GDPR: Personal data transferred to a third country
IBM QRadar can assist you with GDPR compliance by detecting personally identifiable data in events and flows, and then creating an offense when the data is transferred.
For QRadar to provide maximum GDPR compliance monitoring, you must install the IBM QRadar Content Extension for GDPR from the IBM Security App Exchange. You do not need to install the content extension to run this simulation.
Simulating the threat
The GDPR: Personal data transferred to a third country simulation addresses a situation where an employee transfers personally identifiable data (PII), whether intentionally or accidentally, to a third country that is not governed by GDPR regulations. The company has not put the proper safeguards in place to handle the transfer of PII to the third country, which breaks both the company's policy and the GDPR regulations.
The PII might be email addresses, passport information, social security numbers, or whatever the company determines to be personally identifiable data.
- On the Log Activity tab, click Show Experience Center.
- Click Threat simulator.
- Locate the GDPR: Personal data transferred to a third country simulation and click Run.
On the Log Activity tab, you can see the SSL Tunnelling events that are coming into QRadar. These events simulate a sample user, user1, who is transferring personal data to a third country, as determined by the destination IP address. This type of data transfer is often unintentional. By reviewing the payload of the event, you can see that the user shared an email address, which is considered personal data.
Detecting the threat: QRadar in action
In this simulation, the SSL Tunnelling event indicates that the user transferred personal data to a third country. The Custom Rule Engine (CRE) processes the event, which triggers a rule that creates a new event named EC: Personal Data Transferred to Third Countries/Regions.
To warn you about the potential threat, the CRE also creates an offense titled Personal Data Transferred to Third Countries/Regions (Exp Center) and associates all the events that contributed to it. The offense is indexed so that it groups all the contributing events with the same destination IP address into a single offense.
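The following Python sketch is an added example, not QRadar rule code or part of the Experience Center app. It mirrors the logic described above: flag an event when its payload contains an email address and its destination IP address is in a third country, then group the flagged events into one offense per destination IP address. The event field names, the network-to-country table, the placeholder country codes XA and XB, and the partial country list are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events; field names are assumptions, not QRadar's schema.
SAMPLE_EVENTS = [
    {"user": "user1", "dst_ip": "203.0.113.10", "payload": "to=jane.doe@example.com&msg=hi"},
    {"user": "user1", "dst_ip": "203.0.113.10", "payload": "cc=john.roe@example.org"},
    {"user": "user2", "dst_ip": "198.51.100.7", "payload": "to=ann@example.com"},
    {"user": "user1", "dst_ip": "203.0.113.99", "payload": "GET /status"},
    {"user": "user3", "dst_ip": "192.0.2.44", "payload": "mail=sam@example.net"},
    {"user": "user4", "dst_ip": "10.0.0.5", "payload": "to=kim@example.com"},
]

# Constructed table standing in for a geolocation database.
# XA and XB are placeholder codes for third countries.
GEO_TABLE = {"203.0.113.0/24": "XA", "192.0.2.0/24": "XB", "198.51.100.0/24": "DE"}

# Partial, constructed list of countries where GDPR applies.
GDPR_COUNTRIES = {"DE", "FR", "IE"}

# Email addresses are the only PII type checked here, as in the simulation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def country_of(ip):
    """Return the country code for ip, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return code
    return None

def build_offenses(events):
    """Group matching events by destination IP, one offense per address."""
    offenses = defaultdict(list)
    for ev in events:
        pii = EMAIL_RE.findall(ev["payload"])
        country = country_of(ev["dst_ip"])
        # Policy choice in this sketch: destinations with no geolocation
        # entry (for example internal addresses) are not treated as a match.
        if pii and country is not None and country not in GDPR_COUNTRIES:
            offenses[ev["dst_ip"]].append({**ev, "pii": pii, "country": country})
    return dict(offenses)

if __name__ == "__main__":
    for dst, evs in build_offenses(SAMPLE_EVENTS).items():
        print(dst, evs[0]["country"], [e["pii"] for e in evs])
```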
To learn more about the detailed information that QRadar uses to analyze the event and prioritize the offense, play the GDPR: Personal data transferred to a third country video, which is available from the Threat simulator page in the QRadar Experience Center app.
Investigating the threat
The following IBM QRadar content is created by the GDPR: Personal data transferred to a third country threat simulation. After you run the simulation, you can use this content to trace and investigate the threat.
|Saved Search||EC: GDPR|
|Incoming event||SSL Tunneling. The log source for the incoming event is Experience Center: Checkpoint.|
|Rule||EC: Personal Data Transferred to Third Countries/Regions|
|Generated event||EC: Personal Data Transferred to Third Countries/Regions. The log source for events that are generated by QRadar is the Custom Rule Engine (CRE).|
|Offense||Personal Data Transferred to Third Countries/Regions (Exp Center). Depending on the events and rules that exist in your environment before running the use case, the name of the offense might include preceded by <offense name> or containing <offense name>. The offense is indexed based on the Destination IP address, meaning that all events that trigger this rule and that have the same destination IP address are part of the same offense.|