services

48,796

53,065

57,719

Consumer Security Software

4,573

4,637

4,746

Total

82,225

89,133

96,296

Source: Gartner (December 2017)

Gartner analysts said that several other factors are also fuelling higher security spending.

Regulatory compliance and data privacy have been stimulating spending on security during the past three years, in the U.S. (with regulations such as the Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, and Overseas Citizenship of India) but most recently in Europe around the General Data Protection Regulation coming into force on May 28 2018, as well as in China with the Cybersecurity Law that came into effect in June 2016. These regulations translate into increased spending, particularly in data security tools, privileged access management and SIEM. 

Gartner forecasts that by 2020, more than 60 percent of organizations will invest in multiple data security tools such as data loss preventionencryption and data-centric audit and protections tools, up from approximately 35 percent today.

Skills shortages, technical complexity and the threat landscape will continue to drive the move to automation and outsourcing. «Skill sets are scarce and therefore remain at a premium, leading organizations to seek external help from security consultants, managed security service providers and outsourcers,» said Mr. Contu. «In 2018, spending on security outsourcing services will total $18.5 billion, an 11 percent increase from 2017. The IT outsourcing segment is the second-largest security spending segment after consulting.»

Gartner predicts that by 2019, total enterprise spending on security outsourcing services will be 75 percent of the spending on security software and hardware products, up from 63 percent in 2016.

Enterprise security budgets are also shifting towards detection and response, and this trend will drive security market growth during the next five years. «This increased focus on detection and response to security incidents has enabled technologies such as endpoint detection and response, and user entity and behavior analytics to disrupt traditional markets such as endpoint protection platforms and SIEM,» said Mr. Contu.

Gartner analysts will further discuss where to deploy technology to add value to security, risk and privacy programs at the Gartner Identity & Access Management Summit, 5-6 March 2018 in London. Follow news and updates from the events on Twitter using #GartnerIAM.

Gartner’s guide to successful DevSecOps

Published: December 4th, 2017 – Christina Cardoza

In a recent survey conducted by Gartner, the organization found that the highest-ranked strategy for a successful DevOps approach was collaboration with information security. “In the past 12 months at Gartner, how to securely integrate security into DevOps — delivering DevSecOps — has been one of the fastest-growing areas of interest of clients, with more than 600 inquiries across multiple Gartner analysts in that time frame,” Gartner’s research director Ian Head, and distinguished analyst Neil MacDonald, wrote in a report.

The analysts have taken lessons learned from the organization and its clients, and released 10 steps they believes will set businesses on a successful DevSecOps path.

“Adapt your security testing tools and processes to the developers, not the other way around:” According to the analysts, the Sec in DevSecOps should be silent. That means the security team needs to change their processes and tools to be integrated into DevOps, instead of trying to enforce their old processes be adopted.
“Quit trying to eliminate all vulnerabilities during development.” “Perfect security is impossible. Zero risk is impossible. We must bring continuous risk- and trust-based assessment and prioritization of application vulnerabilities to DevSecOps,” Head and MacDonald wrote in their report. DevSecOps should be thought of as a continuous improvement process, meaning security can go beyond development and can be searching and protecting against vulnerabilities even after services are deployed into production.
“Focus first on identifying and removing the known critical vulnerabilities.” Instead of wasting time trying to break a system, find focus on known security issues from pre built components, libraries, containers and frameworks; and protect against those before they are put into production.
“Don’t expect to use traditional DAST/SAST without changes.” Scan custom code for unknown vulnerabilities by integrating testing into the IDE, providing autonomous scans that don’t require a security expert, reducing false positives, and delivering results into a bug tracking system or development dashboard.
“Train all developers on the basics of secure coding, but don’t expect them to become security experts.” Training all developers on the basis of security issues will help prevent them from creating harmful scenarios. Developers should be expected to know simple threat modeling scenarios, how to think like a hacker, and know not to put secrets like cryptographic keys and passwords into the code, according to Head.
“Adopt a security champion model and implement a simple security requirements gathering tool.” A security champion is someone who can effectively lead the security community of practice, stay up to date with maturity issues, and evangelize, communicate and market what to do with security and how to adapt.
“Eliminate the use of known vulnerable components at the source.” “As previously stated, most risk in modern application assembly comes from the use of known vulnerable components, libraries and frameworks. Rather than wait until an application is assembled to scan and identify these known vulnerabilities, why not address this issue at its source by warning developers not to download and use these known vulnerable components,” Head and MacDonald wrote.
“Secure and apply operational discipline to automation scripts.” “Treat automation code, scripts, recipes, formation scripts and other such infrastructure and platform artifacts as valuable source code with specific additional risk. Therefore, use source-code-type controls including audit, protection, digital signatures, change control and version control to protect all such infrastructure and platform artifacts,” according to the report.
“Implement strong version control on all code and components.” Be able to capture every change from what was changed, when the change happened and who made the change.
“Adopt an immutable infrastructure mindset.“ Teams should work towards a place where all the infrastructure is only updated by the tools. This is a sign that the team is maturing, and it provides a more secure way to maintain applications, according to Head.
In addition, the analyst predict by 2021, DevSecOps will be embedded into 80% of rapid development teams. “Integrating security into DevOps to deliver “DevSecOps” requires changing mindsets, processes and technology. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent,” they wrote.

logoSC

SIGUENOS

Twitter

Youtube

CONTACTO

Seguridad IT y Contravigilancia