Data Protection Day — known as Data Privacy Day outside of Europe — marks an opportunity to assess data privacy, use, access and controls for individuals and organizations alike. Typically, this day is a time to reflect on fundamental decisions about the people and organizations with whom they intentionally share data. But as a cybersecurity company, we also know first hand the importance of protecting data from being accessed by criminal groups, hacktivists and nation-state threat actors.
At CrowdStrike, we are in the business of data protection. We believe that cybersecurity is fundamental to data protection, and proper data protection is critical for all. We stop breaches and understand profoundly how critical cybersecurity is, not only to compliance but to protecting privacy. As we celebrate Data Protection Day, it is important to reflect on what holistic data protection entails.
Cybersecurity Is Central to Data Protection
Data protection laws around the globe require organizations to protect specific types of data — such as personal data — against breaches and ensure proper notification where they may impact individuals. This is why data protection laws contemplate the use of data for purposes of protecting data. For example, data protection laws such as the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Brazil’s General Law on Data Protection (LGPD) and Japan’s Protection of Personal Information Act (APPI), along with sector-specific laws such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), require organizations to protect data against breaches and provide notification in the event of a breach.
Beyond cybersecurity, organizations are responsible for undertaking many requirements when protecting data from misuse. However, regulatory enforcement actions and data breach realities mean that prioritizing cybersecurity is critical for obtaining compliance and meeting core data protection principles. In fact, many hefty fines in the GDPR era have focused on organizations that have failed to incorporate appropriate measures to protect data against breaches. As the United Kingdom’s Information Commissioner’s Office (ICO) puts it, “Under data protection law organizations must have appropriate security measures and robust procedures in place to ensure that any attempt to infiltrate computer systems is made as difficult as possible.”
While much privacy dialogues focus on whether data was properly collected, used or shared, there are significant threats to privacy even when such expectations are met. Sophisticated adversaries attempt to breach sensitive data around-the-clock. This reality defines what truly meets legal standards of “reasonable” or “appropriate” in protecting data, and many data breach reporting obligations focus on impact to individuals.
Data Protection Requires Big Data
On Data Protection Day, it’s important to consider the techniques proven successful to protect data from ever-evolving threats. Whether from the standpoint of a compliance or cybersecurity professional, it is key to think holistically about safeguarding data. Fundamentally, organizations must prioritize investigating incidents over alerts, preventing data breaches and, to the extent there is a breach, protecting against significant impacts to data subjects. This is why CrowdStrike believes it is critical to bring big data to data protection.
Big Data Enables Cybersecurity
Big data is a data protection asset. Importantly, big-data-powered cybersecurity distinguishes signal from noise and incidents from alerts. Leveraging the benefits of big data empowers organizations to meet legal obligations that require organizations to consider potential impact, both when protecting data as well as when assessing notification obligations in the event of a breach. Moreover, leveraging big data is key to achieving, as the UK ICO puts it, “appropriate security measures” that make any attempt to infiltrate an organization’s infrastructure as difficult as possible.
Leveraging big data is key to achieving appropriate security that makes any attempt to infiltrate an organization’s infrastructure as difficult as possible. By leveraging indicators of attack (IOAs) and indicators of compromise (IOCs) from a global customer base, the CrowdStrike Falcon® platform evolves as threats evolve.
Best Practices for Cybersecurity-informed Data Protection
There is a clear interrelationship between cybersecurity, big data and data protection. But several practical concepts can help organizations use this information to the greatest effect:
- Know what you’re protecting. Data protection laws require organizations to not only understand their own data assets, such as by maintaining a register of processing activities, but also to protect such data against breaches in a manner appropriate to the nature, scope, context of the data, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. This makes it vital for organizations to have an enterprise view of security. CrowdStrike sees first hand every day how adversaries focus on targeting organizations rather than mere one-off computers. Without centralized visibility, organizations risk falling victim to significant targeted attacks, ransomware and even basic lateral movement using stolen credentials. This means that defenders must have enterprise-wide visibility and security capabilities to protect data.
- Understand who and what you’re protecting your data from. It’s one thing to learn that malware has been detected, credentials were stolen, and data was exfiltrated. However, measuring the potential impact of a breach requires more. Contextualized data helps you distinguish a detection from an incident that could impact your entire organization. Big data analytics provide insight into scope, illuminate mitigation solutions and, when coupled with threat intelligence, potential adversary intent.
- Think big. Think fast. Adversaries move quickly, and static IOCs discovered from yesterday’s attacks might not protect your data from today’s. This is why it is critical to detect new patterns in real time to identify IOAs. When security is integrated into a cloud-native platform, then it is possible to protect data as quickly as the adversary attempts to breach it, by applying artificial intelligence (AI) in the form of machine learning (ML) techniques to big data generated from endpoints across the globe. This means that success can be measured against speed-based metrics like the 1-10-60 rule.
- Transition from credentials to identity. Protecting credentials from being compromised is important. However, organizations must go further to secure endpoints by embracing a Zero Trust approach to protect identity. Granular visibility into the specific identities accessing machines, accounts and other sensitive resources can help establish and enforce controls throughout the enterprise. This means better protection against unintentional access to data by unauthorized insiders, as well as additional opportunities to detect and prevent threat actors from escalating privileges and moving laterally during a compromise.
- Privacy-by-design. Bringing big data to data protection brings big data protection. In doing so, it is important to remember that principles-based big data protection must begin with privacy-by-design. Around the globe, legal requirements and expectations now require that organizations think about privacy from the beginning and not just as an afterthought. When leveraging big data, it is vital to ensure that core data protection principles such as proportionality, storage limitation and data minimization are incorporated.
Data protection is not just about having the fewest processors of the smallest amount of data possible. Nor is it about preventing cross-border data flows. Instead, the most sophisticated approaches to data protection actually leverage data from around the globe to secure data. Perhaps the most powerful illustration of this concept is the nexus between data protection and cybersecurity described above. Designing data protection programs with this in mind — supported by concepts like identity protection and privacy-by-design — can put organizations on a sound path to more compliant and more successful approaches ensuring good stewardship of sensitive information. This is big data protection.
- Learn more about how CrowdStrike meets your compliance requirements by visiting the Compliance and Certification webpage.
- Read the CrowdStrike GDPR white paper.
- Keep up-to-date with cybersecurity policy developments at the CrowdStrike Public Policy Resource Center.
- Read the CrowdStrike Cyber Front Lines Report: Incident Response and Proactive Services From 2020 and Insights That Matter for 2021.
- Learn more about the powerful CrowdStrike Falcon platform by visiting the webpage.
- Get a full-featured free trial of CrowdStrike Falcon Prevent™ and see how true next-gen AV performs against today’s most sophisticated threats.