Blinding the Watchers: The Growing Tension between Privacy Concerns and Information Security, presented at DeepSec Vienna 2018

by Mark Baenziger

Summary: This talk explores the growing tension between recent changes to customer and employee expectations of privacy, and the need for organizations to gather and examine data in order to detect and respond to information security incidents. This talk highlights specific areas that cause issues, including examples of where security teams have deliberately subverted data privacy controls to do their job, and proposes some potential solutions to the issues.

Details: This talk is derived from an earlier project which explored how security teams violate rules and laws in order to accomplish their mission. During the previous project, there were several examples of teams which violated privacy controls because they felt that they had to in order to do their job.

The talk starts with examples of how information security teams have run into privacy issues while attempting to detect and respond to intrusions, and gives examples of where some teams have deliberately circumvented privacy controls in order to meet requirements to detect and respond to security incidents.

While this talk briefly reviews the various privacy laws that exist, as well as the privacy drivers of EU businesses, its primary focus is on the actual mechanisms by which information security team members attempt to subvert or work around privacy controls.

It will also explain some of the reasons for the perceived need of information security teams to gather and analyze data used to detect and respond to security incidents, by walking through the use of netflow, full packet capture, weblog, e-mail, and endpoint data acquisitions to support detection and analysis of potential or actual security incidents.

The talk closes by demonstrating some alternatives to analyzing these types of data and further exploration of potential future technical and policy changes. These changes can help to strike a better balance between the need to protect employee and customer privacy, and the need to detect, analyze, and respond to computer intrusions and incidents.