Access to In-Scope Unencrypted Resources

Description

Unencrypted communications leave you vulnerable to a data breach: when users access PII data, ensure that all connections are encrypted.


Use Case

Compliance

Category

GDPR

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

Data Sources

Web Proxy

GDPR Relevance

Impact:

Access to critical resources should only be made over an encrypted connection. Especially in the context of a compliance mandate, encryption should be used for any channel to access in-scope resources. Detecting when this is not the case, where instead unencrypted connections are being used to access in-scope resources, can help determine potential misuse or unauthorized access, and potentially a deeper issue such as compromised host or network device.

Within a GDPR context, in-scope assets and applications will store and process personal data. Ensuring that only encrypted connections are used to access those assets is an industry best practice and can be considered an effective security control, as required by Article 32. This applies to processing of personal data by the controller, and must also be addressed if contractors or sub-processors from third countries or international organizations access and transfer personal data (Article 15). In the event that a Supervisory Authority exercises its powers to place an organization within the scope of a privacy audit, the organization must demonstrate compliance (Article 58). If the organization suffers a personal data breach and individuals are impacted, those individuals have the right to demand compensation for material and non-material damage caused by the breach; the organization must prove that it understood and addressed the risk appropriately and deployed proper countermeasures (Article 82). The capability to demonstrate that best practice was adhered to, that is, that only encrypted connections were used for accessing personal data, can help mitigate the potential impact to the organization.

How to Implement

Implementation of this capability will vary from system to system. Tracking access via firewall connection logs is a popular approach, though you could also use application logs, which provide more granular visibility into access. Ensure that all data flows (e.g., backups, remote management, etc.) are encrypted, not just interactive user sessions. Splunk recommends working with your auditor, and with Splunk Professional Services for any complicated situations.

Known False Positives

No known false positives at this time.

How To Respond

Understand why and how this application was accessed over an insecure connection. For in-house apps, this can mean tracking down configuration settings. For SaaS apps, this usually involves analyzing your communication paths for a proxy that sends in cleartext (or, less commonly, noting a major bug in the SaaS provider itself).

Help

Access to In-Scope Unencrypted Resources Help

This example leverages the Simple Search search assistant. Our example dataset is a collection of anonymized firewall logs (onboarded in accordance with our Data Onboarding Guides) in which someone uses Workday to download data over an unencrypted connection. Our live search looks for the same behavior using the standardized sourcetypes for Palo Alto Networks or the Common Information Model, and you can look for any destination where you hold sensitive data, including your cloud providers, databases, and more.

SPL for Access to In-Scope Unencrypted Resources

Demo Data

First we bring in our basic demo dataset, in this case anonymized Palo Alto Networks logs. We use a macro called Load_Sample_Log_Data that wraps | inputlookup, just to keep the demo search cleaner.
Next we filter for access to PII data (Workday) over any non-HTTPS port. You can also detect this with any mechanism that allows you to analyze whether the content is actually encrypted, since the destination port alone is only a proxy for encryption.
Finally, we format just the fields that users want to see.

Live Data

First we bring in our basic dataset, Palo Alto Networks logs, filtered for access to PII data (Workday) over any non-HTTPS port. You can also detect this with any mechanism that allows you to analyze whether the content is actually encrypted.
Finally, we format just the fields that users want to see.
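The detection described in the Demo Data and Live Data steps above, as an added example that is not the page's own SPL: it runs the same logic in Python over a constructed set of Palo Alto-style traffic records, flagging access to an in-scope destination that is not encrypted. The field names (user, src_ip, dest_ip, dest_port, app) and the app-ids ssl and web-browsing are assumptions about the firewall's logs, and the Workday destination IP is a placeholder.

```python
import csv
from io import StringIO

# Constructed sample of Palo Alto-style traffic records (CSV). Not real logs.
SAMPLE = """user,src_ip,dest_ip,dest_port,app,bytes
alice,10.1.2.3,203.0.113.10,443,ssl,5120
bob,10.1.2.4,203.0.113.10,80,web-browsing,98304
carol,10.1.2.5,203.0.113.10,8080,web-browsing,4096
dave,10.1.2.6,198.51.100.7,80,web-browsing,1024
erin,10.1.2.7,203.0.113.10,443,web-browsing,2048
"""

# In-scope (PII-holding) destinations; Workday is the page's example.
# The address is a placeholder, not a real Workday endpoint.
IN_SCOPE = {"203.0.113.10": "workday"}
ENCRYPTED_PORTS = {443, 8443}
# Assumed app-id the firewall reports for TLS sessions.
ENCRYPTED_APPS = {"ssl"}


def parse(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def is_unencrypted(rec):
    """True when the record does not look like an encrypted session.

    The port is only a weak signal: TLS can run on any port and cleartext
    HTTP can run on 443. When the device reports an application layer
    (app-id), that takes precedence over the port.
    """
    if rec["app"] in ENCRYPTED_APPS:
        return False
    if rec["app"] == "web-browsing":  # assumed app-id for plain HTTP
        return True
    return int(rec["dest_port"]) not in ENCRYPTED_PORTS


def find_unencrypted_access(records):
    """Return one formatted hit per unencrypted access to an in-scope resource."""
    hits = []
    for r in records:
        name = IN_SCOPE.get(r["dest_ip"])
        if name and is_unencrypted(r):
            hits.append({"user": r["user"], "src": r["src_ip"], "resource": name,
                         "dest_port": int(r["dest_port"]), "app": r["app"],
                         "bytes": int(r["bytes"])})
    return hits


if __name__ == "__main__":
    for hit in find_unencrypted_access(parse(SAMPLE)):
        print(hit)
```

The record for dave is dropped because the destination is out of scope, while erin's session is flagged despite using port 443 because the app-id says the content is plain HTTP.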

Screenshot of Demo Data