MY TAKE: Six-figure GDPR privacy fines reinforce business case for advanced SIEM, UEBA tools

By Byron V. Acohido

Europe came down hard this summer on British Airways and Marriott for failing to safeguard their customers’ personal data.

The EU slammed the UK airline with a $230 million fine, and then hammered the US hotel chain with a $125 million penalty – the first major fines under the EU’s toughened General Data Protection Regulation, which took effect May 25, 2018.

Related: Will GDPR usher in new age of privacy?

It’s no wonder security analysts toiling in security operations centers (SOCs) are depressed. There’s a widening security skills shortage, the complexity of company networks is going through the roof, cyber attacks continue to intensify and now regulators are breathing down their necks.

More than half of the 554 IT and security pros recently polled by the Ponemon Institute consider their SOCs to be ineffectual and some 66% indicated they are considering quitting their jobs.

I had an evocative discussion about this with Sam Humphries, senior product marketing manager for Exabeam. We spoke at Black Hat USA 2019. Exabeam, which sponsored the Ponemon study, is a San Mateo, Calif.-based supplier of advanced security management systems.

Fortunately, there is a cottage industry of cybersecurity vendors, Exabeam among them, engaged in proactively advancing ways for SOC analysts to extract more timely and actionable threat intelligence from their security information and event management (SIEM) and user and entity behavior (UEBA) systems. For a full drill down on our meeting, give a listen to the accompanying podcast. A few key takeaways:

Sticks & carrots

Poor security practices at British Airways resulted in hackers pilfering credit card information, names, addresses, travel booking details and logins for some 500,000 airline customers. Marriott, meanwhile, failed to notice a breach that persisted for four years, exposing some 339 million customer records, of which about 30 million belonged to European residents.

Under GDPR, Europe has the authority to fine organizations up to 4 percent of their annual global revenue if they violate any European citizen’s privacy rights, for example, by failing to secure their personal data. What’s more, organizations that run afoul of the GDPR’s new data loss reporting requirements could face additional fines up to 2 percent of annual global revenue.

Maybe now, with Europe’s privacy police swinging a big stick, companies will actually begin to embrace best security practices for handling personal data. It’s straightforward and well-delineated: only collect and store data you truly need, know why you have it, keep very close track it, limit access to it, keep it only as long as you need it, be transparent about what you’re doing with it, Humphries says.


“The fines look like the stick part, but I think there’s a degree of carrot to this, as well,” Humphries told me. “I think it’s super important that organizations are being held accountable for looking after our data. Trust is an important part of their brand; it should be all about trust.

“That’s kind of the carrot side — being able to demonstrate that you actually do care about the data of the people you do business with. I think that’s really, really important. Saying, ‘I don’t care about your data’ is like saying, ‘I don’t care about you.’ ”

In-house angst

Putting consumer backlash aside for a moment, there is an even more immediate constituency companies ought to be very concerned about: their own IT security staff.

The Ponemon/Exabeam study revealed most SOCs are not aligned with the objectives and needs of the business; only 19 percent of respondents said the objectives of their SOC were fully aligned with their respective organization’s business needs. Forty-nine percent said they were not aligned at all.

One result is that SOC staffers feel downtrodden. Enterprises have spent billions of dollars on next-gen technology solutions, yet security analysts are getting increasingly frustrated. They waste approximately 25 percent of their time chasing false-alarm security alerts and off-base indicators of compromise (IOCs.)

“One of the biggest challenges in security is the dreaded false positive,” Humphries says. “Being told something is bad, when it’s not.”

Meanwhile, some 42% of SOC analysts say it can take months or years to fully resolve actual breaches. All of this wheel spinning in SOCs is proving costly, both operationally and financially. IBM’s recent data breach study shows how the cost of a data breach has risen 12% over the past five years and now costs $3.92 million, on average.

Changing the SIEM game

To top it all off, digital transformation (DX) is making everything much more complex. Different flavors of cloud architectures, sprawling IoT systems and the coming wide deployment of 5G networks add up to not just Big Data, but Very Big Data.

For its part, Exabeam aims to improve a SIEM’s capacity to correlate threat intelligence feeds arriving, at scale, from a wide variety of disparate sources. One of the coolest things it has pioneered is the use of predictable user-based pricing with its user and entity behavior analytics (UEBA) solution, which detects anomalous behavior and suspect lateral movements from any data source within an organization.“We can easily pull in logs from everything from devices, the cloud, networks, users, devices and have it all stored in one place so that you can run queries against it,” Humphries explained.

By tapping into a data lake with its advanced analytics platform, Exabeam can make more and better correlations in real time and then “present the information in a fast and solid way so it can be analyzed,” she says.

Launched in 2013 by Nir Polak, a former top exec at web application firewall vendor Imperva, Exabeam appears to be on the right track. In just half a decade, it has raised $115 million in venture capital, grown to almost 350 employees and reaped over 100 percent revenue growth in each of the last three years.

“Where we’ve helped change the game is in automating a lot of the investigation work — so that you can quickly see everything you need in one space,” Humphries says. “Something that used to take two or three days, or a week, we’ve stitched together and presented it in something we call a smart timeline.

“And then from there, you’ll want to do something. So we can help organizations streamline their response, as well. We present data in a way that makes sense, and then the analyst can go and do something very quickly to reduce that risk of something really bad going on.”

It’s encouraging to see Exabeam, and numerous other cybersecurity vendors, making steady progress with smarter technology that can engender better security practices. Going forward, it may well take both a carrot and a stick, to keep companies focused on preserving privacy. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)



Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone