<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"
   version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title><![CDATA[ GDPR - Rapid7 Cybersecurity Blog ]]></title>
    <description><![CDATA[Rapid7 transforms data into insight, empowering security professionals to progress and protect their organizations.]]></description>
    <link>https://www.rapid7.com/blog/</link>
    <image>
      <url>https://blog.rapid7.com/favicon.png</url>
      <title>Rapid7 Cybersecurity Blog</title>
      <link>https://www.rapid7.com/blog/</link>
    </image>
    <lastBuildDate>Tue, 21 Apr 2026 03:17:04 GMT</lastBuildDate>
    <atom:link href="https://www.rapid7.com/tag/gdpr/rss" rel="self" type="application/rss+xml" />
    <ttl>60</ttl>
    <item>
      <title><![CDATA[Utilize File Integrity Monitoring to Address Critical Compliance Needs]]></title>
<description><![CDATA[<p>With data breaches too often in the news, businesses have been tasked with the nonstop and never-ending activity of monitoring critical systems and keeping up with regulatory standards and laws such as <a href="/solutions/compliance/pci-dss/">PCI DSS</a>, <a href="/solutions/compliance/hipaa/">HIPAA</a>, and <a href="/solutions/compliance/gdpr/">GDPR</a>.</p><p>Some of these standards require you to deploy a <a href="/solutions/file-integrity-monitoring/">file integrity monitoring (FIM)</a> internal control within your operating environment to protect your organization’s critical assets and data. For PCI DSS, those specifically include your cardholder data environment, and for HIPAA, it is any system that stores or transmits patient data.</p><p>To help organizations address their compliance auditing needs, we are excited to introduce file integrity monitoring for <a href="/products/insightidr/">InsightIDR</a>.</p><h2>What is FIM?</h2><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6b5e8518bbeb6da2/683de2bb3323a5c1a980a9ca/FIM_Config_JD.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="FIM_Config_JD.png" asset-alt="FIM_Config_JD.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6b5e8518bbeb6da2/683de2bb3323a5c1a980a9ca/FIM_Config_JD.png" data-sys-asset-uid="blt6b5e8518bbeb6da2" data-sys-asset-filename="FIM_Config_JD.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="FIM_Config_JD.png" sys-style-type="display"/></figure></span></div><p>A FIM solution actively watches changes to files within your environment.
By monitoring file modification activities, InsightIDR provides key metrics to detect suspicious behavior applied to critical system files that don’t often change and to privileged data files being sabotaged.</p><div><h4><br/>See InsightIDR’s new FIM capabilities in action with a free 30-day trial.</h4><a href="/try/insightidr">Try InsightIDR</a></div><br/><h2>FIM compliance rule coverage and benefits</h2><p>InsightIDR FIM provides specific coverage for the following compliance requirements:</p><ul><li>PCI DSS Requirement 10.5</li><li>PCI DSS Requirement 11.5</li><li>HIPAA 164.312(b)</li><li>HIPAA 164.312(c)(1)</li><li>HIPAA 164.312(c)(2)</li><li>GDPR Article 32-1.b</li><li>GDPR Article 32-2</li></ul><h3>PCI</h3><p>For example, the PCI DSS standard explicitly requires the demonstration of compliance via FIM. Specifically, PCI DSS mandates that you track changes on critical assets such as the following:</p><ul><li>Critical system files, like system and executable files</li><li>Content files that contain card data and personally identifiable information (PII)</li><li>Configuration files to critical applications, such as a database storing card and PII data</li><li>Digital key and credential files for secure authentication and authorization</li><li>Historical and archived log and audit files</li></ul><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d52fb992de11b63/683de2e0237ea658e791c31d/FIM_Reports_JD.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="FIM_Reports_JD.png" asset-alt="FIM_Reports_JD.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0d52fb992de11b63/683de2e0237ea658e791c31d/FIM_Reports_JD.png" data-sys-asset-uid="blt0d52fb992de11b63" data-sys-asset-filename="FIM_Reports_JD.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="FIM_Reports_JD.png" 
sys-style-type="display"/></figure></span></div><h3>HIPAA and GDPR</h3><p>Like PCI DSS, HIPAA requires the implementation of policies and technologies to safeguard protected health information (PHI) from alteration and destruction. Similarly, GDPR requires the protection of personal data files and applications:</p><ul><li>Configuration and system files to critical PHI/personal data storage applications</li><li>Configuration and system files to critical PHI/personal data transportation/communication applications</li><li>Digital key and credential files to access critical PHI/personal data applications</li></ul><h3>UBA</h3><p>In addition to compliance coverage, FIM expands InsightIDR’s industry-leading user behavior analytics (UBA) to apply to file modification events. New file modification events may be looped into an investigation to fully understand the critical file modifications as they relate to a user’s other actions within your environment. Additionally, file modification events may be aggregated into fully customizable dashboard charts to better understand FIM visually within your environment. The charts and underlying data may be exported for your auditor to peruse.</p><h3>Powered by Insight Agent, monitor in near-real-time</h3><p>Taking advantage of the Insight Agents already deployed, InsightIDR FIM adds another layer of compliance visibility and critical file-change tracking to an already robust suite of security tools. InsightIDR enables you to keep watch and validate critical file changes that may endanger your business and customers.</p><h2>Getting started with FIM in InsightIDR</h2><p>Let’s take a look at how Rapid7 can help you achieve your compliance needs and reap the value of InsightIDR.</p><p>FIM for InsightIDR runs on common Windows Audit Policy configurations with which IT teams should be intimately familiar. 
Take a look at the <a href="https://docs.rapid7.com/insightidr/file-integrity-monitoring/">InsightIDR help page to set up FIM in your environment</a>. As a trusted advisor for your compliance and security needs, Rapid7 offers <a href="https://docs.rapid7.com/insightidr/fim-recommendations/">recommendations for FIM configurations</a>, which will be updated as the industry moves forward and we learn more over time.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2019/03/13/utilize-file-integrity-monitoring-to-address-critical-compliance-needs</link>
      <guid isPermaLink="false">bltfcb1210730eba605</guid>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[Incident Detection]]></category>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Compliance]]></category>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[HIPAA]]></category>
      <category><![CDATA[PCI]]></category>
      <category><![CDATA[Detection and Response]]></category><dc:creator><![CDATA[Alex Teng]]></dc:creator>
      <pubDate>Wed, 13 Mar 2019 17:12:50 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt76e18e142c77c10b/683de3152cfe320813dc16f2/Magnifying_Glass.jpg" medium="image" />
    </item>
    <item>
<title><![CDATA[GDPR Preparation March and April: Course Correct]]></title>
<description><![CDATA[<p>Wow, how did March just happen? Living in a country that just fell apart like a clown car because of snow, it’s still feeling decidedly wintery here in the UK, and as a weather-obsessed Brit I am fully looking forward to sunnier times. You know, that single day sometime in August. By that time, we’ll have crossed the border into the brave new world of the <a href="/solutions/compliance/gdpr/">General Data Protection Regulation (GDPR)</a>, and like many of you, I am curious as to what that world will look like.</p><p>During the 2018 countdown to the GDPR there have been some major milestones falling of late: 100 working days until GDPR, 100 actual days until GDPR, <a href="/blog/post/2018/02/15/tonight-im-gonna-ir-like-its-99-days-until-gdpr/">99 days until GDPR</a>, and so on. By the way, you do have our solemn vow that we’re not going to remind you on a daily basis how close it’s getting to May 25th, 2018. But for those folks still trying to work out what the hell to do for GDPR, by the time this blog hits the interwebs it’ll be around 50 working days in the US until go-day. Not long (tick tock, etc., etc.), but if you’re reading this as your first step, at least you’re <em>doing something</em>, which is a good start.</p><p><a href="/fundamentals/gdpr/">GDPR</a> could most definitely be described as a massive exercise in both consumer and business trust, and if you outwardly state that you don’t care about GDPR compliance, or indeed just keep quiet and hope this all blows over, then there are multiple ways it could come back to haunt you.
But let’s hope as you’re reading this blog you’re not falling into that camp: instead, you’re either just a little late to the party and are looking for <a href="/blog/tag/gdpr/">ideas on where to start</a>, or you’re somewhere out there on the GDPR forever-road.</p><p>I haven’t personally spoken to any of the (hopefully) mythical beasts who are sitting back and purposely doing nothing whilst awaiting the fireworks once GDPR becomes enforceable, but I do hear rumours that this is happening. As courses of action go, this really isn’t a good idea, even if you thoroughly believe that you won’t/can’t get hauled up for non-compliance, or “it’ll only be the big guys” who get called out, or it’ll be a big newsworthy data breach that puts the first organisation into the GDPR spotlight. One of the big misconceptions about GDPR is that it’s just about data breaches, and whilst this is an important part, it’s not the only way in which you could find your organisation in investigative hot water (as your lawyer will no doubt tell you!).</p><p>So in the next couple of months, assuming you’ve got to grips with things such as personal data discovery, reviewing your incident response and <a href="/fundamentals/security-program-basics/">security program</a>, and understanding your privacy and data retention policies and procedures, now is a good time to look at what you’ve learned and implement any changes. Maybe your organisation is in a heavily governed industry, like finance, so in theory there’s been less work to do, but regardless of where you are or what you do, if you handle the personal data of EU folks then there will be a level of work needed to prepare for GDPR.</p><p>When you implement these changes, do ensure you put the related people, processes and technology through their paces to make sure things are working as they should be.
For security teams, something like a breach readiness assessment or a <a href="/globalassets/_pdfs/product-and-service-briefs/rapid7_threat_simulation_ttx_service_brief.pdf">threat simulation tabletop exercise</a> will help you understand how well your <a href="/fundamentals/incident-response/">incident response</a> processes stand up. In our February GDPR blog, we talked about doing a “Right to be erased” drill: it’s worth doing a few of these in the run-up to May 25th, as this is a place you could come unstuck if someone is unhappy with the way in which you’ve dealt with their request.</p><p>The other area that we recommend revisiting at this point is third-party data processor agreements. These are organisations that you send personal data to, such as a third-party payments company, or a cloud-based data storage vendor. This is a vital step in <a href="https://www.youtube.com/watch?v=JDG2m5hN1vo">the chain</a>, as without the right contracts in place you could be held responsible for the non-compliance of a processor, which could potentially be a very costly exercise if something goes wrong. If you haven’t had a chance to check in with the data processors that you work with, then do make this a priority over the coming weeks.</p><p>As with everything GDPR, your legal counsel and, if you have one, Data Protection Officer are the right places to go if you have questions specific to your organisation. We have a range of assets that can help you better understand the regulation. If you’re looking for a fresh pair of eyes to help you understand your organisation’s <a href="/globalassets/_pdfs/product-and-service-briefs/rapid7-consulting-services-brief-gdpr-readiness-assessment.pdf">GDPR readiness</a>, our consultants are able to assist you with the alignment of your data privacy and security ducks.</p><p>Want to read more of our GDPR preparation blog series? Look no further than our <a href="/blog/tag/gdpr/">GDPR blog tag</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2018/03/21/gdpr-preparation-march-and-april-course-correct</link>
      <guid isPermaLink="false">bltabfef7f2f3b26a94</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Incident Response]]></category>
      <category><![CDATA[Compliance]]></category>
      <category><![CDATA[Detection and Response]]></category><dc:creator><![CDATA[Sam Humphries]]></dc:creator>
      <pubDate>Wed, 21 Mar 2018 13:30:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt193b8c6a9d7d35df/683de28dda5c308089a8355a/GDPR-March-and-April.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Tonight I'm gonna IR like it's 99 (days until GDPR)…]]></title>
<description><![CDATA[<p>Sorry Nena, it was going to be you or Prince that was going to get the headline, and whilst <a href="https://www.youtube.com/watch?v=HZ1TQYjCwYc">99 Red Balloons</a> is a catchy ’80s classic, I had to give credit to <a href="https://www.youtube.com/watch?v=rblt2EtFfC4">His Royal Purpleness</a>. It was that or pay tribute to a childhood favourite vanilla ‘whippy’ ice cream, adorned with a Cadbury’s Flake, but I’m not so sure that would resonate so well with a global audience.</p><p>“Why 99?”, you may ask. Why not a nice round hundred? Well, 99 is relevant for two very important reasons: Firstly, per the title, today marks 99 days until the <a href="/solutions/compliance/gdpr/">General Data Protection Regulation (GDPR)</a> comes into force. Secondly, the average time to detect that a breach has occurred is 99 days. So we’re now within the Averages Window, and this is a pretty key milestone.</p><p><a href="/fundamentals/gdpr/">The GDPR</a> covers many different topics and one of those topics is breach notification. <a href="/globalassets/_pdfs/product-and-service-briefs/rapid7-solution-brief-gdpr-article-33-34.pdf">Articles 33 and 34 of the GDPR</a> cover this requirement; essentially organisations have 72 hours to report a personal data breach if there is a significant risk to the impacted data subjects (aka “living people”). The 72-hour clock starts ticking at the point of breach discovery, not at the time the breach actually occurred, so if we go with the aforementioned average, that’s 102 days from when an attacker bust through the defences and did something untoward with the data. (For the record, there are no good songs with 102 in the title—I checked, and with an IMDb score of 4.9 I’m not going to give 102 Dalmatians blog title airtime. Sorry, Walt.
Those EDM fans amongst our readership will be overjoyed to know that there is a track called <a href="https://soundcloud.com/s-watson/72-hours-xstaassen-feat-scott-watson">72 hours</a>...)</p><p>The next question you may ask is “what counts as discovery?”, and that is indeed a great question. Working Party 29, the group responsible for helping untangle the legalese vagueness of the GDPR, are on hand to help. They have issued draft guidelines to help organisations better prepare, including giving clarification on what counts as a personal data breach.</p><p>Let’s get back to 99 for a moment. 99 days is an age in breach terms. Yes, it’s dropped from 146, or 201, or 205, or 320, depending on the piece of past research you wish to read, but it’s still a bloody long time whichever way you look at it. At the point of discovery, it’s highly likely the attackers are long gone, but trying to unpick exactly what went on over 14 weeks ago is not the easiest of tasks. In addition, you only have 3 days to work out the fundamentals, assuming you have round-the-clock <a href="/fundamentals/incident-response/">incident response</a> folks at your disposal.</p><p>In the next 99 days, breaches will continue to occur and unfortunately go unnoticed, but there’s one fundamental difference coming down the pipe, which is the upcoming regulatory change around notification. Now, I am in no way suggesting that it’s better to find out before GDPR comes into effect so that you don’t necessarily need to notify (many other regulations already include this requirement today). As a human who shares data with a multitude of organisations, I am a big fan of breach notification, and the related requirements to keep my personal data as safe as possible. But, I would like you to take some time to think about how prepared your organisation is to both detect and respond to a breach. Do you have the right people, process, and technology in place? When did you last update your incident response plan?
When did your incident response program last get put through its paces, via a penetration test or fire drill exercise such as a threat simulation (aka a tabletop exercise)? Do you have the ability to spot the usage of compromised credentials within your environment? Now is the time to look hard at the overall breach readiness of your organisation. Making changes now could make the difference between needing to send notifications to a Supervisory Authority, and indeed your customers. Ideally, you want to be able to spot attackers earlier in the attack chain, investigate quickly, and respond with confidence.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2018/02/15/tonight-im-gonna-ir-like-its-99-days-until-gdpr</link>
      <guid isPermaLink="false">blt20c090ab9e122631</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Compliance]]></category><dc:creator><![CDATA[Sam Humphries]]></dc:creator>
      <pubDate>Thu, 15 Feb 2018 15:05:00 GMT</pubDate>
    </item>
    <item>
      <title><![CDATA[GDPR Preparation Checklist: January – Teach and Tidy]]></title>
<description><![CDATA[<p>New year, new things to think about when it comes to your <a href="/solutions/compliance/gdpr/">GDPR compliance</a> preparations. Hopefully your GDPR project is in full swing by now. If it’s not, then you do really need to be getting your skates well and truly on. Do take a look through our <a href="/blog/post/2017/11/14/gdpr-preparation-november-form-storm/">November</a> and <a href="/blog/post/2017/12/04/gdpr-compliance-checklist-december-assess-review/">December</a> preparation blogs for ideas on how to get going. As of January 1, 2018, there were 144 days left until GDPR Day hits, so depending on where you are in the world, and when you’re reading this blog, you’ve got about 100 working days left to go.</p><p>Without further ado, here are our recommendations for January:</p><h2>Enable your entire organization on GDPR compliance</h2><p>Everyone, really, <em>everyone</em> in your organisation should have some level of GDPR awareness, because it only takes the actions of one unaware person to put you in breach of the regulation (the database under a desk situation, for example). Personal data is everywhere. I’m sat next to two phones and typing at a laptop writing this blog from my house. All of these contain personal data, and many organisations’ employees are in the same boat. Employees who are closest to personal data—such as engineering, marketing, operations, and HR—need the most training. Personal data might well enter your environment through some form of human entry, so ensure that customer services, sales, support et al. all understand <a href="/fundamentals/gdpr/">the fundamentals of GDPR</a>.
There is a myriad of online courses available, including certifications, and it may also be wise to include GDPR-related training in your new hire and annual conduct training.</p><h2>Clean out unnecessary personal data</h2><p><a href="https://gdpr-info.eu/art-5-gdpr/">Article 5 of the GDPR</a> states that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”. Additionally, personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…(‘storage limitation’).”</p><p>This means you can only process the personal data you actually need (you can read more about adequacy from the ICO), and only keep it for as long as is necessary to perform the tasks for which you need it. With many compliance regulations, paperwork is key: document which types of personal data you have, the categories of personal data they fall into, why you need the personal data, and for how long you retain this data.</p><p>A question I hear pretty frequently boils down to “which compliance wins in a fight?” For example, what should you do if GDPR says you should remove personal data you don’t need, but a different compliance requirement says you need to keep records for a specific amount of time (even if you no longer provide a service to the individuals the data belongs to)? Alas, this is a question you’ll need to answer with your legal experts of choice. The ICO has some sage advice on what to do in these circumstances. The TL;DR is that both/all win and it’s really not a competition, even though GDPR has a much bigger maximum fine stick to wield. Your legal counsel can offer advice specific to your circumstances.</p><p>If there is no legal, regulatory or valid reason to have specific personal data, it may be time to consider getting rid of it.
As an added bonus, you’ll win back some storage too.</p><h2>Contact data subjects to ensure personal data accuracy</h2><p>Article 5 also states that personal data must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).” You’re likely already seeing organizations reaching out to you personally to check data is up to date, as like many things that fall under GDPR this is good business practice. Clarification on accuracy (META!!) is also covered by our friends over at the ICO. Before you stop reading this blog and run off to go sending out emails, in-app messages or even letters on Actual Paper, please carry on reading through the next section as you’ve likely got some further communication to do.</p><h2>Update consent mechanisms, privacy policies, and legal agreements</h2><p>Not that I have any major life regrets (well, one small one involving not saying hello to <a href="https://www.youtube.com/watch?v=5j7fg0Kb9qs">Rod Hull</a>, a British kids’ TV entertainer, in the street once, and a few weeks later he died. I’m still reeling a bit, can you tell? Sorry, I digress, but it was a valuable lesson nonetheless.)…BUT, if I had a DeLorean and a flux capacitor, right now would be a good moment to go <a href="https://www.youtube.com/watch?v=TLQWGoysbgM">back in time</a> and retrain as a data privacy lawyer. Seriously, these are busy people right now.</p><p>Let’s talk about <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/consent/">consent</a> first, as this has been a topic of much debate. Consent needs to be provided for personal data to be processed, and it must be able to be rescinded as easily as it was given.
There are additional rules around consent for services provided to children. Working Party 29, the group responsible for clarifying the GDPR articles, have issued <a href="https://iapp.org/resources/article/wp29-guidelines-on-transparency/">guidelines on transparency</a>, which include the topic of consent. Many organisations expect to be making changes to contracts and web applications to meet this part of the regulation.</p><p>Your privacy policy, plus legal agreements with third-party suppliers, and with any data controller whose data your organization processes, will also need updating to meet GDPR requirements. Find a good data privacy lawyer and work out which changes are needed so that you have time to update documentation and your website.</p><p>Whether you decide to jointly or separately revisit consent and data accuracy discussions with your customers, prospects, employees, and any other EU data subjects you hold data about is a matter to discuss with your team and counsel. It might be easier to hit both birds with one stone, especially if you have a lot of data.</p><p><em>Watch the </em><a href="/blog/tag/gdpr/"><em>GDPR blog tag</em></a><em> to keep up as we get closer to GDPR go-time.</em></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2018/01/10/gdpr-preparation-checklist-january-teach-and-tidy</link>
      <guid isPermaLink="false">blt8dff424bd20e325e</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Compliance]]></category><dc:creator><![CDATA[Sam Humphries]]></dc:creator>
      <pubDate>Wed, 10 Jan 2018 09:30:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltff08bb15cad5ac08/683de6b118a5533d10687252/spray-cleaner-2.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[MDR and GDPR: More than a lot of letters]]></title>
<description><![CDATA[<p>With 2018 now well in our sights, the countdown to the General Data Protection Regulation (GDPR) is most definitely on. Articles 33 and 34 of the <a href="/fundamentals/gdpr/">GDPR</a> require organizations to communicate personal data breaches when there is a high risk of impact to the people to whom the data pertains. GDPR security requirements and breach notification go hand-in-hand, for obvious reasons. In the words of the European Commission Working Party 29 (the group who are tasked with clarifying the requirements of the GDPR): Article 32 of the GDPR “makes clear that the controller and processor should have appropriate technical and organizational measures in place to ensure an appropriate level of security of personal data: the ability to detect, address, and report a breach in a timely manner should be seen as essential elements of these measures.” So in brief, if there's a good chance a breach would affect people's personal data, there's gotta be a comprehensive plan in place to address it—quickly.</p><p>Traditional defenses are not geared toward detecting the more complex threats and exploits used in today’s sophisticated threat landscape. Moreover, attackers don’t just operate during business hours. And the longer an attacker goes undetected, the more potential there is for them to do damage. The answer for many organizations is to set up a <a href="/fundamentals/security-operations-center/">Security Operations Center (SOC)</a>, but this can be a daunting and costly task. It takes a lot of time and money to build a SOC and to competently staff it around the clock. And that’s assuming you can find (and keep!) the right people.</p><p>There is another way.</p><h2>Rapid7 Managed Detection and Response</h2><p>Rapid7 Managed Detection and Response (MDR) Services provides 24/7 incident detection and response.
This makes it that much easier for organizations to tackle their detection and response needs without needing to invest in building and staffing a SOC themselves. Per the advice of Working Party 29, “a key element of any data security policy is being able, where possible, to prevent a breach and, where it nevertheless occurs, to react to it in a timely manner.” This is great, but to do it well is often beyond the budgetary means of many organizations.</p><p>This begs the question: what’s included in Rapid7 MDR?</p><h2>People, Process, Technology</h2><p>Rapid7 built our Managed Detection and Response offering around people, process, and technology. The Rapid7 SOC is full of some of the finest talent in cyber security. They eat, sleep, and breathe alerts. When they finish up at work, many of them go to meetups on hacking. The technical people on the team average more than 10 years’ experience. They’ve worked for public and private sector organizations. Even the most junior analyst has seen over 300 threats and many breaches.</p><p>The backbone of the Rapid7 Managed Detection and Response Service is Rapid7 InsightIDR, for <a href="/fundamentals/siem/">SIEM</a>, User Behavior Analytics (UBA), and Endpoint Detection and Response (EDR), but we don’t just manage the technology for you. The team both hunts for threats and conducts investigations to understand what is going on in your environment. If a lead is a threat, and the threat is a live attacker, the team can easily pivot into incident response escalation mode.
Two incident escalations are included annually with the service, so if the worst happens you know the experts have your back.</p><p>Prior to deploying Rapid7 <a href="/fundamentals/what-is-managed-xdr-mxdr/">MXDR</a>, the team conducts a compromise assessment and builds a threat profile for the organization. The threat profile enables understanding of user behavior within the organization so that it’s easier to spot anomalies and make better use of threat intelligence. The compromise assessment ensures that there is a clean environment prior to starting. In some cases, our team has done a compromise assessment and found issues that previous companies had missed.</p><h2>Round the clock support</h2><p>Rapid7 has security operations centers around the globe, where our analysts execute the 24/7/365 coverage. The combination of people, process, and technology makes it possible to better meet organizations’ needs for GDPR, without the overhead of an in-house SOC.</p><p>Explore <a href="/services/managed-detection-and-response-mdr/">Rapid7 Managed XDR</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2017/12/18/mdr-and-gdpr-more-than-a-lot-of-letters</link>
      <guid isPermaLink="false">blt668b26e199675874</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category><dc:creator><![CDATA[Kimberlee Bachman]]></dc:creator>
      <pubDate>Mon, 18 Dec 2017 18:43:13 GMT</pubDate>
    </item>
    <item>
      <title><![CDATA[Creating a Risk-Based Vulnerability Management Program for GDPR with InsightVM]]></title>
<description><![CDATA[<p><a href="/solutions/compliance/gdpr/">The General Data Protection Regulation’s (GDPR)</a> deadline in 2018 is rapidly approaching, and as companies <a href="/blog/post/2017/02/23/preparing-for-gdpr/">prepare for GDPR compliance</a>, they’re facing a struggle that’s plagued every security program for years: how to quantify that nebulous, scary thing called “risk.” <a href="/fundamentals/gdpr/">GDPR compliance</a> specifically talks about “risk” several times in its guidelines, particularly in Article 32 where it states that “Controllers and processors must implement a level of security appropriate to the risk.”</p><p>Fortunately, our <a href="/products/insightvm/download/">vulnerability management solution</a> has been built from the ground up to focus on risk and how to measure it, instead of just CVSS scores and other rating systems that don’t take business context into account. Here’s how <a href="/products/insightvm/">InsightVM</a> can help you meet your GDPR compliance needs in an automated and efficient way, saving you time to worry about more intricate security concerns.</p><h3>Automatically prioritize systems that process personal data for remediation</h3><p>With InsightVM’s criticality tags, you can tag specific systems that process personal data as more important than other systems, amplifying the risk score of the asset and ensuring that the vulnerabilities found on these assets are prioritized for remediation. You can also tag assets by owner or by type (e.g., GDPR - App Server) to make reporting a breeze.</p><h3>Track remediation progress to ensure GDPR systems are fixed in a timely manner</h3><p>Remediation projects in InsightVM let the security team assign the right projects to the right people and track live to ensure that SLAs are met and GDPR systems are patched in a timely manner.
You can also <a href="/blog/post/2017/07/06/remediation-workflow-now-integrates-with-servicenow/">integrate with ticketing solutions like JIRA and ServiceNow</a> to seamlessly fold remediation into your IT team’s existing workflow.</p><h3>Live dashboards for tracking GDPR compliance progress</h3><p>InsightVM’s Liveboard gives you live dashboards that you can customize for any user in your organization—making it easy to obtain a report card on your GDPR systems. These can be further filtered down to create holistic corporate-wide views for a CIO or CISO, or office-specific views for a security director.</p><h3>Tutorial: Creating a GDPR compliance dashboard in InsightVM</h3><p>Now that you’ve tagged your GDPR assets as “Critical,” let’s walk through how to create a dashboard for these assets so you can track risk and remediation progress live.</p><p>First, we’ll create a general dashboard using one of InsightVM’s pre-built templates. The “Assets Dashboard” is a good place to start as this comes pre-built with most of the cards we would find useful. 
To do so, click on the dropdown on the dashboards page and click on “Assets Dashboard” under the Rapid7 Recommended section.</p><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte149d658c2282747/683de08c3beff00de0a7c43d/IVM-GDPR-1.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IVM-GDPR-1.jpg" asset-alt="IVM-GDPR-1.jpg" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte149d658c2282747/683de08c3beff00de0a7c43d/IVM-GDPR-1.jpg" data-sys-asset-uid="blte149d658c2282747" data-sys-asset-filename="IVM-GDPR-1.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="IVM-GDPR-1.jpg" sys-style-type="display"/></figure></span></div><p>Give this new dashboard a relevant name and a description, and click OK to save.</p><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc50ca746c980e754/683de0b130073e21d7eb1847/IVM-GDPR-2.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IVM-GDPR-2.jpg" asset-alt="IVM-GDPR-2.jpg" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc50ca746c980e754/683de0b130073e21d7eb1847/IVM-GDPR-2.jpg" data-sys-asset-uid="bltc50ca746c980e754" data-sys-asset-filename="IVM-GDPR-2.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="IVM-GDPR-2.jpg" sys-style-type="display"/></figure></span></div><p>This will give us a default view that looks like this:</p><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt879b6a5fc34fe306/683de0d93a1c5a346b4ba896/IVM-GDPR-3.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IVM-GDPR-3.jpg" asset-alt="IVM-GDPR-3.jpg" style="width: auto" 
data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt879b6a5fc34fe306/683de0d93a1c5a346b4ba896/IVM-GDPR-3.jpg" data-sys-asset-uid="blt879b6a5fc34fe306" data-sys-asset-filename="IVM-GDPR-3.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="IVM-GDPR-3.jpg" sys-style-type="display"/></figure></span></div><p>Remember, these cards can be freely moved around, added, or removed, so let’s pull one that's particularly interesting for GDPR to the top: “Assets by Vulnerability Severity Over Time” shows how the number of critical, severe, and moderate vulnerabilities have changed over time.</p><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc1870b9235249076/683de0fe18a5536097687056/IVM-GDPR-4.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IVM-GDPR-4.jpg" asset-alt="IVM-GDPR-4.jpg" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltc1870b9235249076/683de0fe18a5536097687056/IVM-GDPR-4.jpg" data-sys-asset-uid="bltc1870b9235249076" data-sys-asset-filename="IVM-GDPR-4.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="IVM-GDPR-4.jpg" sys-style-type="display"/></figure></span></div><p>Every card in InsightVM can be filtered using a list of granular filters for anything from specific software detected on a system to open ports and tags. 
Since we have already tagged all of our GDPR systems as “very critical” using InsightVM’s criticality tags, we can filter this card down to just those assets by expanding the card and using the filter asset.tags STARTS WITH "very high".</p><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltbc3ef3f5544a0a10/683de12330073ee507eb186b/IVM-GDPR-5.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IVM-GDPR-5.jpg" asset-alt="IVM-GDPR-5.jpg" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltbc3ef3f5544a0a10/683de12330073ee507eb186b/IVM-GDPR-5.jpg" data-sys-asset-uid="bltbc3ef3f5544a0a10" data-sys-asset-filename="IVM-GDPR-5.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="IVM-GDPR-5.jpg" sys-style-type="display"/></figure></span></div><p>The best part? Now that we’ve done this once, we can click on “Save Filter” to save and easily apply this filter to the rest of the cards in our dashboard, giving us a true GDPR compliance dashboard with just a few minutes of work.</p><div style="overflow: hidden"><span><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65375e913aad2863/683de149cc60423df82067c0/IVM-GDPR-6.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="IVM-GDPR-6.jpg" asset-alt="IVM-GDPR-6.jpg" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65375e913aad2863/683de149cc60423df82067c0/IVM-GDPR-6.jpg" data-sys-asset-uid="blt65375e913aad2863" data-sys-asset-filename="IVM-GDPR-6.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="IVM-GDPR-6.jpg" sys-style-type="display"/></figure></span></div><p>Want additional GDPR compliance tips and tricks? 
Check out our <a href="https://information.rapid7.com/gdpr-toolkit.html">GDPR toolkit</a> for help on getting ready for May 25th, and of course feel free to reach out to your friendly neighborhood sales rep or Customer Success Manager!</p><p>Not an InsightVM customer? You can <a href="/products/insightvm/download/">download a free 30-day trial today</a> to try any of the features that I covered above.</p><p><em>Want more? Get </em><a href="/blog/tag/gdpr/"><em>all our GDPR blog content here</em></a><em> or add it to your </em><a href="/blog/tag/gdpr/rss/"><em>RSS feed</em></a><em>.</em></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2017/12/13/creating-a-risk-based-vulnerability-management-program-for-gdpr-with-insightvm</link>
      <guid isPermaLink="false">blt06720c0b238c6b64</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Vulnerability Management]]></category>
      <category><![CDATA[InsightVM]]></category><dc:creator><![CDATA[Nathan Palanov]]></dc:creator>
      <pubDate>Wed, 13 Dec 2017 18:25:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt65375e913aad2863/683de149cc60423df82067c0/IVM-GDPR-6.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[GDPR Compliance Checklist: December – Assess & Review]]></title>
      <description><![CDATA[<p>With under six months to go until the <a href="/solutions/compliance/gdpr/">General Data Protection Regulation (GDPR)</a> comes into force, organizations that handle the personal data of EU citizens are preparing for this new compliance regulation. In order to help you through this new regulation, we’re creating a series of helpful blog posts to see you all the way to May 25th 2018. This GDPR-focused infographic covers the month-by-month high level topics. If you missed our <a href="/blog/post/2017/11/14/gdpr-preparation-november-form-storm/">November blog</a>, please read it first.</p><p>With holiday season now in full swing in many parts of the world it’s important that GDPR preparation doesn’t get lost in the festivities. Here are our recommendations for December.</p><h2>Assess your security program for GDPR readiness</h2><p>In order to meet the requirements of GDPR, it’s possible that your <a href="/fundamentals/security-program-basics/">security program</a> may need some changes. <a href="https://www.privacy-regulation.eu/en/32.htm">Article 32</a> of the GDPR is all about applying a level of security appropriate to the risk, which also happens to be an approach that Rapid7 has long favored. So, if you’re only running some traditional anti-virus and have a firewall poked full of holes at the gateway then you’ll definitely have some work to do, but even if you have a top-notch-weapons-grade-seven-star security program it’s still worth ensuring that your people, processes and technology are set up for GDPR success. 
If you’re looking for assistance with this, our strategic advisory services consultants can tailor a <a href="/globalassets/_pdfs/product-and-service-briefs/rapid7-consulting-services-brief-gdpr-readiness-assessment.pdf">GDPR readiness assessment</a> to fit your needs.</p><h2>Uncover shadow IT services</h2><p>If you’ve read the <a href="/blog/post/2017/11/14/gdpr-preparation-november-form-storm/">November GDPR blog</a>, you might be asking why this is getting called out again. We cannot stress the importance of this enough – you will come unstuck if you don’t get a handle on <a href="/fundamentals/shadow-it/">shadow IT</a> services. From databases under desks, to unsanctioned cloud-based applications, shadow IT could be hiding personal data that you’re not securing. Shadow IT tends to occur when users aren’t getting the system or service that they need to perform a task. You need to discover what’s being used and work out whether you need to provision some new services, bring currently used services into the fold so that you can secure them, or block some of them altogether. Blocking services may result in new shadow IT problems springing up, so be wary of being the Department of No.</p><h2>Perform Privacy Impact Assessments (PIAs)</h2><p><a href="https://www.avepoint.com/blog/avepoint-blog/privacy-impact-assessments-gdpr-requirement/">PIAs</a>, also known as DPIAs (no prizes for guessing what the D stands for), will help guide a lot of your GDPR decisions, so if you haven’t already done so, do start kicking these off now. And if you are a fan of things that are free, then you’ll really like <a href="https://iapp.org/resources/apia/">this tool</a> from Avepoint and the International Association of Privacy Professionals (IAPP).</p><h2>Review and update data retention policy</h2><p>With every compliance regulation since the history of having <a href="https://www.youtube.com/watch?v=Yw9GNz-EYP8">20 seconds to comply</a>, documentation is key. 
You likely already have a data retention policy in place (if not, then you need to get one), and so now is the time to review it and update where necessary. GDPR requires you only to keep personal data for as long as you actually need it. And if you don’t need it any more, then purge away. Other compliance regimes that apply to your organization are relevant here too, as their data retention requirements may already stipulate for how long you need to keep personal data. It’s worth calling out here a question that many people are already asking – what about the (misnomer-ed) “right to be forgotten”? The Internet Commissioner’s Office (ICO) in the UK has released some <a href="https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/">excellent guidance</a> on this topic that clarifies what the right to erasure actually entails.</p><h2>Review and update access control</h2><p>From a security point of view, limiting user access privileges to systems and information is called out in a whole host of different frameworks. When you are thinking about securing your environment for GDPR, you need to ensure only users who need access to personal data have access to that personal data, and again you need to have solid documentation covering this. It’s fair to say that not all organizations have historically had a good handle on access control. Granting application administrative privileges to a user has been a surefire way to get a helpdesk ticket closed quickly when they’ve reported an inability to perform a task. Revoking privileges when an employee leaves is another area that can sometimes be left wanting.</p><p>You also need to think about which devices can access your network, as in our BYOD world it’s relatively easy for users to transfer personal data onto a whole host of unmanaged devices. Giving your access control policies a periodic good wash and brush is something you should be doing anyway, but documentation alone doesn’t equal compliance (or security!). 
A myriad of technology vendors in the market today can help you solve access control challenges, such as <a href="https://www.forescout.com/">Forescout</a> for NAC and <a href="https://www.cyberark.com/">Cyberark</a> for privileged account security.</p><h2>Document your incident response processes</h2><p>Articles 33 and 34 of the GDPR bring in mandatory personal data breach notification and communication. If you are unfortunate enough to have lived through the pain of a breach, or even if you haven’t (but have no doubt lived them vicariously through the seemingly daily news reports), then you’ll know the importance of an incident response plan. Whether you’ve got a <a href="/fundamentals/security-operations-center/">security operations center</a> deep in a mountainside, or you’re an IT/Security ninja army of one, and indeed anything in between, then you need to have an <a href="/fundamentals/incident-response/">incident response</a> process in place. Remember paper, that thing we all try to avoid? It has a very valid use here – if you only have your processes in electronic format then you may not be able to access them at the time you need them most. Print off your incident response processes, and make sure you put them somewhere you can easily locate them.</p><p>Overwhelmed over the thought of building out an incident response plan at your organization? Check out our <a href="/services/managed-detection-and-response-mdr/">MDR services</a>, we would be happy to partner with you.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2017/12/04/gdpr-compliance-checklist-december-assess-review</link>
      <guid isPermaLink="false">bltbe615aedbbe8aa21</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Compliance]]></category><dc:creator><![CDATA[Sam Humphries]]></dc:creator>
      <pubDate>Mon, 04 Dec 2017 14:15:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9e195745c9945a33/683de3a12a76869300bc8549/checklist.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[GDPR Preparation: November – Form & Storm]]></title>
      <description><![CDATA[<p>With just over six months to go until the General Data Protection Regulation (<a href="/solutions/compliance/gdpr/">GDPR</a>) comes into force, organizations that handle the personal data of EU citizens are preparing for this new compliance regulation. If you’ve not gotten started yet, or your plans are still in their infancy, we’re creating a series of helpful blog posts to see you through to May 25th 2018.</p><p>With holiday season fast approaching in many parts of the world, getting your plans off the ground now is vitally important, as January tends to come around all too quickly. Here are our recommendations for November:</p><h3>Form a cross-functional team with representation from every major group in the organization</h3><p>Although it’s a legal text, GDPR isn’t just for the legal team to worry about. It’s highly likely that every department in your organization does something with personal data. You need a senior-level representative from each area to be part of your GDPR task force. They’ll need to understand what GDPR is and how it affects their areas. Our <a href="https://www.youtube.com/watch?v=B6Dzc7_3w-k">Whiteboard Wednesday: GDPR Overview</a> covers the regulation at a high level, and <a href="https://iapp.org/resources/article/bird-bird-guide-to-the-general-data-protection-regulation/">this guide</a> from legal firm Bird & Bird provides an easily digestible walk through the regulation in more detail without needing a legal degree.</p><h3>Seek legal counsel</h3><p>If you do have your own in-house data protection legal specialists, then it’s likely you’re already way ahead in your planning. If you don’t have such a luxury within your organization, then it’s time to bring in a third party to assist. 
There are a plethora of law firms offering these types of services, so you shouldn’t have to look too hard.</p><h3>Determine if you need to appoint a Data Protection Officer (DPO)</h3><p>If your organization fits within one of these three categories, then you must designate a DPO:</p><ul><li>It is a public authority (except for courts acting in their judicial capacity)</li><li>It carries out large-scale systematic monitoring of individuals (e.g., online behavior tracking)</li><li>It carries out large-scale processing of special categories of data, or data relating to criminal convictions and offences</li></ul><p>The role of the DPO is to inform and advise on data protection matters; to monitor compliance and cooperate with the supervisory authority; and to act as a point of contact for the supervisory authority. This is a very senior role, but it does not have to be a full-time employee. There are various options available for virtual DPOs, and your legal counsel will be able to advise as to whether or not you require one.</p><h3>Map the journey of personal data into, through, and out of your ecosystem</h3><p>Firstly, it’s important to understand what is meant by “personal data”, as we’re not just talking PII here. It’s essentially one or more pieces of data that can directly or indirectly identify a living person. <a href="https://www.i-scoop.eu/gdpr/gdpr-personal-data-identifiers-pseudonymous-information/">This article</a> explains things very well. Understanding the paths of personal data throughout your organization is the first step in applying the <a href="https://www.privacy-regulation.eu/en/5.htm">six principles of data processing</a> (aka Article 5 of GDPR). <a href="/fundamentals/web-application-security/">Web applications</a> are a common entry point, as are people whose role it is to enter and update data, such as sales, marketing, customer services, technical support, etc. 
Look at where personal data is stored, how it gets there, and whether you use cloud-based and/or third-party applications. Now is the time, too, to start thinking about how to get a handle on unsanctioned services (aka <a href="/blog/post/2016/10/20/overcome-nephophobia-dont-be-a-shadow-it-ostrich/">shadow IT</a>). If you can’t see where personal data is going, you have no means of discovering and securing that data.</p><h3>Discover and categorize personal data</h3><p>Once you’ve worked out where and how personal data arrives, travels, is stored and leaves, then you need to understand what you have, and why you have it. This is where your task force comes into its own – the people closest to the data are the ones who should be telling you what you have. There are various tools available to help you achieve this: <a href="https://onetrust.com/">OneTrust</a> and <a href="https://www.spirion.com/">Spirion</a> are just a couple of examples.</p><h3>Contact any third-party data processors to request details of their GDPR plans</h3><p>Now is the time to reach out to any third-party providers who process personal data on your behalf. These could be financial services, cloud-based applications, storage providers, and more. As the owner of the data (the data controller in GDPR terminology), it is your responsibility to make sure you have the correct contractual agreements in place with data processors; otherwise, you could be held jointly responsible for any issues that arise under GDPR.</p><p>We also offer a GDPR Readiness Assessment that can help you understand the gaps in your current processes and technology, and will provide you with a strategic roadmap to GDPR compliance.</p><p><em>Watch the </em><a href="/blog/tag/gdpr/"><em>GDPR blog tag</em></a><em> to keep up as we get closer to GDPR go-time.</em></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2017/11/14/gdpr-preparation-november-form-storm</link>
      <guid isPermaLink="false">bltdf908735f2b887fe</guid>
      <category><![CDATA[GDPR]]></category>
      <category><![CDATA[Compliance]]></category><dc:creator><![CDATA[Sam Humphries]]></dc:creator>
      <pubDate>Tue, 14 Nov 2017 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9706a86328fa6160/683de0a13beff05e08a7c44d/gdpr-eu-stars.jpg" medium="image" />
    </item>
  </channel>
</rss>