Scenario: General Data Protection Regulation (GDPR) covers a wide range of data security issues, including data protection, accountability, data processing, consent from subjects, and privacy. Because your organization does business in Europe, you have to ensure that the way your company handles data is in compliance with all parts of GDPR. The fines for non-compliance are extremely high, so you have little room for error. You want to use Splunk to manage GDPR in-scope systems to ensure compliance.
How Splunk software can help
You can use Splunk software to monitor who accesses what systems, what connections occur in your environment, whether systems are patched appropriately, and a number of other key indicators to guarantee compliance with GDPR and facilitate your ability to prove compliance.
What you need
To succeed in implementing this use case, you need the following dependencies, resources, and information.
The best person to implement this use case is a security architect or a security tools engineer who is familiar with GDPR and the various data sources that are in scope. This person might come from your team, a Splunk partner, or Splunk OnDemand Services.
Demonstrating compliance with GDPR using Splunk software can take from two to three weeks. The majority of that time is spent identifying and collecting the in-scope assets and identities needed to populate the lookups.
The following technologies, data, and integrations are useful in successfully implementing this use case:
- Splunk Enterprise or Splunk Cloud
- Data sources onboarded
How to use Splunk software for this use case
You can run many searches with Splunk software to comply with GDPR. Depending on what information you have available, you might find it useful to identify some or all of the following:
- Access to unencrypted resources
- Activity from expired user identity
- Expected host not reporting events
- Geographically improbable access detected
- Device with outdated anti-malware
- Systems with the update service disabled
- New connection to device
- Unauthorized connection through firewall
- Unauthorized access to Splunk indexes
- Unauthorized access to systems
- Brute force access behavior detected
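As an added example, not taken from the original page or from Splunk's own use-case content, the following SPL shows one way to implement the "Activity from expired user identity" search from the list above against the asset and identity lookups that this use case depends on. The first search runs entirely on constructed rows (three users, two of whom have a contract end date, with a login event each), so it can be pasted into any Splunk search bar with no data onboarded. The second search is the same logic against live data and rests on assumptions made for illustration: an `auth` index, the `linux_secure` sourcetype with a CIM-style `action` field, and a hypothetical `identities_gdpr.csv` lookup with `user` and `end_date` columns.

```spl
| makeresults
| eval rows="alice,2024-01-31,2024-02-14 08:12:00,srv-hr-01;bob,,2024-02-14 09:00:00,srv-hr-01;carol,2024-02-10,2024-02-14 11:30:00,db-fin-02"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<user>[^,]*),(?<end_date>[^,]*),(?<event_time>[^,]*),(?<dest>.*)$"
| eval end_epoch=strptime(end_date, "%Y-%m-%d")
| eval event_epoch=strptime(event_time, "%Y-%m-%d %H:%M:%S")
| where isnotnull(end_epoch) AND event_epoch > end_epoch
| eval days_after_expiry=round((event_epoch - end_epoch) / 86400, 1)
| table user end_date event_time dest days_after_expiry

index=auth sourcetype=linux_secure action=success
| lookup identities_gdpr.csv user OUTPUT end_date
| eval end_epoch=strptime(end_date, "%Y-%m-%d")
| where isnotnull(end_epoch) AND _time > end_epoch
| stats count min(_time) AS first_seen max(_time) AS last_seen values(dest) AS dest BY user end_date
| convert ctime(first_seen) ctime(last_seen)
```

On the constructed rows the first search returns alice (14.3 days after her end date) and carol (4.5 days), while bob, who has no end date, is dropped by the `isnotnull(end_epoch)` check. The second search produces one row per expired identity that still authenticated successfully, which is the evidence a compliance office needs for the "out-of-GDPR-compliance incidents" metric. Both searches depend on the identity catalogue being complete and current: an identity missing from the lookup, or one whose `end_date` is never populated, is silently treated as active, so the lookup maintenance process described under "Other steps you can take" is part of the control, not an optional extra.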
Other steps you can take
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Compliance office for requirements and reporting
- Development and maintenance of asset and identity catalogue with in-scope attributes
This use case is also included in the Splunk Security Essentials app, which provides more information about how to implement the use case successfully in your IT maturity journey. In addition, these Splunk resources might help you understand and implement this use case:
- Conf Talk: A day in the life of a GDPR breach
- Conf Talk: Monitoring GDPR compliance With Splunk
- White Paper: How machine data supports GDPR compliance
- Blog: GDPR: Go beyond compliance. Deliver a ‘data trust’ revolution
- Blog: Knowledge is power: Guidance from ICO and NCSC on GDPR security outcomes
- App: Splunk Security Essentials
How to assess your results
Measuring impact and benefit is critical to assessing the value of compliance operations. The following are example metrics that can be useful to monitor for reduction when implementing this use case:
- Number of out-of-GDPR-compliance incidents detected over time