Learn how to leverage state of the art technology to build an efficient data protection risk management strategy. To view the webinar on demand, click here: https://symc.ly/2GU8Ehb.

1. How to Tackle Data Risk in time for
GDPR Compliance
Deena Thomchick
Sr. Director of Product
Management and Cloud
Security, Symantec
Sunil Choudrie
Information Protection
Strategist, Symantec
Steven Grossman
Vice President of Strategy,
Bay Dynamics

2. Sunil Choudrie
Information Protection Strategist
How to Tackle Data Risk in time for GDPR Compliance

3. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
• The materials contained in this presentation are not intended to provide, and do not
constitute or comprise, legal advice on any particular matter and are provided for
general information purposes only.
• You should not act or refrain from acting on the basis of any material contained in this
presentation, without seeking appropriate legal or other professional advice.
Legal Disclaimer
3

4. Agenda
The scramble to GDPR
Risk areas
Data Visibility
Risk Visualization
1
2
3
4
Q&A5

5. 1. The scramble to GDPR

6. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
EU General Data Protection Regulation (GDPR)
Copyright © 2017 Symantec Corporation 6
28 Interpretations of the Data
Protection Directive
One Data Protection Regulation
Harmonized across all EU member states
TODAY: 2018:
Right to be forgotten Parental Consent Data Protection Officer
Extra-territoriality of GDPR
Fines and penalties
Joint Liability of Controllers and Processors
Mandatory Breach Notification

7. How ready are you for GDPR?
Stage 1: Low awareness of GDPR and its application to the
organization
Stage 2: A GDPR compliance plan is in place and is being worked on
Stage 3: Processes are compliant with an acceptable level of risk
Stage 4: Compliance is being delivered as a result of improved
business processes
Stage 5: High state of readiness, opportunity to share / sell GDPR
“know-how” to others

8. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Customer Timeline for the GDPR
Discovery & Planning
What do I need to do and when by?
o Awareness & Education
o Organisational Buy-In
o High-level Risk Assessments
o In-depth Risk Assessments & Gap Analysis
o Advisory Services
o Information Governance Plans
o Budgeting / Hiring Key Staff
Implementation
Making Changes to Prepare
o Policy and Organisational Updates
o Addressing Technology Gaps
o Purchasing of Software & Technology
Have concerns about ability to
become compliant
9 in 10
Do not fully understand GDPR
96%
Consider compliance at top priority
in the next two years
22%
TODAY 8
? ?
?
Are you
ready?

9. 2. Risk areas

10. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Two big issues
1. Can
you see
all your
data?
2. You have too
much to do
• Day to day
• GDPR implementation
• Breach / change response
10

11. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
…finding the ‘Goldilocks’ technologies
A few words on “State of the Art”
Need to balance innovation with degree of confidence that the
technology will be robust enough to deliver on its promises
! “State of the Art” - a term used, but not defined in GDPR…
Maturity Bleeding Edge
11
“Goldilocks” zone

12. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Three takeaway points
Data Visibility
Risk
Threat defence
Security Operations
productivity
Can your systems
determine GDPR personal
data, and find it wherever
it is (even if it’s in areas
you’re not expecting)
whether at rest, in use or in
motion?
How are you keeping your
users, devices and data
safe from attack?
With plural responsibilities,
is your team fully skilled,
equipped and resourced to
handle a large and
important workload?
Where can you use
technology to ease the
burden?
12

13. How to Tackle Data Risk in time for GDPR Compliance
Deena Thomchick
Sr. Director of Product Management and
Cloud Security, Symantec

14. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
3 Key GDPR requirements to address
Protect Personal Information Implement Privacy by Design Meet strict notification requirements
14

15. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
GDPR applies to
Data controller and data processor
regardless of geographic location (cloud
apps can serve as data processors)
15
Data controller
Data processor

16. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
20% of Cloud Docs are
Broadly Shared1
1 1H 2017 Shadow Data Report
Proliferation of Cloud Apps as
Data Processors
Outside the Enterprise Perimeter
Data Visibility & Protection
Security & Response
Protect data wherever
it is processed
16
Endpoints
Networks
Data Centers

17. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Confirm cloud
data processor
compliance w/ CASB
o Identify & analyze risky
SaaS, PaaS, and IaaS in
use
o Business Readiness
& risk attributes
o Understand usage & risk
o Sanctioned &
Shadow IT use
o Standardize on
compliant cloud apps
o Track and enforce
ongoing compliance
o Continuously
monitor
o Automate control
over app use
17
Find what cloud
apps my users
access and how risky
they are.”
Integrate with
secure web gateway
to control Shadow IT
use.”
Ensure corporate
policy compliance
by monitoring
cloud app usage.”

18. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
o Prevent & Remediate Risky Data
Sharing w/ Data Loss Protection
o Cloud Apps
o Email
o Network
o Endpoints
o Data centers
o Automatically classify personal
information and track it
o Control sharing, emailing &
uploading/downloading of data
o Control access to sensitive data
o Automate enforcement actions:
block, quarantine, alert, encrypt
Don’t allow PII
content to be
broadly shared.”
Automatically identify
and track confidential
content everywhere.”
Don't allow sensitive
content uploaded to
personal email or
cloud accounts.”
Protect personal info
with DLP everywhere
18

19. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Use integrated
DLP for Privacy
by Design
19
Symantec DLP
Consistent
Fine-Tuned Policies
Consistent
Workflow Response
Cloud Apps &
Enterprise Systems
Native Cloud &
On-Prem Inspection
Endpoints Networks Data
Centers
Email

20. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY 20
Protect data w/
information centric
encryption
VIP
DLP
PGP
AUTHENTICATION
DATA
CLASSIFICATION
ENCRYPTION
Vendors
Clients
Partners
Co-workers
o Dynamically encrypt based
on DLP classification
o Content stays encrypted,
regardless of where it travels
o Granular control of who can
access content
o Content is beaconized and
may be revoked at any time
Access
Granted
Access
Denied
Revoke
File

21. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Customer Situation
Global Manufacturing Company
Case Study
o Requirement for governance and protection of personal data associated with EU subjects
o 100,000+ global users with corporate Office 365 & Box cloud accounts
o Enterprise Endpoints, Servers, and Network
Solution
o Audit and risk analysis of cloud apps in use for data processing with CASB
o Apply DLP and threat protection to cloud apps, cloud email, and on enterprise owned assets
with integrated enterprise DLP, cloud email, and CASB solutions
o Enforce highly accurate automated data classification for personal info
o Apply industry-leading anti-malware and ATP
o Automatically control data access w/ granular policy enforcement
leveraging LDAP integration
o Use CASB and DLP dashboards & reports for fast risk analysis and incident response
 Symantec CloudSOC CASB
 Symantec DLP
 Symantec Email Security.cloud
 Symantec Threat Protection
 Symantec ATP
 Symantec Professional Services
Products Used
21

22. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Automate control over use
of cloud apps & services
Protect personal
information everywhere
Secure your data from
unauthorized access
everywhere it goes
Stop threats from
compromising your data
Make sure only
authenticated users
get access
Monitor activity and
apply security controls
Threat protection and
DLP in email
Shadow IT risk analysis, DLP &
threat protection in cloud appsIntegrated Cyber Defense

23. How to Tackle Data Risk in time for GDPR Compliance
Addressing GDPR Compliance with ICA
Steven Grossman
Vice President of Strategy, Bay Dynamics

24. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Challenge: Seeing the Big Picture and Identifying Gaps
Like personal data, security metadata is spread out across many systems and sources:
• Data Loss Protection
• Authentication logs
• Application logs
• Database monitoring logs
• Web Application Firewall logs
• Asset databases
How do enterprises know where their exposed personal data resides?

25. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Cyber Risk Analytics Connects the Dots
Cyber Risk Analytics pulls data together, applies risk and behavior algorithms,
and presents actionable results
• Where does exposed personal data reside?
• Who are risky users that may be trying to exfiltrate personal data?
• What applications and machines may be vulnerable to attacks?
• Who’s performed complex actions that lead to loss of personal data?
• What are risky business processes that may lead to loss of personal data?
• What suspicious activities may be the result of a cyber breach and not an actual user?

26. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Cyber Risk Analytics helps prepare for GDPR compliance
• Mapping the location of personal data, based on:
• Data at rest scanning
• Data in motion analysis
• Data classification
• File access monitoring
• Reporting and driving remediation of protective
posture of infrastructure holding personal data
• Enabling regional and organization metric views
aligning to Data Protection Officer’s responsibility
• Providing insights into personal data handling, broken
business processes and training gaps

27. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Bringing It All Together
Data Loss Prevention (DLP)
Discovers sensitive data across all channels with central policy controls
Information Centric Encryption (ICE)
Integrated policy driven encryption and identity access
Information Centric Tagging (ICT)
Increases DLP efficiency with Users driving DLP data classification
Information Centric Analytics (ICA)
Cyber Risk and Behavior Analytics to find truly risky or malicious users
Validation and ID Protection Service (VIP)
Secures access to critical data with Multi-Factor Authentication
A solutions-based approach:

28. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Identifies potential insider threats and cyber breaches, indicate risky users and
possible GDPR violations, so human analysts can investigate and validate
Behavioral Analytics
DLP
Cloud
Authentication
Web
Encryption
To Investigate!
Normal for user’s peers?
UEBA

29. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Preparing For and Complying With GDPR Using ICA
In addition to preparing for compliance, ICA helps drive ongoing GDPR compliance by:
• Identifying potential data exposure violations
• Ongoing location mapping of personal data
• Mapping of protective posture, including agent coverage
• Data in Motion exfiltration of personal data
• Personal data access from databases and applications
followed by exfiltration attempts
ICA provides out of the box GDPR dashboards and scorecards focused on compliance

30. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
EXAMPLE - ICA GDPR Use Case
Problem: The GDPR requires a need to know where EU personal data resides and where it is being moved. Despite
extensive tooling, enterprises struggle to connect the dots to track down complex data movements.
Solution: ICA correlates database monitoring logs, WAFs, and DLP events to identify a user attempting to exfiltrate
EU personal data via dashboards for visibility into the user’s risk and the data’s location and movement

31. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
GDPR Dashboards
Dashboards visualizations with drill to detail:
• Geographic visualizations of exposed EU personal data
• Geographic visualizations of data movement and associated risk
• Color coded maps of user, database and application access risk

32. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
GDPR Scorecards
Drillable/sliceable scorecards providing metric rollups:
• Potential data communication violations – GDPR related activity
that violated DLP or Cloud GDPR policies
• Associated user risk – Risk scores of those users associated
with potential GDPR violations
• Third party risk – Risk of those third party users associated with
potential GDPR violations
• Exposed data at rest – EU personal data records that are
exposed to different user groups

33. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
GDPR Remediation – DIM to External Destinations

34. Copyright © 2017 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
ICA GDPR Summary
• ICA integrates:
• Disparate cyber security data sources to provide visibility into
how EU personal data is being stored, protected and handled
• GDPR relevant data across multiple ICS solutions providing detailed visibility
into potential issues and inform subsequent response
• ICA analyzes:
• Out of the box dashboards and scorecards provide immediate insights
with ability to drill to greater detail
• Analyzer ad-hoc analysis interface allows analysts to slice and dice ICA
data for even greater insight
• Becomes the cockpit for understanding your GDPR data protection exposure
and potential handling violations
• ICA enables human action:
• Action Plans enable escalation and remediation of verified violations
• Dashboard Wizard allows administrators to create their own dashboards
and scorecards in support of unique requirements

35. Questions?
Deena Thomchick
Sr. Director of Product
Management and Cloud
Security, Symantec
Sunil Choudrie
Information Protection
Strategist, Symantec
Steven Grossman
Vice President of Strategy,
Bay Dynamics

36. Thank you!
Deena Thomchick
Sr. Director of Product
Management and Cloud
Security, Symantec
Sunil Choudrie
Information Protection
Strategist, Symantec
Steven Grossman
Vice President of Strategy,
Bay Dynamics