Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


How to Protect GDPR Data with Varonis

Data Security

In the overall data security paradigm, GDPR data isn’t necessarily more important than other sensitive data, but demands specific monitoring, policy, and processing – with significant fines to encourage compliance. Once you discover and identify GDPR data, you need to be able to secure and protect that data.

GDPR Article 25, “Data Protection by Design and Default,” sets the rules for securing GDPR data. Varonis helps automate and implement a process to get to and maintain a least privilege model to help meet this part of the GDPR. Once you limit access to data, you can proactively protect GDPR data by analyzing file activity and user behavior, automating how to process that data, and actively monitoring your GDPR data.

Apply Security Analytics to GDPR Data

Varonis applies data security analytics to file activity and user behavior, and DatAlert can apply specific threat models to monitor and alert on suspicious activity on GDPR data. Below is a sample of some of our GDPR threat models:

Threat Model: Access to an unusual number of idle GDPR files

How it works: DatAlert triggers this alert when a user accesses a statically significant number of GDPR files that they have not accessed previously (i.e., did not create or modify).
What it means: This user account is looking for something containing GDPR data that they don’t normally access. This attack could be an infiltration attempt, a compromised account, or evidence of breached security.
Where it works: Dell Fluid, EMC, Hitachi NAS, HP NAS, NetApp, OneDrive, Sharepoint, SharePoint Online, Unix, Unix SMB, Windows, Nasuni, HPE 3PAR File Persona

Threat Model: Unusual number of GDPR files deleted or modified

How it works: DatAlert identifies when a user account is deleting or modifying an unusual amount of files that contain GDPR data, compared to that user’s typical behavior.
What it means: When users are deleting or changing many files, it could be an attempt to either cover their tracks, steal data, or modify information. It often indicates that an attacker is attempting to damage or destroy critical data as part of a denial-of-service attack. It’s possible that this user is simply doing clean-up, but more likely is an attempt to steal (or destroy) data.
Where it works: Dell Fluid, EMC, Hitachi NAS, HP NAS, NetApp, OneDrive, Sharepoint, SharePoint Online, Unix, Unix SMB, Windows, Nasuni, HPE 3PAR File Persona

Threat Model: Unusual number of GDPR files with denied access

How it works: DatAlert detects an increase in the number of GDPR files a user has failed to access.
What it means: When a user gets that many denies in a set amount of time, they are looking for – or trying to access – something that they likely shouldn’t be touching. Most likely they are not supposed to be looking for this kind of data, and someone is trying to use this account to access GDPR data in order to exfiltrate it.
Where it works: EMC, Windows, Hitachi NAS

DatAlert highlights suspicious activity and unusual behavior on GDPR data, and helps streamline investigation and pursue forensics on potential threats. DatAlert will also give you the all-important heads up you need to be able to report a data breach discovery within the GDPR mandated 72 hours.

It’s best practice to develop an alert response plan that makes sense with your organization’s security practices and policies so that you have an actionable plan to investigate unusual behavior and suspicious activity.

Automatically Quarantine GDPR Data

In order to stay compliant on a day-to-day basis, you need to be constantly detecting new unsecured GDPR data and protecting that data as quickly as possible.

As users create new files there is a possibility that GDPR data will be left unsecured. Because the Data Classification Engine continuously discovers new GDPR data in your shares, it can pass that information to the Data Transport Engine. The Data Transport Engine can move those newly discovered files containing GDPR data to a quarantine folder during its next scheduled run. Once the GDPR data is quarantined and secured, you can investigate the file and determine who should have access, where it should be stored, and any additional conditions to help comply with GDPR.

Monitor your GDPR Data

It’s vital to maintain a holistic perspective of your GDPR security status. Varonis provides several reports that allow you to keep track of your GDPR data, which can be delivered to your inbox or a shared folder.

Report 12.I.02, Open Access on Sensitive Data, will show you all the GDPR classification matches you have on the network that were discovered within your specified time slice. If you use Data Transport Engine to quarantine new matches, you’ll be able to use this report as a starting point for which files you want to investigate. If you aren’t using Data Transport Engine, you will have to ensure these files are locked down as quickly as possible.

GDPR regulations represent a shift in the way governments are broadly approaching data privacy and data security requirements – and it’s rooted in data security best practices.

Are you ready to see what how your current GDPR situation looks? Get a free 30-day GDPR Readiness Assessment and see how Varonis can help protect your GDPR data.

Jeff Petters

Jeff Petters

Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.